Firewall Wizards mailing list archives
RE: pix firewall - failover and logging issues
From: "Claussen, Ken" <Ken () kccweb com>
Date: Wed, 5 Feb 2003 12:55:09 -0500
While this is partially true, there is a certain amount of communication which occurs on the network segments themselves. To clarify my earlier statement: each interface on the Primary has a corresponding interface on the Standby unit. The corresponding interfaces must be on the same network segment so they can send and receive HELLO packets. When an interface misses a packet, the Pixen use the serial cable to initiate the failover testing process.

The confusion is coming from the idea of Stateful Failover. In Stateful Failover the state table (less HTTP) is sent back and forth across a dedicated NIC. This cable is only necessary for transferring the state information. However, even without this the interfaces must be able to speak to each other. This talking is done through each interface and its corresponding standby interface. The testing process actually occurs over each of the network interfaces.

For further reading see the following links:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801049b7.html#37997 (Watch wrap)
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72f.html

The following excerpt is taken from the link above:

"The two units send special failover "hello" packets to each other over all network interfaces and the failover connection every 15 seconds... The failover feature in PIX Firewall monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within a time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed, and transfers active control to the secondary unit."

The key here is that the packets must be received on each interface. If the corresponding interfaces do not share a common network segment they will not "see" these Hello packets and failover will more than likely be initiated.
Ken Claussen MCSE CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: Symon Thurlow [mailto:sthurlow () webvein com]
Sent: Wednesday, February 05, 2003 10:52 AM
To: Claussen, Ken; Luciano Z; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] pix firewall - failover and logging issues

I may be incorrect, but it is my understanding that the serial failover cable can be used by itself for failover; however, you need to use the LAN and Serial failover if you want Stateful failover.

Also, not sure of your platform, but I had an issue with failover on a PIX515e bundle; it was erratic and pretty much just didn't work. Also, the performance was absolute cr*p. The answer from the reseller was to send both boxes back, and they were replaced. The reseller mentioned that they had seen this problem before.

Symon

________________________________
From: Claussen, Ken [mailto:Ken () kccweb com]
Sent: Wed 05/02/2003 12:37 AM
To: Luciano Z; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] pix firewall - failover and logging issues

The first answer is you are required to use LAN side failover communication to control the failover process. Each pair of interfaces must either be on the same dumb switch, a series of two switches with a crossover and a single VLAN, or a common VLAN on a layer 3 switch (not the best for security). In other words, there must be communication between the corresponding network cards in the Primary and Standby units in order for Hello packets to be sent back and forth. When one of the Pixes fails to answer the Hello, the failover bundle begins a series of tests. It determines if the network interface failed and if so it switches to the Secondary. It is important to make sure the interfaces are on a common network segment before configuring new subnets.

The serial cable is used for sending the configuration and the control signals. When the primary determines its interface has failed it passes control to the secondary. It is usually a good idea to disable Failover before making any changes which affect interface IP addresses. The command "Show Fail" will provide the current status of each interface on each Pix. Normal is good; other options may be Testing or Failed.

About logging, Syslog is the way to go. As previously mentioned, Level 7 will provide all messages. Filtering of messages is best done at the syslog server. Kiwi provides a free Windows Syslog daemon (www.kiwisyslog.com). If you purchase the full version it has an extensive filtering rule section. HTH. I have almost always logged at level 7 and never seen significant performance degradation. SHOW CPU USAGE is an undocumented command to show utilization if you are concerned about performance.

Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

PS I don't have my encoding set to UTF-8. It specifies Western European (Windows) for Internet recipients.

-----Original Message-----
From: Luciano Z [mailto:user_luciano () yahoo com br]
Sent: Tuesday, January 28, 2003 2:03 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] pix firewall - failover and logging issues

Hi! I have two questions about pix firewall for the list.

The first one is directed to failover users. I'm using a pix with version 6.1(1) software and with stateful failover (I think this version needs an update, right?). From time to time I experience loss of the ssh connection to the active pix because it has changed from active state to standby state. I couldn't find the reason for this because we just checked the cables and it was operating well before I created another subnet attached to this firewall, changing the address of an unused interface. In this situation I'm not using LAN based failover (this version doesn't support it), so I have the serial cable in place. Has anyone had a problem that looks like mine? Is it possible to start logging to the syslog server just the messages related to failover events?

Second question, this is about logging of URL access. I've read the pix could log the URLs accessed by the users on a protected network. My question is about the performance impact of this feature. Anybody used this? What was the impression about it? And again: Is it possible to log just the events related to this?

Well, thanks for your time!

[] Luciano

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
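An added example, not from any of the posts in this thread, of doing the filtering at the syslog server as Ken suggests rather than lowering the trap level on the PIX: a small Python filter that parses PIX-format syslog lines and keeps only the failover-related ones, then pulls out the "Switching to ..." transitions that would explain Luciano's dropped SSH sessions. The line shape (%PIX-<severity>-<msgid>:), the treatment of the 104xxx and 105xxx message classes as failover messages, and the message wordings are assumptions taken from the Cisco PIX syslog message reference as recalled here; check them against the reference for your software version. The sample lines are constructed for the example, not captured from a real PIX.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed PIX syslog line shape, e.g.
#   <161>Feb 05 2003 12:50:14 pix1 %PIX-1-104002: (Primary) Switching to STNDBY - ...
# The <PRI>, timestamp and hostname are optional; the %PIX-<sev>-<msgid>: token is the key.
# Verify against the syslog message reference for your PIX software version.
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Assumption: failover messages live in the 104xxx (switchover) and 105xxx
# (failover monitoring/testing) classes. Starting point, not an authoritative list.
FAILOVER_CLASSES = ("104", "105")

# Unit tag that prefixes failover messages, e.g. "(Primary) Testing interface dmz2."
UNIT_RE = re.compile(r"^\((?P<unit>Primary|Secondary)\)\s*(?P<rest>.*)$")
# "Switching to <state> - <cause>" wording of the 104001-104004 messages (assumed).
SWITCH_RE = re.compile(r"^Switching to (?P<state>ACTIVE|STNDBY|FAILED|OK)(?:\s*-\s*(?P<cause>.*))?$")


@dataclass
class FailoverEvent:
    severity: int
    msgid: str
    unit: Optional[str]  # "Primary" / "Secondary" when the message carried a unit tag
    text: str            # message text after the unit tag


def parse_pix_line(line: str) -> Optional[tuple]:
    """Return (severity, msgid, text) for a PIX-format syslog line, or None if it is not one."""
    m = PIX_MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text").strip()


def is_failover_msgid(msgid: str) -> bool:
    return msgid.startswith(FAILOVER_CLASSES)


def filter_failover(lines: Iterable[str]) -> List[FailoverEvent]:
    """Keep only failover-class messages: the 'filter at the syslog server' step."""
    events = []
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue
        sev, msgid, text = parsed
        if not is_failover_msgid(msgid):
            continue
        unit = None
        um = UNIT_RE.match(text)
        if um:
            unit, text = um.group("unit"), um.group("rest")
        events.append(FailoverEvent(sev, msgid, unit, text))
    return events


def switchovers(events: Iterable[FailoverEvent]) -> List[tuple]:
    """Extract (unit, new_state, cause) from the 104xxx 'Switching to ...' messages.
    A primary going to STNDBY right after a run of 105xxx interface-test messages is
    the pattern to look for when an SSH session to the active unit keeps dropping."""
    out = []
    for ev in events:
        if not ev.msgid.startswith("104"):
            continue
        sm = SWITCH_RE.match(ev.text)
        if sm:
            out.append((ev.unit, sm.group("state"), sm.group("cause") or ""))
    return out


# Constructed sample lines (not real PIX output); wordings follow the reference as recalled.
SAMPLE_LINES = [
    "<166>Feb 05 2003 12:50:01 pix1 %PIX-6-302001: Built inbound TCP connection 1234 for faddr 10.1.1.5/3345 gaddr 192.0.2.10/22 laddr 192.168.1.1/22",
    "<161>Feb 05 2003 12:50:09 pix1 %PIX-1-105008: (Primary) Testing interface dmz2.",
    "<161>Feb 05 2003 12:50:14 pix1 %PIX-1-105009: (Primary) Testing on interface dmz2 Failed",
    "<161>Feb 05 2003 12:50:14 pix1 %PIX-1-104002: (Primary) Switching to STNDBY - interface check, mate is healthier",
    "<161>Feb 05 2003 12:50:14 pix2 %PIX-1-104001: (Secondary) Switching to ACTIVE - mate want me Active",
    "<166>Feb 05 2003 12:50:15 pix2 %PIX-6-302002: Teardown TCP connection 1234 faddr 10.1.1.5/3345 gaddr 192.0.2.10/22 laddr 192.168.1.1/22 duration 0:00:14 bytes 3201 (TCP FINs)",
    "not a pix line at all",
]

if __name__ == "__main__":
    evs = filter_failover(SAMPLE_LINES)
    for ev in evs:
        print(f"sev={ev.severity} id={ev.msgid} unit={ev.unit} {ev.text}")
    print(switchovers(evs))
```

Run against the syslog server's log file, this answers the "just the failover messages" question without touching the trap level on the PIX, so the level 7 detail stays on disk for the next investigation. The same "%PIX-1-10[45]" message-ID match is what a filter rule in a product like Kiwi would key on.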
Current thread:
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 04)
- <Possible follow-ups>
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 05)
- RE: pix firewall - failover and logging issues Luciano Z (Feb 05)
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 06)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)