Firewall Wizards mailing list archives
RE: RE: PIX FW Failover & Hello Packet
From: "Sutantyo, Danny" <DSutantyo () livingstonintl com>
Date: Wed, 7 May 2003 09:59:20 -0400
Thanks for the response, but the problem is when I enabled the failover. When I enabled the failover, 2 interfaces (inside and failover) are not in waiting mode, but the other 3 interfaces are in waiting mode. These 3 interfaces are plugged into a switch that has trunking, spanning tree, and port-channeling, and if I remember correctly, for failover to work properly the switch should not have these features turned on, right?

Thanks
Danny

-----Original Message-----
From: Dave Rinker [mailto:firewall () dsrtech com]
Sent: Tuesday, May 06, 2003 09:20 PM
To: 'firewall-wizards () honor icsalabs com'
Cc: Sutantyo, Danny
Subject: Re: [fw-wiz] RE: PIX FW Failover & Hello Packet

Danny,

Here is the Cisco recommended config of the cables for both LAN and stateful configs.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a008017279b.html#1048874

Note you cannot configure failover if the units are not absolutely identical. This includes 515 and 515E models.

The hello packets are sent over all interfaces every 15 seconds; if two consecutive hellos are missed, then the PIX will start testing each and every interface. (Sounds like this might be your issue.)

You should specifically check that you have spanning tree shut OFF on the switch ports involved. If the switch detects a bridge loop, it will delay forwarding for 30 seconds (default) and cause the hellos to be missed by the failover PIX.

Hope this helps.

Dave

On Mon, 2003-05-05 at 16:45, Sutantyo, Danny wrote:
Hi PIX expert, I need help...

I have 2 PIX 515 FWs and set up both of them to run as failover, and I have also put an ACL on each interface except the "Failover" interface. For some reason, a few minutes after the failover command is turned on, the standby PIX fails for a while, and it keeps checking all the interfaces.

The question is: the "hello" packet that the PIX FW sends to all the interfaces, is it multicast, or Cisco proprietary like Cisco CDP, or something else? Is it possible the ACL blocks the communication when the PIX tries to send the "hello" packet, and then it fails?

Both PIX FWs are set up with 2 cables, and all the interfaces are plugged into a switch that does not have trunking, etc. The inside interface is connected to a different switch from the other 3, and only these 3 interfaces are in a waiting mode (waiting for hello packet), but not the inside interface and the failover interface.

Any idea?

Thanks
Danny

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
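Added example, not part of the thread above and not taken from the Cisco guide Dave links: a switch-port and PIX 6.x configuration showing the setting that produces the symptom Dave describes (a port that sits in spanning-tree listening/learning for 30 seconds while the PIX sends hellos every 15 seconds) next to the corrected one. Interface names, VLAN number and IP addresses are assumptions. On the switch side this uses `spanning-tree portfast`, which makes the port forward immediately without disabling spanning tree on it; that is a swapped-in alternative to shutting spanning tree off on the port entirely, as Dave suggests, and removes the same 30-second forwarding delay.

```text
! --- Catalyst (IOS) switch: ports facing the 3 PIX interfaces that stay in
!     "Waiting". Names, VLAN 10 and addresses below are assumed.

! BEFORE (weak): trunk port in a port-channel with normal STP timers. When the
! link comes up it spends 2 x forward-delay (2 x 15 s = 30 s) in
! listening/learning before forwarding, so two consecutive 15-second hellos
! are lost and the PIX starts testing every interface.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on

! AFTER: plain access port, no channeling, portfast so the port forwards at
! once (alternative to disabling spanning tree on the port outright).
interface FastEthernet0/1
 description PIX-primary outside
 switchport mode access
 switchport access vlan 10
 no channel-group
 spanning-tree portfast
!
interface FastEthernet0/2
 description PIX-standby outside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

! --- PIX 6.x, primary unit (assumed addresses; the standby addresses are the
!     ones the standby unit answers hellos from on each interface) ---
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.3
failover ip address dmz 10.0.1.3
! Optional: poll every 5 s instead of the 15 s default (range 3-15), so a
! failure is noticed sooner; it does not help if the switch port is not
! forwarding at all.
failover poll 5

! Check on both units after "failover" is enabled: every interface should be
! reported as Normal rather than Waiting or Testing.
! pixfirewall# show failover
```

After changing the switch ports, bounce the affected interfaces (or re-enter `failover`) and watch `show failover` on both units for a few hello intervals; if an interface still cycles through Waiting and Testing, the hello is not reaching the peer on that segment, which points back at the switch path rather than the PIX configuration.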
Current thread:
- RE: PIX FW Failover & Hello Packet Sutantyo, Danny (May 06)
- Re: RE: PIX FW Failover & Hello Packet Dave Rinker (May 07)
- <Possible follow-ups>
- Re: PIX FW Failover & Hello Packet Mike Hoskins (May 07)
- RE: RE: PIX FW Failover & Hello Packet Sutantyo, Danny (May 07)
- RE: PIX FW Failover & Hello Packet Brian Ford (May 07)
- RE: Re: PIX FW Failover & Hello Packet Sutantyo, Danny (May 08)