Hi,
To connect two PIXes in a LAN failover environment, Cisco recommends connecting them through a switch but they don't explain why. Can anybody tell me why a crossover cable won't handle the situation?
thanks
Failover isn't one PIX talking to the other. I assume you mean to connect the two PIXes' NICs with a crossover cable. Each NIC requires a path to the outside.
I'm sure that a switch port is much more robust in handling all your network traffic as well. It's crucial to have all available LAN bandwidth. Also, if you're using a hub you'll be talking about lots of collisions etc.
"If you lived here, you'd be home by now!"
I use a crossover cable for the FO interface and it works fine. You might need a hub or a switch if you have a long distance between the two pix boxes.
Hi Baddos,
I'm done with the configuration of the two PIX units; failover is configured on both units (LAN failover is done with a crossover link connecting the two units).
When I unplug a cable (inside or outside) the standby unit switches to active and everything seems to be OK. The problem comes when I shut down the active unit: failover isn't switching, and the result I have is one standby unit and that's all!!
Is it because I am not using a switch to connect the failover cables from both sides???
thanks
I will post my failover configuration tomorrow as soon as I'm at work, but to tell you, it's a basic LAN failover configuration; the only parameter I changed is the failover poll interval, which I set to the minimum (3 seconds).
but here is a little description of my architecture:
Unplugging the inside or the outside cable on the primary/active causes failover. OK
Reloading the primary/active unit causes failover to the standby: OK
Powering down the primary/active unit does nothing!!!
When I type a show failover on the standby unit in this case, the result is that the status of all the interfaces is Normal!!! although I can't ping any of the interfaces!!
I'm wondering if I'm having this result because I'm not using a dedicated switch to connect the 2 units...
Thanks for your help..
You don't need a switch to do this. You can throw a cheap hub or switch in there temporarily to double check, though.
There must be something funky in your configuration. Unplugging the cables causes the FO, but powering off doesn't (which doesn't make sense, because both cause link failures).
Are you using the serial FO cable as well as the LAN?
bad dos,
Tomorrow I will test with a switch and with a hub, but I don't believe that this should change anything...
I don't see what can be funky with the configuration. I am using a typical configuration provided by Cisco; the only things that differ from the Cisco recommended configuration:
- failover poll time is set to 3 seconds.
- I am not using portfast on the outside switches (but I don't think that this should change anything, since unplugging outside cables causes FO).
- I'm not using a switch or a hub to make the LAN FO.
- I am not using the Cisco FO serial cable, since i have more than 100 meters between the two units!
If you have 100 meters between the two PIX boxes, you should seriously consider using a hub or a switch to connect the two of them. This will make sure the cable has the proper power. I wouldn't use a regular crossover cable in a PC-PC configuration further than, say, 5 meters. A switch-switch or hub-switch or hub-hub is a different story.
You should use portfast on all ports connecting to the PIXes.
However, I don't think these should cause what you are having problems with.
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo z.z.z.177 255.255.255.248
ip address stateful-fo t.t.t.t 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
And on the secondary unit:
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo x.x.x.177 255.255.255.248
ip address stateful-fo x.x.x.169 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit secondary
failover lan interface fo
failover lan key ********
failover lan enable
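Before blaming the cabling, it is worth checking the two posted configs mechanically: on a PIX the standby address from `failover ip address` has to sit in the same subnet as the interface's own `ip address`, both units must carry identical addressing (only `failover lan unit` differs), and the interface named by `failover lan interface` / `failover link` must actually have an `ip address` line. The script below is an added example written for this thread, not code from the poster or from Cisco; it parses both configs and reports every violation. The sample configs are constructed from the two posted above with the x.x.x / y.y.y / z.z.z / t.t.t placeholders replaced by RFC 5737 documentation addresses so the subnet arithmetic can run, and the secondary keeps the `fo` / `stateful-fo` network mismatch visible in the post.

```python
import ipaddress
import re

# Constructed sample configs modelled on the two units posted in this thread.
# Placeholder octets replaced with RFC 5737 documentation addresses.
PRIMARY_CONFIG = """
ip address inside 192.0.2.150 255.255.255.0
ip address outside 198.51.100.254 255.255.255.0
ip address fo 203.0.113.177 255.255.255.248
ip address stateful-fo 203.0.113.169 255.255.255.248
failover
failover poll 3
failover ip address inside 192.0.2.151
failover ip address outside 198.51.100.253
failover ip address fo 203.0.113.178
failover ip address stateful-fo 203.0.113.170
failover link stateful-fo
failover lan unit primary
failover lan interface fo
failover lan enable
"""

# Secondary as posted: its fo and stateful-fo addresses sit on a different
# network than on the primary (constructed to mirror the thread's mismatch).
SECONDARY_CONFIG = """
ip address inside 192.0.2.150 255.255.255.0
ip address outside 198.51.100.254 255.255.255.0
ip address fo 192.0.2.177 255.255.255.248
ip address stateful-fo 192.0.2.169 255.255.255.248
failover
failover poll 3
failover ip address inside 192.0.2.151
failover ip address outside 198.51.100.253
failover ip address fo 203.0.113.178
failover ip address stateful-fo 203.0.113.170
failover link stateful-fo
failover lan unit secondary
failover lan interface fo
failover lan enable
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STANDBY_RE = re.compile(r"^failover ip address (\S+) (\S+)$")
SINGLE_RE = {
    "lan_interface": re.compile(r"^failover lan interface (\S+)$"),
    "link": re.compile(r"^failover link (\S+)$"),
    "unit": re.compile(r"^failover lan unit (\S+)$"),
}


def parse_config(text):
    """Pull the addressing and failover role lines out of a PIX 6.x config."""
    cfg = {"ip": {}, "standby": {}, "lan_interface": None, "link": None, "unit": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            cfg["ip"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = STANDBY_RE.match(line)
        if m:
            cfg["standby"][m.group(1)] = ipaddress.ip_address(m.group(2))
            continue
        for key, pattern in SINGLE_RE.items():
            m = pattern.match(line)
            if m:
                cfg[key] = m.group(1)
    return cfg


def check_unit(cfg):
    """Problems visible from one unit's config alone."""
    problems = []
    for name, iface in cfg["ip"].items():
        standby = cfg["standby"].get(name)
        if standby is None:
            problems.append(f"{name}: no standby ('failover ip address') address")
        elif standby not in iface.network:
            problems.append(f"{name}: standby {standby} not in {iface.network}")
        elif standby == iface.ip:
            problems.append(f"{name}: standby address equals the active address")
    for key in ("lan_interface", "link"):
        name = cfg[key]
        if name is not None and name not in cfg["ip"]:
            problems.append(f"{key}: interface '{name}' has no 'ip address' line")
    return problems


def check_pair(primary, secondary):
    """Both units must carry identical addressing; only the unit role differs."""
    problems = []
    for section in ("ip", "standby"):
        for name in sorted(set(primary[section]) | set(secondary[section])):
            a, b = primary[section].get(name), secondary[section].get(name)
            if str(a) != str(b):
                problems.append(f"{section} {name}: primary has {a}, secondary has {b}")
    for key in ("lan_interface", "link"):
        if primary[key] != secondary[key]:
            problems.append(f"{key}: primary '{primary[key]}' vs secondary '{secondary[key]}'")
    if {primary["unit"], secondary["unit"]} != {"primary", "secondary"}:
        problems.append(f"unit roles are {primary['unit']} / {secondary['unit']}")
    return problems


if __name__ == "__main__":
    p, s = parse_config(PRIMARY_CONFIG), parse_config(SECONDARY_CONFIG)
    for label, probs in (("primary", check_unit(p)), ("secondary", check_unit(s)),
                         ("pair", check_pair(p, s))):
        print(label, probs or "OK")
```

Run against the constructed configs, the primary passes cleanly (so the `fo` interface referenced by `failover lan interface` does exist), while the secondary is flagged twice for standby addresses outside the `fo` and `stateful-fo` networks, and the pair check reports the same two interfaces as differing between the units. Paste the real configs in place of the samples to repeat the check.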
I did the test:
a switch connecting the two PIX to make the LAN FO.
Portfast is enabled on all the ports connecting the two pix.
I have the same result :-(
When shutting down either of the 2 PIXes, the other one sees that its peer is in a normal state!!!
A show failover on the secondary unit while the primary is shut down gives:
sh fail
Failover On
LAN-based Failover is Active
On the primary unit:
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Active
Active time: 3306 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
Other host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 410
Xmit Q: 0 1 409
LAN-based Failover is Active
interface fo (z.z.z.177): Normal, peer (z.z.z.178): Normal
On the secondary unit:
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Other host: Primary - Active
Active time: 2733 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
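The symptom above, a standby unit that keeps reporting its powered-off peer as Active with every interface Normal, is exactly the kind of stale state a monitoring job should catch. The script below is an added example for this thread, not code from the poster or from Cisco: it parses `show failover` output into a structure and then cross-checks the reported peer picture against an independent reachability result (for instance a ping of the peer's addresses from a third host, which the caller supplies). The sample output is constructed from the secondary unit's output posted above, with placeholder octets replaced by RFC 5737 addresses and the two LAN-based lines taken from the primary's output form.

```python
import re

# Constructed sample: the text the thread's standby unit printed while its peer
# was powered off, with the placeholder octets replaced by RFC 5737 addresses.
SHOW_FAILOVER_STANDBY = """\
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (203.0.113.170): Normal
Interface inside (192.0.2.151): Normal
Interface outside (198.51.100.253): Normal
Other host: Primary - Active
Active time: 2733 (sec)
Interface stateful-fo (203.0.113.169): Normal
Interface inside (192.0.2.150): Normal
Interface outside (198.51.100.254): Normal
LAN-based Failover is Active
interface fo (203.0.113.178): Normal, peer (203.0.113.177): Normal
"""

POLL_RE = re.compile(r"^Poll frequency (\d+) seconds$")
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (\S+)$")
ACTIVE_RE = re.compile(r"^Active time: (\d+) \(sec\)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+)$")
LAN_RE = re.compile(r"^interface (\S+) \(([\d.]+)\): (\S+), peer \(([\d.]+)\): (\S+)$")


def parse_show_failover(text):
    """Turn 'show failover' text into a dict: failover flag, poll, both hosts, LAN link."""
    out = {"failover_on": False, "poll": None, "this": None, "other": None, "lan": None}
    current = None  # host block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            out["failover_on"] = True
            continue
        m = POLL_RE.match(line)
        if m:
            out["poll"] = int(m.group(1))
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"unit": m.group(2), "state": m.group(3),
                       "active_time": None, "interfaces": {}}
            out["this" if m.group(1) == "This" else "other"] = current
            continue
        m = ACTIVE_RE.match(line)
        if m and current is not None:
            current["active_time"] = int(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
            continue
        m = LAN_RE.match(line)
        if m:
            out["lan"] = {"interface": m.group(1), "my_ip": m.group(2), "my_status": m.group(3),
                          "peer_ip": m.group(4), "peer_status": m.group(5)}
    return out


def assess(parsed, peer_reachable):
    """Compare the reported peer picture with an independent reachability probe.

    peer_reachable is the caller's result of probing the peer's interface
    addresses from a third host (constructed input in the usage below).
    """
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is not enabled")
    this, other = parsed["this"], parsed["other"]
    if other is None:
        findings.append("no peer information in output")
        return findings
    peer_all_normal = all(i["status"] == "Normal" for i in other["interfaces"].values())
    if peer_all_normal and not peer_reachable:
        findings.append("peer reported Normal on every interface but is unreachable: stale peer state")
    if this and this["state"] == "Standby" and other["state"] == "Active" and not peer_reachable:
        findings.append("this unit is still Standby although its Active peer is unreachable")
    return findings


if __name__ == "__main__":
    parsed = parse_show_failover(SHOW_FAILOVER_STANDBY)
    # Constructed probe result: the peer is powered off, so nothing answers.
    for finding in assess(parsed, peer_reachable=False):
        print(finding)
```

With the peer reachable the assessment is empty; with the peer down it reports both the stale Normal status and the standby unit that never took over, which is the thread's situation in one line of alerting rather than a manual `show failover` reading.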
stateful-fo is serving for the stateful failover, and has nothing to do with the LAN failover.
I don't understand why I should change it.
I'm using PIX OS 6.2(2); I'll test an upgrade to 6.3.1.
I already noticed that you've had a bad experience with this version.
I am running 6.3.1 right now. The problem I had w/ 6.3.1 is that you can't upgrade to the new version while the other PIX is turned on. They're supposed to fix that for the next version.
The reason why you should change that command, is because you don't have an interface named "fo" or at least what I could tell. You should set it to the correct interface name "stateful-fo".