PIX LAN Failover 1

[HTY]

Hi,
To connect two PIX in a LAN failover enviroment, Cisco recommends to connect them through a switch but they don't explain why, can anybody tell me why a crossover cable won't handle the situation?
thanks

 

[HTY]

I do have an interface called fo:

nameif gb-ethernet0 inside security100
nameif gb-ethernet1 outside security0
nameif ethernet0 fo security20
nameif ethernet1 stateful-fo security30

For the upgrade to 6.3.1 I will stop the failover between the two units before the upgrade.
Tell you tomorrow what happens
Thanks for your help.


HTY

 

[baddos]

Why are you using two interfaces for the failover? You only need one. I would save the other one for a DMZ or something else.

 

[HTY]

2 interfaces for failover because, there will be a huge number of connections to be synchronized between the two units, so a dedicated link should be fine.


HTY

 

[baddos]

Saturate a 100Mb link though? I think having the two different links might be causing a problem. For trial and error sake, let's set it up to only use one and see if that fixes the problem (I know it shouldn't). If it doesn't you can set it back up the way you had it.

Also, is your secondary PIX's config up to date w/ the primary? A "write standby" will force a sync.

 

[HTY]

Secondary PIX is up to date, i verified that sooner by issuing a "wr erase" in the standy and a "wr standby" on the primary, this works fine.
It's a good idea to test with one cable, i'll do that tomorrow before upgrading to 6.3.1

HTY

 

[HTY]

Hi,
Here are the results of the tests:
With no stateful between the units: same problem.
stateful configured on the lan failover interfaces: same problem.
Upgrade from PIX OS 6.2(2) to 6.3(1): same problem!!!!
I asked my resseller to pen a case at the TAC.


HTY