topic Re: PIX and OSPF in Network Security

PIX and OSPF

ali-franks — Fri, 21 Feb 2020 07:40:11 GMT

Hi All,

I'm aware that the PIX does not provide load balancing functionalty at the moment - that's coming in version 7 apparently.

However, my query is this:

Instead of using a failover pair, has anyone implemented the use of two PIX running OSPF in order to load balance outbound traffic? I see no reason why this shouldn't work provided the interfaces on the inside of the PIX's are connected to router/s with different VLSM subnets

Any comments please?

Regards

Ali

Re: PIX and OSPF

lr.moore — Sat, 09 Oct 2004 19:59:22 GMT

Agree with you. OSPF should also allow you to have two separate routers out in front of it participating in OSPF, giving the PIX two equal cost routes.. Interesting theory. I shall try that in my lab....

Unfortunately, I only have one PIX to play with, so I can't test your theory of having dual PIX's. The only problem with that scenario is that you have to have a router on the inside that all the clients/users point to for their default gateway...

Re: PIX and OSPF

lr.moore — Sat, 09 Oct 2004 20:46:42 GMT

Well, my experiment worked...two outside routers, both advertising default, two equal cost routes out of the PIX

O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.2.2.1, 0:01:59, outside

[110/1] via 10.2.2.3, 0:01:59, outside

Re: PIX and OSPF

ali-franks — Tue, 12 Oct 2004 11:37:10 GMT

Thanks Leslie, I just needed the sanity check. Thanks also for taking the time to try it in a lab.

Ali

Re: PIX and OSPF

HENRIQUE REIS — Sat, 30 Oct 2004 21:20:14 GMT

I am trying to implement this right now. Running into a few problems. I've been finding that if traffic flows out one pix, then subsequent packets of the same flow exits the other pix it breaks. I'm pretty sure it's because of ASA not allowing a previously built connection from one pix to go out another. This is just theory.

The way I have implemented it so far is by redistributing static (the default route) into ospf. I have a 2651 router in front of the two pixs, and it's routing table shows the two default routes of equal routes.

I've noticed though that the router is just choosing one default gateway and sticking to it for most of the time.

So here comes my current problem: If I try to modify the costs of the default routes to favour one default route over the other, nothing changes as far as the administrative distances on the 2651.

I'm stumped.

Re: PIX and OSPF

HENRIQUE REIS — Sat, 30 Oct 2004 21:23:45 GMT

Just adding to this....

After reading some replies, I found my implementation is different so my problem is different..