topic Re: failover replication http issue in Network Security

failover replication http issue

cciesec2011 — Mon, 11 Mar 2019 20:20:03 GMT

I have a pair of Pix515 firewall running version 8.0(4) in Active/Standby and "stateful" failover. Everything seems to be working fine. I have a Apache web server running on Linux sitting behind the firewall and I the firewall NAT rule as:

CiscoPix# sh run static
static (inside,outside) 10.109.114.4 192.168.209.97 netmask 255.255.255.255

CiscoPix#
CiscoPix# sh run | i failover
failover lan unit secondary
failover lan interface failover Ethernet4
failover lan enable
failover polltime unit 1 holdtime 3
failover key *****
failover replication http
failover link state Ethernet5
failover interface ip failover 10.1.0.1 255.255.255.252 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.255.255.0 standby 10.0.0.2

CiscoPix#
CiscoPix# sh run | i ip address
ip address 10.109.114.1 255.255.255.0 standby 10.109.114.2
ip address 192.168.209.254 255.255.255.0 standby 192.168.209.253
CiscoPix#

CiscoPix# sh run access-list 100
access-list 100 extended permit icmp any any log
access-list 100 extended permit ip any any log
CiscoPix# sh run | i access-group
access-group 100 in interface outside
CiscoPix#

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global

From a windows machine outside the firewall, I can upload a large file via http to the host 10.109.114.4 without any issues EXCEPT to simulate an actual failover, I performed a "reload" on the "Active" firewall. As soon as I reboot the Active Pix firewall, I immediately lost my http file upload. I also have telnet and ssh connection to this Linux server as well. The telnet and ssh connection to the same server stays connection as reboot the Active Pix and the standby Pix takes over the Active role. As you can see, I have "failover replication http" in the configuration.

Need to know why http connection does not failover when the Active Pix reboot.

Thanks

Re: failover replication http issue

Shrikant Sundaresh — Wed, 13 Apr 2011 01:03:29 GMT

Hi,

It takes a while for the failover to take place.(Unfortunately it isn't instantaneous) The SSH and Telnet connections keep trying to reconnect and ultimately succeed once the secondary has become active. However, the HTTP upload, perhaps, does not try to reconnect for as long as the SSH and telnet clients do.

If you take captures, I think you would see the PC trying to establish a connection for maybe a couple of packets, and then sending a reset or just interrupting the upload process. -Edit-

In the captures before the failover, you would ideally see alternating Data and ACK packets. Data going from PC -> server, and server sending an ACK for that data. However, when you do a failover, you should see only Data. Once the TCP window is full, and it still doesn't get an ACK, it might either retransmit or just drop the connection. Not sure of that. Captures would give you a clear picture though.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: failover replication http issue

cciesec2011 — Wed, 13 Apr 2011 01:44:47 GMT

then how do you explain the fact that when I use http(s) connection to the same Apache web server to upload file, rebooting the Active Pix did not cause lost connection of uploading via http(s) to the same Linux server?

Re: failover replication http issue

Shrikant Sundaresh — Wed, 13 Apr 2011 01:59:13 GMT

I don't think https connections are replicated in a stateful failover. Only port 80 destined connections are replicated to the best of my knowledge.

For https, it most probably re-establishes a connection during the transfer. Again, the only way to confirm this would be to run captures on the PC from where you are uploading to the server. I suppose you would see another three way handshake soon after the failover.

I think it would be really informational, if you could do the wireshark captures for http and https and share the results on this thread.

-Shrikant

Re: failover replication http issue

jubetz — Wed, 13 Apr 2011 02:35:34 GMT

Try without http inspection enabled

Try to verify your conn is up on standby before you failover. It will be there in show conn

If still no joy we'll need to understand why connection aborts with packet capture.

Sent from Cisco Technical Support iPhone App

Re: failover replication http issue

jubetz — Wed, 13 Apr 2011 14:11:57 GMT

See CSCtl51268 Doc: Stateful failover support for inspected protocols is best effort

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl51268

Please report back if removing http inspection allows this conn to survive a failover.

Regards,

-jb