Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
849
Views
0
Helpful
5
Replies

CSS Failover issue

sudhir.rai
Level 1
Level 1

‎09-13-2010 05:07 AM

Hi All,

We are planning to use two CSS 11506 devices in the Box-Box redundancy method as per our design requirement.

We suspect that the failover does not work if the primary loadbalancer fails and active pixfirewall is still up.as the pix fails to update Gratitious ARP because of its security parameter .

Kindly suggest if any other method is possible to achive 100% redundancy in active -standby failover design.

Labels:
Preview file
22 KB
0 Helpful
5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

‎09-13-2010 11:40 PM

box-to-box is the least interesting solution.

Better go for interface/vip redundancy.

This method can allow  you to configure stateful redundancy with isc link.

Failover are faster.

More complicated to configure but you get a better control.

Also, if you connect directly the pix/firewall into the CSS, you indeed have problem if one css fails but not the pix.

You need to add a switch between css and firewall.

Or find a way to connect each firewall to each css.

Gilles.

0 Helpful

sudhir.rai
Level 1
Level 1
In response to Gilles Dufour

‎09-14-2010 12:32 AM

please refer to the document attached ...between firewalls and CSS we have 2 switch , but then too we suspect whether

failover will happen if css fails and primary pix is still up if we go to BOX to box reduandancy.

Preview file
22 KB
0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to sudhir.rai

‎09-14-2010 01:07 AM

You need to interconnect the switch

    PIX-1                         Pix-2

      |                                  |

      |                                  |

    Switch-1 -----------------Switch-2

      |                                  |

      |                                  |

    CSS-1 ----------------------- CSS-2

Like this, you can have PIX1 active with CSS-2 active.

Traffic will go from CSS-2 to switch-2 to switch-1 to pix-1.

Gilles.

0 Helpful

sudhir.rai
Level 1
Level 1
In response to Gilles Dufour

‎09-14-2010 02:36 AM

hi,

Thanks for your reply....

Switch is already interconnected ( sorry for the wrong diag)

But my concern is if When we configure reduandancy of CSS in VRRP mode and in case CSS 1 fails and CSS 2 becomes active its VIP will be same with different mac -id  of CSS2 .

In  above case when the traffic moves from CSS2 to PIX 1 (active via interconnected switch) pix has already has same ip (VIP)  with different mac-id (CSS1) . In this case pix will deny the gratious ARP until it clears its arp cache which is by default 4 hrs. Also we cannot reduce this time as this is will affect the performance .

Please revert if something is missing from my side.......

Looking forward for suggestion or any other method  by you..

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to sudhir.rai

‎09-14-2010 04:18 AM

The CSS will use the same mac-address for the vip when they are in redundant mode.

So the pix will continue using the same mac.

The CSS that becomes primary will send a G-ARP so that the switch learns the new path to the owner of the virtual mac-address.

So this is covered.

No worries there.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card