Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
570
Views
0
Helpful
4
Replies

PIX loadbalancing woth CSM - probe problem

aobszynski
Level 1
Level 1

‎03-29-2004 07:06 AM

2 CSM/CATs on one side (FT)

2 CSM/CATS on other (also FT)

load balancing 2 PIX 535.

probing icmp pings only "direct" pix interface

the opposite interface will never answer to ping.

So switching off int in one pix make real FAILED on one side but other side still have working real and sends traffic to one leg PIX.

How to solve that ?

Labels:
0 Helpful
4 Replies 4

jfoerster
Level 4
Level 4

‎03-29-2004 07:56 AM

HI,

just define a probe which is pinging through the pix (e.g the GW on the otherside of the pix) If this ping fails this server will be removed. Make sure that your pix allows this traffic.

Kind Regards,

Joerg

0 Helpful

aobszynski
Level 1
Level 1
In response to jfoerster

‎03-30-2004 03:43 AM

I test that, it should work but when you have 2 pixes

and 2 CSM one both ends.. (CSMs and PIXes are directly connected via CAT Gig/Fe ports)

you need define 2 static routes on every CSM that working fine. But you also need to define statics on "standby" too.

ie:

networks 192.168.27 divded on 2 halves..

.124 - .1 - .129 - 253

.123 - .2 - .130 - 252

alias .125 alias .254

In such situation only "one halve" can works

0 Helpful

jfoerster
Level 4
Level 4
In response to aobszynski

‎03-30-2004 08:54 AM

Hi,

maybe I understood something wrong. What you are doing is firewall loabalancing (2 active FWs inbetween a CSM and the 2nd CSM for failover) which is partly described in http://www.cisco.com/en/US/products/hw/modules/ps2706

/products_configuration_example09186a008020cd7c.shtml

This works absolutely fine. Unfortunaltey I did not realy get what is not working and why you need two routes. When you talk about the standby, are you having a PIX-failover bunlde or what is it that you want to achieve. Maybe you can attach a drawing what you want to achieve including the topology.

Regards,

Joerg

0 Helpful

aobszynski
Level 1
Level 1
In response to jfoerster

‎03-30-2004 09:19 AM

I thinking about that:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm_3_2/icn/fwldbal.htm#1037625

when Firewall 1 and Firewall 2 are pinged on directly connected interfaces then directly connected probe detect pix problem. But problem with whole PIX device is less typical than one of his interfaces down (ie. fiber patchcord unplug) than one (opposite/working) interface answers with ping and CSM sends traffic to that "real".

Great solution will be pinging opposite pix interface

but this isn't supported by PIX ASA. So i have tried

ping "any" ip behind pix which is currentl ip address of CSM VLAN.

When you had one PIX there is no a problem... but when you had two of them you need check both of them.. you defining static route:

ip_behind_pix VIA ip_pix_direct_int

Then thing not only about ECHO REQ but also on ECHO REPLY - there is no way to put static routing for those devices what active and standbys on both sides will detect pix interface errros...

There is no way to put REPLY on different gate than ECHO REQ...

Think of it drawing 6 icons, giving them 10 ip (2 for pix inside and outside, one for every CSM) adds

and then try set up static route that ping REQ and reply will go the same way. There is no such way...

IMHO 8-)

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card