failover replication http issue

cciesec2011
Level 3

I have a pair of Pix515 firewalls running version 8.0(4) in Active/Standby and "stateful" failover.  Everything seems to be working fine.  I have an Apache web server running on Linux sitting behind the firewall, and I have the firewall NAT rule as:

CiscoPix# sh run static
static (inside,outside) 10.109.114.4 192.168.209.97 netmask 255.255.255.255

CiscoPix#
CiscoPix# sh run | i failover
failover lan unit secondary
failover lan interface failover Ethernet4
failover lan enable
failover polltime unit 1 holdtime 3
failover key *****
failover replication http
failover link state Ethernet5
failover interface ip failover 10.1.0.1 255.255.255.252 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.255.255.0 standby 10.0.0.2

CiscoPix#
CiscoPix# sh run | i ip address
ip address 10.109.114.1 255.255.255.0 standby 10.109.114.2
ip address 192.168.209.254 255.255.255.0 standby 192.168.209.253
CiscoPix#

CiscoPix# sh run access-list 100
access-list 100 extended permit icmp any any log
access-list 100 extended permit ip any any log
CiscoPix# sh run | i access-group
access-group 100 in interface outside
CiscoPix#

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global

From a Windows machine outside the firewall, I can upload a large file via http to the host 10.109.114.4 without any issues, EXCEPT that to simulate an actual failover, I performed a "reload" on the "Active" firewall.  As soon as I reboot the Active Pix firewall, I immediately lose my http file upload.  I also have telnet and ssh connections to this Linux server as well.  The telnet and ssh connections to the same server stay connected as I reboot the Active Pix and the standby Pix takes over the Active role.  As you can see, I have "failover replication http" in the configuration.

I need to know why the http connection does not fail over when the Active Pix reboots.

Thanks

5 Replies

Shrikant Sundaresh
Cisco Employee

Hi,

It takes a while for the failover to take place (unfortunately it isn't instantaneous). The SSH and Telnet connections keep trying to reconnect and ultimately succeed once the secondary has become active. However, the HTTP upload, perhaps, does not try to reconnect for as long as the SSH and telnet clients do.

If you take captures, I think you would see the PC trying to establish a connection for maybe a couple of packets, and then sending a reset or just interrupting the upload process. -Edit-

In the captures before the failover, you would ideally see alternating Data and ACK packets. Data going from PC -> server, and server sending an ACK for that data. However, when you do a failover, you should see only Data. Once the TCP window is full, and it still doesn't get an ACK, it might either retransmit or just drop the connection. Not sure of that. Captures would give you a clear picture though.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

cciesec2011
Level 3

Then how do you explain the fact that when I use an http(s) connection to the same Apache web server to upload a file, rebooting the Active Pix did not cause the http(s) upload to the same Linux server to lose its connection?

I don't think https connections are replicated in a stateful failover. Only port 80 destined connections are replicated to the best of my knowledge.

For https, it most probably re-establishes a connection during the transfer. Again, the only way to confirm this would be to run captures on the PC from where you are uploading to the server. I suppose you would see another three way handshake soon after the failover.

I think it would be really informative if you could do the wireshark captures for http and https and share the results on this thread.

-Shrikant

jubetz
Level 1

Try without http inspection enabled.

Try to verify your conn is up on the standby before you fail over. It will be there in show conn.

If still no joy we'll need to understand why connection aborts with packet capture.

Sent from Cisco Technical Support iPhone App
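One way to do the check jubetz suggests (compare show conn on the active and standby units before reloading), as an added example that is not code from this thread or from Cisco: the show conn output below is constructed, and its line format is an assumption based on the PIX/ASA 8.x style.

```python
import re

# One PIX/ASA 8.x "show conn" line (format assumed), e.g.
# "TCP out 10.109.114.50:3451 in 192.168.209.97:80 idle 0:00:02 bytes 8192 flags UIO"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"\S+\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+idle\s+\S+\s+bytes\s+\d+\s+flags\s+(?P<flags>\S+)"
)

def parse_conns(text):
    """Return {(proto, src, sport, dst, dport): flags} for every line that parses."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            conns[key] = m["flags"]
    return conns

def unreplicated(active_text, standby_text):
    """Connections the active unit tracks but the standby does not.

    These are the flows that cannot survive a failover, so they are the ones to
    look at before reloading the active unit."""
    active = parse_conns(active_text)
    standby = parse_conns(standby_text)
    return sorted(k for k in active if k not in standby)

# Constructed sample output; the server address is the real (inside) address
# 192.168.209.97 from the thread, the client address is made up.
ACTIVE = """\
TCP out 10.109.114.50:3451 in 192.168.209.97:80 idle 0:00:02 bytes 8192000 flags UIO
TCP out 10.109.114.50:3452 in 192.168.209.97:443 idle 0:00:01 bytes 65536 flags UIO
TCP out 10.109.114.50:3453 in 192.168.209.97:22 idle 0:00:10 bytes 4096 flags UIO
TCP out 10.109.114.50:3454 in 192.168.209.97:23 idle 0:00:12 bytes 1024 flags UIO
"""
STANDBY = """\
TCP out 10.109.114.50:3453 in 192.168.209.97:22 idle 0:00:10 bytes 4096 flags UIO
TCP out 10.109.114.50:3454 in 192.168.209.97:23 idle 0:00:12 bytes 1024 flags UIO
"""

if __name__ == "__main__":
    # In this sample the ssh/telnet flows are on the standby, the http(s) flows are not.
    for proto, src, sport, dst, dport in unreplicated(ACTIVE, STANDBY):
        print(f"not on standby: {proto} {src}:{sport} -> {dst}:{dport}")
```

Paste the real output of show conn from each unit in place of the constructed strings; anything listed is a flow that will drop when the active unit reloads.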

jubetz
Level 1

See CSCtl51268 Doc: Stateful failover support for inspected protocols is best effort

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl51268

Please report back if removing http inspection allows this conn to survive a failover.

Regards,

-jb
