Active-Active in PIX Ver.7

haithamnofal
Participant

Hi,

I have a question about Active-Active configuration in PIX Ver.7. After configuring my primary PIX FW with 2 security contexts and with 2 failover groups, and after applying the needed configuration as illustrated in the online config guide, I connected the serial cable between the primary and the secondary firewalls in the correct way and typed the failover command on both firewalls to allow config replication between them. The configuration was not replicated though, until I rebooted my primary PIX, when the configuration was replicated PARTIALLY from the primary to the secondary; for example only the admin context configuration was replicated, while the ctx1 context configuration wasn't replicated at all!! What surprised me also is that my primary PIX name was overwritten by the name of the secondary!!

Do I need to do anything on the secondary firewall before applying the "failover" command; do I need, for example, to create a ctx1 context in the secondary PIX? I noticed that I need to switch it to multi-mode, but is there any other configuration that should be applied on the secondary in order for the replication to happen? Please advise!

Regards,

Haitham

6 REPLIES

nkhawaja
Cisco Employee

You don't need to create the contexts, but both PIXes have to be set in multi-context mode.

Maybe the secondary PIX's context was active, hence it overwrote the primary PIX.

Show us your configs and we can answer better.

thanks

Nadeem

Hi Nadeem,

You are right, the secondary PIX admin context was active and configured with a different configuration, which might have caused the problem, but the strange thing is that the replication happened from the secondary to the primary! Do you have an explanation for this?

After erasing the configuration on the secondary unit, I managed to replicate the configuration correctly from the primary to the secondary and things look OK; only one weird thing I'm getting when I run the "show failover state" command from the primary. It's showing:

Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure

Does the comm failure message indicate anything wrong?

One more question: how can I allow the traffic to be balanced equally between the 2 firewall units? I understand that this is a matter of routing, but any idea on how this can be achieved?

Thanks a lot,

Haitham

Hi,

I think the failover is configured fine. You should understand that the SYNC process happens from ACTIVE to STANDBY (not from primary to secondary).

Configs are always synced up from ACTIVE to STANDBY.

As far as load balancing is concerned, all you can do is bring your firewall into multi-context mode (2 contexts) and get the license for active/active.

Context 1 will be active on one firewall, while context 2 will be active on the other firewall.

But there are addressing things you need to take care of.

It is not a routing matter for load balancing.

See this link

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1096075

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1046980

thanks

Nadeem

Excellent, this makes sense to me that config replication happens from Active to Standby and not from Primary to Secondary. But regarding load balancing, the reason why I'm asking this question is because my understanding is that the PIX doesn't use a virtual or a shared IP for its redundant interfaces (e.g. the IP address of the outside interface will be different on each FW and there's no shared IP between them)... this is, for example, different from the way Netscreen does it by using the same physical interfaces for the identical interfaces on the 2 FW units, which causes traffic to be balanced automatically between the 2 Active-Active units.

My design architecture is like this:

Router--->Switch1--->PIX1,PIX2----XSwitch2,Switch3

Each PIX is connected via redundant connections to Switches 2 & 3 to achieve full redundancy. Now, due to the fact that the IP address of the outside interface on each PIX is different, which is the case for the internal interfaces as well, when traffic comes from the router to the inside, Switch1 will see 2 different IP addresses for the 2 PIX firewalls, so how will the PIX take it from there and load balance the traffic? Assume the addresses of the outside interfaces on each PIX are as follows: 192.168.1.1 & 192.168.1.2

Thanks again,

Haitham

Yes, that is right, the PIX doesn't load balance like Netscreen. There is no virtual address capability at the moment. This type of load balancing will not work.

All you can do is use the PIX pair in failover mode, have two contexts in each PIX; each context will be active on one of the PIXes.

Basically the idea is to have two separate firewalls serving two different subnets, etc.

This way you can achieve load balancing.
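For reference, here is a minimal PIX 7 Active/Active bootstrap matching what Nadeem describes in the two replies above (two contexts, two failover groups, each group active on a different unit, and an active/standby address pair per interface instead of a shared VIP). This is an added, constructed example, not configuration from this thread or from Cisco's guide; the interface names, VLAN numbers, failover-link addresses, config-url file names and the "folink" label are assumptions.

```cisco
! --- Primary unit, system execution space (constructed example) ---
! Both units must already be in multiple context mode ("mode multiple").
failover lan unit primary
failover lan interface folink Ethernet3
failover link folink Ethernet3
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
!
! Group 1 is normally active on the primary, group 2 on the secondary.
! A context's config syncs from whichever unit is ACTIVE for its group
! to the STANDBY unit (Nadeem's point), not from primary to secondary.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
interface Ethernet0.10
  vlan 10
interface Ethernet1.10
  vlan 10
!
admin-context admin
context admin
  allocate-interface Ethernet0
  allocate-interface Ethernet1
  config-url flash:/admin.cfg
  join-failover-group 1
context ctx1
  allocate-interface Ethernet0.10
  allocate-interface Ethernet1.10
  config-url flash:/ctx1.cfg
  join-failover-group 2
failover
!
! --- Inside ctx1 (changeto context ctx1): active/standby address pair.
! The unit active for group 2 answers on .1, its peer on .2; this is the
! "addressing" Nadeem mentions, there is no shared VIP.
interface Ethernet0.10
  nameif outside
  security-level 0
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! --- Secondary unit, system execution space ---
! Keep it otherwise empty (write erase): an active context carrying a
! stale config on this unit is what got pushed back to the primary above.
failover lan unit secondary
failover lan interface folink Ethernet3
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
```

Bring the secondary up with only the bootstrap lines shown, then enable failover on the primary; the context configurations replicate to it.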

Thanks Nadeem,

Any suggestions to work around this by deploying a load balancer device that can create a VIP in such a scenario?

Regards,

Haitham
