cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

432
Views
2
Helpful
7
Replies

Configuration replication in PIX firewall

  Hi,

Yes i know that PIX is EOL but i would like to ask query on the working of this firewall, which i am expecting to be the same in ASA as well. Configuration replication happens often in pix firewall will this happen from primary to secondary or Active device to standby device.

7 REPLIES 7
Jouni Forss
Mentor

Hi,

The Active device replicates the configuration to the Standby if you make configurations. The command "write standby" should also copy the whole configuration of Active to the Standby device. The command "write mem" should be enough though.

So whichever device is Active replicates the configuration to the Standby unit at that time.

Do notice that if you happen to make configurations on the Standby unit they wont be replicated to the Active unit. The Standby PIX should also warn you if you try to configure it.

- Jouni

HI Jouni,

Thanks for your quick reply, could you specify the configuration that you are talking about in specific because what i have observed lately is the replication has happened from primary unit to secondary unit.

Hi,

Command should only be replicated from Active to Standby.

You might have "failover" configurations that state "primary" and "secondary" this on the other hand doesnt tell which is Active/Standby

Your Failover starting situation might be that the PIX configured as "primary" might start out as Active. If it for example loses power and reboots the "secondary" PIX that was Standby would be changed to Active state.

Now, even if the "primary" PIX boots back up, it WONT take the Active role until the current Active PIX fails or you manually change the "primary" back to Active.

So in the above sense, if your "primary" PIX has failed and "secondary" has changed to Active role it would be replicating configurations to the "primary" unit. And this would be normal.

With Regards the configurations you are asking.

I'm not talking about the any certain configurations. I'm talking about configurations in General. They are always replicated from Active to Standby. If you configure Standby unit it will accept the configurations but they are NOT sent to the Active unit.

Then again if your above Standby PIX that has new configurations changes to Active, it might replicate those changed configurations to the new Standby unit.

Hopefully the above made some sense.

Please rate if the information has been helpfull and/or ask more questions

- Jouni

Hi,

Indeed what i was trying to say is i had cluster firewall in which the Active device which is connected to primary end of  failover cable went faulty and hence we tried replacing it. Before the start of activity what i assumed is that the running configuration will be replicated to the device which i am going to connec to the network to the primary end of the cable but what happned was vice versa. Replication happened from the device newly added device and yes it was in standby mode till i tried to make it Active by reducing the number of up in the other device.

Hi,

If your situation was that Primary firewall had failed and Secondary was Active and you then replaced the Primary only to find out that the blank (?) new Primary PIX replicated its configuration to the current Active unit....THEN I would have to say that it doesnt follow the logic of the current or 8.2 ASAs atleast.

I just had an customer which had its Primary firewall break down due to problems with the PSU. I got the replacement device and configured it only with Failover configurations. Attached it to the network with the Active Secondary ASA unit and the now connected fresh Primary unit got the configurations from the Active Secondary ASA. So the newly added ASA DIDNT replicate its configurations to the already Active ASA.

Only thing I can guess at this point is that there is some difference in the operation of the Failover. Perhaps regarding the software? Would have to check it myself to make sure. I have not had this problem myself.

- Jouni

Hi,

Thank you for sharing your ASA experience atleast i had some confirmation on working of ASA. And also i observed an other thing. When i was trying to power off and On the standby device (connected to secondary end of cable). I actually lost connectivity to wards all the segment connected. to firewall. Can you through some light on this behaviour.

Raj.

Hi,

I quickly searched for a PIX specific Failover document and it states the following

Replicate the PIX Configuration

The two units must have the exact same configuration and must run the       same software version. This is easily accomplished, since configuration       replication occurs over the failover cable, or from the LAN interface       configured with failover lan interface interface_name command, from the active unit to the standby unit in these       ways:

  • When the standby unit completes its initial boot-up, the active unit           replicates its entire configuration to the standby unit. This occurs if you use           a failover cable because you need the initial configuration on both the primary           and secondary units in order to identify them as primary and secondary units.           This feature has been introduced to overcome the serial cable length and speed.

  • As commands are entered on the active unit, they are sent across to           the standby unit.

  • When you enter the write standby command           on the active unit, you force the entire configuration to memory on the standby           unit.

The configuration replication does a "memory-to-memory" copy. Once this       completes, you need to issue a write memory command       on the active unit in order to write the configuration into the Flash memory of       the standby unit. Both "sync started" and "sync completed" console messages are       displayed during this operation. Large configurations can take awhile to       transfer. If a switchover occurs during replication, the new active PIX has       only a partial configuration. The unit then reboots itself to recover the       configuration from the Flash or re-sync by the other unit.

The configuration replication only occurs from the active unit to the       standby unit. Changes made to the standby unit do not pass to the active unit.

Fail Back

Whenever a failure or switch occurs, syslog messages are generated that       indicate what happened. Fail back to the primary unit is not forced. Fail back       is not a forced activity as there is no reason to switch active and standby       roles. Therefore, when a failed primary unit is fixed and brought back on line,       it does not automatically resume as the active unit. In order to force a unit       to be the active unit, use the failover active command on the standby unit or the no failover       active command on the active unit. If       Stateful Failover is used, then       connection state information passes from the active unit to the standby unit.       Otherwise, the state information is not tracked and sessions must be       reestablished by applications. This means all active connections drop after a       switchover. Because the newly active unit assumes the same IP and MAC address       as the previously active unit, no ARP entries need to change or timeout       anywhere in the network.

Quickly reading through it I can't see anything there that would conflict what I have mentioned with  the operation of Failover and the configuration replication.

Whole document can be found at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml#intro

- Jouni

Create
Recognize Your Peers
Content for Community-Ad