I'm aware that the PIX does not provide load balancing functionality at the moment - that's coming in version 7 apparently.
However, my query is this:
Instead of using a failover pair, has anyone implemented the use of two PIX running OSPF in order to load balance outbound traffic? I see no reason why this shouldn't work provided the interfaces on the inside of the PIXes are connected to router/s with different VLSM subnets.
Any comments please?
Agree with you. OSPF should also allow you to have two separate routers out in front of it participating in OSPF, giving the PIX two equal cost routes. Interesting theory. I shall try that in my lab....
Unfortunately, I only have one PIX to play with, so I can't test your theory of having dual PIXes. The only problem with that scenario is that you have to have a router on the inside that all the clients/users point to for their default gateway...
Well, my experiment worked...two outside routers, both advertising default, two equal cost routes out of the PIX
O*E2 0.0.0.0 0.0.0.0 [110/1] via 10.2.2.1, 0:01:59, outside
[110/1] via 10.2.2.3, 0:01:59, outside
I am trying to implement this right now. Running into a few problems. I've been finding that if traffic flows out one PIX, then subsequent packets of the same flow exit the other PIX, it breaks. I'm pretty sure it's because of ASA not allowing a previously built connection from one PIX to go out another. This is just theory.
The way I have implemented it so far is by redistributing static (the default route) into OSPF. I have a 2651 router in front of the two PIXes, and its routing table shows the two default routes of equal routes.
I've noticed though that the router is just choosing one default gateway and sticking to it for most of the time.
So here comes my current problem: If I try to modify the costs of the default routes to favour one default route over the other, nothing changes as far as the administrative distances on the 2651.
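The failure described in the post above, where later packets of a flow leave through a different PIX than the one that built the connection, can be reproduced in a small model. This is an added example, not code from the thread or from Cisco: the firewall class, the two next-hop pickers and the sample flows are constructed, and only outbound TCP packets are modeled.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Constructed stand-in for one PIX: it only knows connections it built itself."""
    name: str
    conns: set = field(default_factory=set)

    def outbound(self, flow, flags):
        # A SYN builds a connection entry; anything else must match an existing one.
        if flags == "SYN":
            self.conns.add(flow)
            return True
        return flow in self.conns

def per_packet(flow, seq, n):
    """Round-robin every packet across the equal-cost next hops."""
    return seq % n

def per_flow(flow, seq, n):
    """Pin a flow to one next hop (source port used as a stand-in for a flow hash)."""
    return flow[1] % n

def send_flows(flows, packets_per_flow, pick_next_hop):
    """Push each flow through two independent firewalls; report drops and state tables."""
    fws = [StatefulFirewall("pix-a"), StatefulFirewall("pix-b")]
    dropped = {}
    seq = 0
    for flow in flows:
        for i in range(packets_per_flow):
            flags = "SYN" if i == 0 else "ACK"
            fw = fws[pick_next_hop(flow, seq, len(fws))]
            if not fw.outbound(flow, flags):
                dropped[flow] = dropped.get(flow, 0) + 1
            seq += 1
    return dropped, [len(fw.conns) for fw in fws]

# Constructed sample flows: (src ip, src port, dst ip, dst port)
SAMPLE_FLOWS = [("10.1.1.10", 40000 + i, "192.0.2.80", 80) for i in range(4)]

if __name__ == "__main__":
    for picker in (per_packet, per_flow):
        drops, tables = send_flows(SAMPLE_FLOWS, 4, picker)
        print(f"{picker.__name__}: dropped={sum(drops.values())} conns per firewall={tables}")
```

With per-packet sharing, every flow loses the packets that land on the firewall that never saw its SYN; pinning each flow to one next hop keeps both firewalls in use without splitting any connection.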