Solved: PIX stateful failover and external circuits

hws_admin · ‎02-14-2007

Using a pair of PIX firewalls, OS ver 7.2, in a failover setup.

The outside interfaces of the two PIXes are connected to provider on two separate circuits.

Provider claims that in such a configuration, stateful failover does not work, and we need to hook up a switch (or a couple switches) between the pair of PIXes and the two circuits.

Somehow that doesn't ring true to me. I thought stateful failover has nothing to do with the way the outside interfaces are hooked up.

Which way is it?

Can somebody point me to a document that supports either one version or the other?

vitripat · ‎02-14-2007

For how the firewalls should be connected:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#wp1053462

How to configure Failover in 7.2 code:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/failover.htm#wp1002608

View solution in original post

vitripat · ‎02-14-2007

For how the firewalls should be connected:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#wp1053462

How to configure Failover in 7.2 code:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/failover.htm#wp1002608

mrinmoy.m · ‎02-19-2007

Hi Dude...

Are you running the Firewall in multiple context mode. What failover you have configured - Active/Active or Active/Standby?

In this scenario the Firewalls are getting seperate updates from diff. devices and routing of the packet will also be different. U cant have diff configuration on two firewalls operating in failover mode.

Am not sure whether you get such scenario.

Regards

mrinmoy