Re: Pix Transparent mode: standby unit

matt.walls · ‎04-15-2010

I have a failover pair that are running in transparent mode. the problem that we are experiencing is that the upstream router (connected to the outside interfaces) are selecting the mac of inside interface. this causes communication, as we use ssh to monitor the health of the standby unit by ssh'ing into it.

Jennifer Halim · ‎04-16-2010

Not sure how the router is getting the mac address of the inside.

How is your router connected to the PIX outside interface? ie: can you double check that it is connected to the switchport that has been assigned the same vlan as the PIX outside interface? If you "clear arp" on the router, does it dynamically learn the inside mac address of the PIX? Are you connecting the PIX inside and outside interfaces to the same switch? Can you also confirm if there is no SVI configured at all for the PIX inside vlan.

matt.walls · ‎04-16-2010

I was told by tac that this is normal behavior of firewall. it just takes random interface mac for the management ip.

and that this is also normal, because customers are only interested in managing active firewall... not activly managing standby firewall.

this is not the case for us, as we monitor the health of both firewalls.

so, trying to get creative to solve this issue...

Jennifer Halim · ‎04-16-2010

I don't think the statement "it just takes random interface mac for the management ip" is correct at all.

You are hitting this bugID: CSCsh33290:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh33290