09-08-2003 08:08 AM - edited 02-20-2020 10:58 PM
Does the failover bundle one gets for a PIX firewall have support for "rip active stand by"?
09-08-2003 12:08 PM
I am not 100% sure what you mean by "rip active stand by", but the standby PIX in a failover pair will not participate in the RIP network until a failover occurs and it becomes the active mate in the pair. The standby PIX is limited in the kinds of packets it listens for (failover, ICMP, etc.). This is something we are aware of and are looking to address. This has become more apparent with OSPF, but I suspect the "fix" will work with RIP as well.
Scott
09-09-2003 10:53 AM
Hey Scott, with reference to your website, the secondary gets an identical configuration as the primary. That being the case, how can the standby PIX be limited in the kind of packets it picks up? Are you trying to say that in spite of the OSPF configuration the standby PIX fails to pick up OSPF hello packets, and that there's a "fix" for that? Can you please throw some more light on that? Thanks.
09-09-2003 11:23 AM
Essentially, the stand-by PIX drops the OSPF hello packets that are sent to it. When the PIX is in stand-by mode, only a limited amount (or type) of traffic is accepted (telnet, ICMP, failover messages, etc.). There currently is no fix for this, but we are aware of this as a problem. For instance, for management purposes, let's say you need to get to the stand-by PIX from a host that is several hops away. Since you configured OSPF on your primary, all static routes have most likely been removed on both the primary and, subsequently, the stand-by as well. Because the stand-by does not participate in the OSPF network, it does not have any routes to these remote networks, so telnet, SSH, ICMP, etc. will fail. We are evaluating several ideas now to address this limitation.
Does this help?
Scott
09-09-2003 01:43 PM
Thanks Scott, I never knew that the standby drops hello packets. However, I wonder: when the standby becomes active (assuming that OSPF is pre-configured), it should form an adjacency with its peer, right? I totally understand the point you are making in terms of traffic allowed across the standby while it is in standby mode. However, I wanted to know what happens to the standby when it becomes active, especially if it's a stateful failover. Say there was an FTP download while the primary fails: how long will it take for the standby to relearn the routes and restore the FTP connection to complete the download?
09-09-2003 01:55 PM
Yes, yet another example of why we need to figure out a way for the stand-by PIX to learn the OSPF routes before a failover occurs. Unfortunately, this is not a trivial task and is why we are looking at several options. When a failover occurs, the whole OSPF process needs to be kicked off again (remember, the IP address changed on the stand-by PIX) to elect the DR and BDR, exchange LSAs, etc. Depending on the size of your network, this process could take upwards of a minute or so. During this delay, your time-sensitive sessions could be RST. But in most cases, the TCP protocol is robust enough to continue the connections once the routes are re-established. If doing stateful failover, the connections are maintained (as you undoubtedly know) after a failover.
Again, not the most elegant solution, but we are aware of this and are trying to find a way to address it.
Scott