cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
550
Views
0
Helpful
3
Replies

what should be the ip add of the failover interface of the secondary pix

sebastan_bach
Level 4
Level 4

what should be the ip address of the failover interface of the secondary pix . this is a lan based failover. the ip address of failover interface of the primary pix is 10.1.1.1/24 and failover ip address is 10.1.1.2.

what should be the ip address of the failover interface of the standy pix and the failover ip address.

in some examples i have seen the ip address of the failover interface of the standy pix in respect to this example is 10.1.1.1 and the failover ip address id 10.1.1.2/. i am confused. the book sayd the ip address of the failover interfaces should always be different but in the same subnet.

pls clear my doubt over this. thank u in advance.

sebastan

3 Replies 3

turnbull
Level 1
Level 1

Hi Sebastan,

There's a little gotcha with lan based failover. Unlike serial based failover where the secondary pix doesn't require any configuration to be sync'd with the primary and has the config pushed to it, lan based requires at least a minimal communication between the devices to perfom the sync. Although it doesn't feel right to put two devices on the network with the same ip address, this is how lan based failover works.

The physical interfaces are configured with the same ip address and the failover sync process takes care of sorting it out.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml#lanbasedfailover

Cheers,

Paul

hi buddy . ok yeah i got it. means we haev to configure same ip address of both the failover interface. here i am trying to explain what i understood from ur explaination.

the failover ip address command in the active pix is actually the assigned ip address to the failover interface of the standy pix am i right. during failover the active pix will take over this ip address .after failover when the standy pix becomes active it will have same config as active pix. by having active pix address as it's address on the failover interface. am i right. is the the way it works. pls correct me if i am wrong.

i would like to know one more thing in the examples link that u have posted. thay have also configured stateful failover along with lan-based failover over a another interface. what is the benefit of having both of them configured over seperate interfaces.

we can even have them both configured over the same interface.

can u pls explain me that part. thank u once again and waiting for ur reply.

sebastan

Hi Sebastan,

The way it works is:

At boot, the Secondary PIX only requires the minimum configuration to communicate with the Primary. As the secondary comes on line, it sends failover hello packets, the two communicate and then sync. After synchronising, the two PIX have exactly the same configurations but failover assigns the appropriate ip addresses to each units interfaces according to whether it is active or standby. The thing is to separate primary/secondary from active/standby. One unit is always primary and the other secondary and it never changes. Either one can be active or standby and depending on its state its interfaces will assume the ip address and mac address associated with that state. When the primary is active it will use the ip addresses and mac addresses originally supplied before failover configured. The secondary will assume the failover ip addresses and associate its mac addresses with them (standby). When failover happens, the units swap the ip and mac addresses on their interfaces and send a spurious arp out to clear the attached switches mac tables. As far as any host communicating with them is concerned, it is the same pix even though the packets are now going to a different physical unit.

Cisco recommends that the stateful link be a dedicated one due to the real time nature of the information being passed across it but you are correct, it can be configured over the fo interface if the pix is not overloaded. Just depends on how heavily utilised the link is and if you are willing to take the chance.

Cheers,

Paul.

Review Cisco Networking for a $25 gift card