Re: do i need this 3rd routing interface?

m.matteson · ‎10-20-2005

I'm reading about active/active failover for a pix and assymetrical routing. here's what it says.

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the security appliance that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.

heres the diag.

http://www.cisco.com/univercd/illus/1/84/132184.jpg

heres the paper.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008045247e.html#wp1068123

i noticed the path it took was through another interface added to the pix to connect it to the same switch. what if my pix only has 3 ints? outside,inside and the stateful failover cable but both insides for each pix are on the same switch and both outsides of the pix are on another but the same switch. would the pix route the packets back out the interface it recieved it on.

what i mean is:

a packet comes in pix b outside int. but the connection status is on pix a. so it is going to route the packet over to pix b. does it route the packet back out the inside interface? hmm i remember something about split horizon. won't send packet out on int. it was recieved on? btw i will be using OSPF for loadbalancing between both pixs and the two routers.

bottom line, do i need that other interface?

thanks for helping me figure this out.

smalkeric · ‎10-26-2005

What is the Pix version u have and what are the router models? Along with this info, check out the packet transfer using debug messages and check whether the load balancing is occuring in a proper way.This may provide u an answer regarding the necessity of third interface.