Hsrp Problem with PIX

mbserrano · ‎10-05-2004

Hello all!

Attached is the network setup Im working on.

The PIX515E are on a Failover setup using a failover cable.

The PIX config to route inside is go through the HSRP address of the routers- Can this be possible? I mean can the router interfaces connecting to the PIX negotiate HSRP when they are not connected through a single switch? How do I do this?

Thanks

Marlon

tmoreo · ‎10-05-2004

To answer the question, Yes. "IF" the primary PIX is active and the .1 router was the primary on the internal interface. My best guess is that HSRP would act as if the other HSRP interface is unavailable because it cannot see it and would respond.

But beyond that, I have to ask what you are trying to accomplish? There may be another method of doing what you want.

Also on a side note; I find a best practice to have a virtual address that does not exist such as .3 in your case. Or use .1 as virtual .2 and .3 as the interfaces.

mbserrano · ‎10-05-2004

Thank you for the initial reply. BTW, the virtual addresses are .3 just a typo.

What im trying to accomplish is a seemless failover in any case any of the firewall or the router goes down.

To do this, I think for the Firewall Failover to work, the HSRP should be running fine so i can do a route inside command pointing to the virtual ip address(standby ip) of the router but when I issue the command "sh tandby" on my router, it does not know what router is on standby- could it be that they are not connected on a single switch? remember that the secondary pix in normal conditions is practically down(interfaces)

Also, Im using eigrp for my routing protocol.

Thanks again

a.awan · ‎10-05-2004

You need layer 2 switch(es) between the routers and the firewalls. First of all HSRP will not work through the failover firewall pair. Secondly the firewall inside interfaces will not be able to exchange heartbeats over the inside ethernet interface as the layer 2 domain terminates on each router.

If you need full redundancy on the inside of your network then you need a pair of L2 switches connected together via a Etherchannel. The primary firewall and one router will connect to one switch while the failover firewall and the second router will connect to the other switch.

tmoreo · ‎10-05-2004

One thing you can do is turn on OSPF on the inside of the PIX and on the 1.x side of the routers and redistribute into EIGRP. (note there are a few gotchas when redistributing into two paths) In this case you won't need a static route pointing inside and if a router fails it will automatically reroute. Also I would put these interfaces into a switch and not direct.

I do not know your entire network, however I am guessing there is more then just the .PDF.

I have to ask what the routers are for. It might serve you if you can take them out. If you cannot because of design considerations, you can do the routing protocol thing or you should be good to go if you put a switch between the PIX and routers and maintain your static routes.

In the first scenario the routing protocol will detect any router failure and the PIX's will simply failover if the active one fails.

In the second scenario if the primary HSRP router goes down the second will automatically pick up and if a PIX fails it will automatically failover.

As for the HSRP generally the two interfaces need to speak with each other. Also what does the HSRP config look like.

verify the group ID is the same for each group.

For instance

standby 2 preempt

standby 2 ip 171.16.6.200

standby 2 priority 95

In this instance they are all group 2

If there is no number it is group 1 by default.

standby preempt

standby ip 171.16.6.200

standby priority 95

Verify that each router has two diferent group ID's or that can give you false standby readings. While both interface are on separate subnets they might have the same HSRP ID adding to the issue.

tmoreo · ‎10-05-2004