Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
0
Helpful
6
Replies

Can firewall be configured to detect link failure ?

vipin.radhakrishnan
Level 1
Level 1

‎11-18-2001 11:17 PM - edited ‎03-08-2019 09:12 PM

Can i configure my PIX to detect a link failure (example :if my outside link fails or my insdie link fails, can i configure my PIX to detect this change and act accordingly ?

Labels:
0 Helpful
6 Replies 6

mike
Level 1
Level 1

‎11-19-2001 12:12 AM

No,

The PIX doesn't do anything like that.

mike kantowski

ccnp

0 Helpful

bdube
Level 2
Level 2

‎11-19-2001 11:37 AM

Link failure can be detected by routers, not the PIX firewall. And the failure will be advertised with routing protocols. The PIX support RIP routing protocol for the default route only.

0 Helpful

vipin.radhakrishnan
Level 1
Level 1
In response to bdube

‎11-19-2001 09:19 PM

I completely agree with that, but the PIX does a link failure detection if it is configured and connected for failover, this is done by doin a ping test on all its interfaces .My next question is , can i configure the PIX in such a way that only when a specific (for example , the inside) fails , then only i want the PIX to detect this and do failover .

Can this be done?

Is it possibel by not giving a failover ip address for some of the interfaces, but then when failover happens ,this interface of the stanby cannot be used.so is there anyway this selective failover can be achieved?

This is only for knowledge purpose , but all inputs are welcome!

0 Helpful

jose.calvillo
Level 1
Level 1
In response to vipin.radhakrishnan

‎11-20-2001 07:59 AM

Tossing in my limited .02 cents here stricly for knowledge purposes also. The PIX does do link failure detection by default when failover is installed. The PIX will not do a "selective" failover (us the primary's outside interface & the secondary's inside interface). I might add that this is a good thing that it doesn't. Think of the latency issues this would cause.

The PIX backplane can handle in excess of 500MB of traffic, each interface (PIX-520) can handle 100MB of traffic so no problem pushing full pipe from inside to outside. If however the Primary used the secondary's inside interface, the only "secure" way for them to communicate would be via the failover cable. The failover cable is nothing more then a serial connection limited to 115,200Kbps. Completely inadequate for network traffic.

If I missed something, please post it.

0 Helpful

mike
Level 1
Level 1
In response to jose.calvillo

‎11-20-2001 04:28 PM

I completely agree. The PIX failover concept is that the two units are really one. If any part of the primary PIX goes bad, the whole unit is considered bad, and the secondary takes over all operation from the primary. At that point, the failed primary will sit and collect dust. At no time will both units pass network traffic at the same time.

Anytime you have a pair of PIXes in failover config, you must view the pair as one logical unit.

mike kantowski

ccnp

0 Helpful

vipin.radhakrishnan
Level 1
Level 1
In response to mike

‎11-20-2001 10:18 PM

Thanx for ur response, i just wanted to know wether there was anyway of doin this, but i guess it a NO!

as for the consideration as a logical single unit, yeah i think all the setups in a network for redundancy , like HSRP, VRRP and PIX failover etc, shld be viewed as one unit , which makes it easy for the human mind :-),

0 Helpful
Customers Also Viewed These Support Documents