Re: PIX failover problem [7:56199]
Hi Vamsi,

If you are using a crossover cable for stateful failover, make sure the interface speeds and duplex are matched on both PIXs. Do not leave them to autonegotiate. Such conditions usually occur when the secondary unit is unable to detect the primary unit and therefore assumes itself to be active. You can check it by the show failover command. Make sure that both PIX can see each other.

regards,
Nadeem.

Vamsi Krishna wrote in message news:200210251610.QAA06470;groupstudy.com...

Hi Mike,

Have you tried rebooting the Secondary PIX and check if the primary is active and after the rebooted pix comes up? What is the OS version of your PIX?

Vamsi

- Original Message -
From: mike Dang
To:
Sent: Friday, October 25, 2002 1:02 PM
Subject: Re: PIX failover problem [7:56199]

Vamsi,

I used the cable provided by Cisco to connect 2 525s through the failover ports and it's been working fine. Even though I don't know the answer, I don't think it's a good idea to connect 2 pixes through a switch. Good luck.

Vamsi Krishna wrote:

Hi Pat,

I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state.

Has anyone faced this problem? What is the normal practice of connecting PIX in failover configuration? Through crossover cable or through a separate switch? Pls reply.

Regards,
Vamsi

- Original Message -
From: Patrick Donlon
To:
Sent: Thursday, October 24, 2002 4:11 PM
Subject: Re: PIX failover problem [7:56199]

I think you've got your config correct; when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen. The documentation does say you should use a separate switch for the failover NICs, which should prevent this: http://www.cisco.com/warp/customer/110/failover.html

Do you use a failover cable as well? I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers
Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Disclaimer: Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56504t=56199
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
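A way to check Nadeem's point from a saved configuration, as an added example that is not part of the original thread: it finds the interface named by `failover link` and reports whether its speed is left to autonegotiate. The sample configuration is constructed for illustration in PIX 6.x syntax, and the interface name `state` and hardware id `ethernet3` are assumptions.

```python
# Added example (not from the thread): audit a PIX 6.x-style configuration
# for a stateful failover link that is left to autonegotiate.

# Constructed sample configuration; names and interface numbers are assumptions.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 state security80
interface ethernet0 100full
interface ethernet1 100full
interface ethernet3 auto
failover
failover link state
"""


def audit_failover_link(config):
    """Return a list of findings about the interface used by 'failover link'."""
    hw_by_name = {}   # logical name from nameif -> hardware id
    setting = {}      # hardware id -> (speed keyword, shutdown flag)
    link_name = None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nameif"] and len(words) >= 3:
            hw_by_name[words[2]] = words[1]
        elif words[:1] == ["interface"] and len(words) >= 3:
            setting[words[1]] = (words[2], "shutdown" in words[3:])
        elif words[:2] == ["failover", "link"] and len(words) == 3:
            link_name = words[2]

    if link_name is None:
        return ["no 'failover link' statement: stateful failover is not configured"]
    hw = hw_by_name.get(link_name)
    if hw is None:
        return [f"failover link '{link_name}' has no matching nameif"]
    if hw not in setting:
        return [f"{hw} ({link_name}) has no interface statement"]

    speed, is_shutdown = setting[hw]
    findings = []
    # 'auto' and '1000auto' both negotiate; anything else is hard-set.
    if speed.endswith("auto"):
        findings.append(
            f"{hw} ({link_name}) is set to '{speed}': "
            "hard-set speed and duplex on both units, e.g. 100full"
        )
    if is_shutdown:
        findings.append(f"{hw} ({link_name}) is shutdown")
    return findings


if __name__ == "__main__":
    for finding in audit_failover_link(SAMPLE_CONFIG):
        print(finding)
```

An empty list means the failover link interface is hard-set and enabled; run `show failover` on both units afterwards to confirm they see each other.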
Re: PIX failover problem [7:56199]
Vamsi,

I used the cable provided by Cisco to connect 2 525s through the failover ports and it's been working fine. Even though I don't know the answer, I don't think it's a good idea to connect 2 pixes through a switch. Good luck.

Vamsi Krishna wrote:

Hi Pat,

I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state.

Has anyone faced this problem? What is the normal practice of connecting PIX in failover configuration? Through crossover cable or through a separate switch? Pls reply.

Regards,
Vamsi

- Original Message -
From: Patrick Donlon
To:
Sent: Thursday, October 24, 2002 4:11 PM
Subject: Re: PIX failover problem [7:56199]

I think you've got your config correct; when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen. The documentation does say you should use a separate switch for the failover NICs, which should prevent this: http://www.cisco.com/warp/customer/110/failover.html

Do you use a failover cable as well? I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers
Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56274t=56199
Re: PIX failover problem [7:56199]
Hi Mike,

Have you tried rebooting the Secondary PIX and check if the primary is active and after the rebooted pix comes up? What is the OS version of your PIX?

Vamsi

- Original Message -
From: mike Dang
To:
Sent: Friday, October 25, 2002 1:02 PM
Subject: Re: PIX failover problem [7:56199]

Vamsi,

I used the cable provided by Cisco to connect 2 525s through the failover ports and it's been working fine. Even though I don't know the answer, I don't think it's a good idea to connect 2 pixes through a switch. Good luck.

Vamsi Krishna wrote:

Hi Pat,

I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state.

Has anyone faced this problem? What is the normal practice of connecting PIX in failover configuration? Through crossover cable or through a separate switch? Pls reply.

Regards,
Vamsi

- Original Message -
From: Patrick Donlon
To:
Sent: Thursday, October 24, 2002 4:11 PM
Subject: Re: PIX failover problem [7:56199]

I think you've got your config correct; when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen. The documentation does say you should use a separate switch for the failover NICs, which should prevent this: http://www.cisco.com/warp/customer/110/failover.html

Do you use a failover cable as well? I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers
Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56287t=56199
PIX failover problem [7:56199]
Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56199t=56199
Re: PIX failover problem [7:56199]
I think you've got your config correct; when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen. The documentation does say you should use a separate switch for the failover NICs, which should prevent this: http://www.cisco.com/warp/customer/110/failover.html

Do you use a failover cable as well? I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers
Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56216t=56199
Re: PIX failover problem [7:56199]
Hi Pat,

I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state.

Has anyone faced this problem? What is the normal practice of connecting PIX in failover configuration? Through crossover cable or through a separate switch? Pls reply.

Regards,
Vamsi

- Original Message -
From: Patrick Donlon
To:
Sent: Thursday, October 24, 2002 4:11 PM
Subject: Re: PIX failover problem [7:56199]

I think you've got your config correct; when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen. The documentation does say you should use a separate switch for the failover NICs, which should prevent this: http://www.cisco.com/warp/customer/110/failover.html

Do you use a failover cable as well? I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers
Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards,
Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56219t=56199
Re: PIX Failover [7:51491]
In article , [EMAIL PROTECTED] says...

Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Not sure what you mean there. That's what failover does unless I'm misunderstanding your question.

You configure the main IP address for the interface and you configure a failover address. If the Pix's decide that the active one has a problem (power, interface down etc) the secondary pix takes over the main IP address. If the primary is still contactable it will have the failover IP address on its inside interface.

That's why it's safe to telnet to the main IP address and you know that you're on the active Pix, but by console you need to do a show fail to make sure the device you're on is primary active or secondary active before you make changes.

Regards,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51497t=51491
Re: PIX Failover [7:51491]
Speaking of stateful PIX's, if I make a change on 1 PIX, and it has failover on, will it automatically make a change on the other PIX?

Gaz wrote in message news:[EMAIL PROTECTED]...

In article , [EMAIL PROTECTED] says...

Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Not sure what you mean there. That's what failover does unless I'm misunderstanding your question.

You configure the main IP address for the interface and you configure a failover address. If the Pix's decide that the active one has a problem (power, interface down etc) the secondary pix takes over the main IP address. If the primary is still contactable it will have the failover IP address on its inside interface.

That's why it's safe to telnet to the main IP address and you know that you're on the active Pix, but by console you need to do a show fail to make sure the device you're on is primary active or secondary active before you make changes.

Regards,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51520t=51491
Re: PIX Failover [7:51491]
Whenever you type a command on the active unit it's being replicated to the standby unit. So yes, it will automatically update the standby unit, but it's not written to memory unless you write to memory on the active first.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Speaking of stateful PIX's, if I make a change on 1 PIX, and it has failover on, will it automatically make a change on the other PIX?

Gaz wrote in message news:[EMAIL PROTECTED]...

In article , [EMAIL PROTECTED] says...

Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Not sure what you mean there. That's what failover does unless I'm misunderstanding your question.

You configure the main IP address for the interface and you configure a failover address. If the Pix's decide that the active one has a problem (power, interface down etc) the secondary pix takes over the main IP address. If the primary is still contactable it will have the failover IP address on its inside interface.

That's why it's safe to telnet to the main IP address and you know that you're on the active Pix, but by console you need to do a show fail to make sure the device you're on is primary active or secondary active before you make changes.

Regards,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51521t=51491
Re: PIX Failover [7:51491]
Yes, it will sync automatically, or you can force it with write standby.

HTH,
ms

--- Steven A. Ridder wrote:

Speaking of stateful PIX's, if I make a change on 1 PIX, and it has failover on, will it automatically make a change on the other PIX?

Gaz wrote in message news:[EMAIL PROTECTED]...

In article , [EMAIL PROTECTED] says...

Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Not sure what you mean there. That's what failover does unless I'm misunderstanding your question.

You configure the main IP address for the interface and you configure a failover address. If the Pix's decide that the active one has a problem (power, interface down etc) the secondary pix takes over the main IP address. If the primary is still contactable it will have the failover IP address on its inside interface.

That's why it's safe to telnet to the main IP address and you know that you're on the active Pix, but by console you need to do a show fail to make sure the device you're on is primary active or secondary active before you make changes.

Regards,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51524t=51491
PIX Failover [7:51491]
Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51491t=51491
Re: PIX Failover [7:51491]
In a stateful config, this is done by the standby PIX. It sends hello packets and runs the interface tests to the active pix and when it doesn't receive any response it takes the role of the active pix. TCP and UDP connections will be maintained but not the IPSec and ICMP.

- Original Message -
From: Leo Song
To:
Sent: Thursday, August 15, 2002 9:21 PM
Subject: PIX Failover [7:51491]

Hi,

In a Stateful configuration, and two PIX are interconnected via a dedicated Failover Fastethernet, in case of the Active unit's Internal interface fails, is there any method to shift traffic to the Standby unit's Internal interface to maintain connectivity, thanks.

Leo

Best Regards.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51493t=51491
RE: Router 3DES VPN to Pix Failover [7:46813]
Are you doing LAN based failover or using the proprietary heartbeat cable? There are many undocumented bugs with 6.2 code when using LAN based failover. If no one else on the forum can recommend a configuration change, I would go back to 6.1(3).

Drew

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 17, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: Router 3DES VPN to Pix Failover [7:46813]

Hi all,

Anybody got any experience using 3DES to Pix Failover. I have a 2621 with 3DES using VPN to Pix 515 Failover bundle. All works fine after initial boot. Fails over to secondary Pix when I kill the Primary. If I try to fail back to Primary, it does not come back up. Does not seem to pick up the SA. Clear SA on the router brings it back up.

Knocked the lifetime down to 60 seconds in the ISAKMP policy, but seems to have no effect. Failover is working fine, it's just the VPN that doesn't come back up. Pix is 6.2, router is 12.1(5)T12.

Any similar experiences? More details to follow if there are any bites :-)

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46893t=46813
Re: Router 3DES VPN to Pix Failover [7:46813]
In case anybody is interested:

Managed to find the answer eventually. Stateful failover is not supported for VPN (from TAC), so the SA's must be cleared every time a change of active Pix occurs. Had the right idea with the lifetime of the CA's but applying it incorrectly.

Have managed to get the devices to do this automatically by using isakmp keepalive 120 (crypto isakmp keepalive 120 for routers). This means there is some extra overhead as the SA's are cleared every 2 minutes, but at least the VPN re-establishes itself.

Gaz

Gaz wrote in message news:[EMAIL PROTECTED]...

Hi all,

Anybody got any experience using 3DES to Pix Failover. I have a 2621 with 3DES using VPN to Pix 515 Failover bundle. All works fine after initial boot. Fails over to secondary Pix when I kill the Primary. If I try to fail back to Primary, it does not come back up. Does not seem to pick up the SA. Clear SA on the router brings it back up.

Knocked the lifetime down to 60 seconds in the ISAKMP policy, but seems to have no effect. Failover is working fine, it's just the VPN that doesn't come back up. Pix is 6.2, router is 12.1(5)T12.

Any similar experiences? More details to follow if there are any bites :-)

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46900t=46813
Cisco PIX Failover Bundle [7:45603]
Hello all,

Was wondering what is the main difference between the PIX Failover Bundle and say Unrestricted Bundle? Is it just the software? Is the hardware similar? Can we upgrade? If so how?

Please enlighten me. Thanks.

roe.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45603t=45603
Re: Is Pix failover can be Load balancer ? [7:26673]
Jenny you are right. Pix does the state information transmission but does not do load balancing. As someone else said above, get Stonebeat if you want a firewall that can do it all.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26950t=26673
Is Pix failover can be Load balancer ? [7:26673]
Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has idea on this please help me.

Thanks and regards
Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26673t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
Yes, certain models have a serial failover link (515?), look at cisco web page for more details. If you buy another NIC, you can even have stateful failover (retains all tcp connection information to the other firewall). Although, I wonder if you really need it since I did get it working without the extra NIC at one point. Hmmm marketing ploy? Maybe.

As for load balancing, not sure if it can do that.

At 03:39 AM 11/19/01 -0500, Sivarajan Thiruvadi wrote:

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has idea on this please help me.

Thanks and regards
Siva

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26677t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
AFAIK PIX Failover only provides redundancy, no traffic load balance. If you need Firewall load-balance, go to the Nokia IP series firewall, or Checkpoint+Stonebeat combo (www.stonebeat.com)

HTH

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has idea on this please help me.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26681t=26673
RE: Is Pix failover can be Load balancer ? [7:26673]
Or you could stick a CSS or two in front of the pixes.

Regards,
Dave

-Original Message-
From: Engelhard M. Labiro [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 8:47 AM
To: [EMAIL PROTECTED]
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

AFAIK PIX Failover only provides redundancy, no traffic load balance. If you need Firewall load-balance, go to the Nokia IP series firewall, or Checkpoint+Stonebeat combo (www.stonebeat.com)

HTH

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has idea on this please help me.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26686t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
Check out Alteon load balancer, they have a white paper on how to do firewall load balancing. And they are very complicated and expensive. And why not just buy a high end model with gigabit throughput, then no need for load balancing?

Sivarajan Thiruvadi wrote in message news:[EMAIL PROTECTED]...

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has idea on this please help me.

Thanks and regards
Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26687t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
Can't load balance, one pix is active, the other standby.

Dave

Sivarajan Thiruvadi wrote:

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Fire wall load balancing). If anyone has an idea on this please help me.

Thanks and regards
Siva

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26702t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP, Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a firewall sandwich. Mmmm, tasty.

Sivarajan Thiruvadi wrote in message news:[EMAIL PROTECTED]...

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Fire wall load balancing). If anyone has an idea on this please help me.

Thanks and regards
Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26790t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
Be careful how you load balance. Unlike the Check Point's stateful setup, Pix does not maintain state on both boxes, when running as parallel devices. Also- the purchase agreement and software are for primary and failover units. There is a sizable discount applied to the failover Pix.

The state issue means some sort of hash must be passed between the load balancers sandwiching the Pix's. This hash ensures sourced traffic returns to the same firewall that the session created state in.

Make sense ???

Phil

----- Original Message -----
From: nrf
To:
Sent: Monday, November 19, 2001 9:45 PM
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP, Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a firewall sandwich. Mmmm, tasty.

Sivarajan Thiruvadi wrote in message news:[EMAIL PROTECTED]...

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Fire wall load balancing). If anyone has an idea on this please help me.

Thanks and regards
Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26792t=26673
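The return-path requirement in the message above, worked through as an added example (not code from any poster or vendor): two load balancers sandwich two parallel firewalls that share no state, and three hashing policies are compared by counting return packets that land on a unit with no connection entry. The unit names, addresses, the single translated address and the address-only hash keys are all constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed lab values (assumptions, not taken from the thread).
FIREWALLS = ["pix-a", "pix-b"]      # two units run in parallel, no shared state
NAT_IP = "203.0.113.10"             # global address both units translate sources to
FLOWS = [(f"10.0.0.{i}", f"198.51.100.{i}") for i in range(1, 201)]


def bucket(key: bytes, n: int) -> int:
    """Map a key to one of n firewalls with a stable hash."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n


def packed(addr: str) -> bytes:
    """Binary form of an IPv4/IPv6 address, used as hash input."""
    return ipaddress.ip_address(addr).packed


def by_source(src, dst, side):
    """Naive policy: each balancer hashes the source of the packet it sees."""
    return FIREWALLS[bucket(packed(src), len(FIREWALLS))]


def by_pair(src, dst, side):
    """Hash the unordered address pair, so A->B and B->A pick the same unit."""
    lo, hi = sorted((packed(src), packed(dst)))
    return FIREWALLS[bucket(lo + hi, len(FIREWALLS))]


def by_outside_peer(src, dst, side):
    """Hash only the outside host's address, which translation never rewrites.

    The inside balancer sees that host as the destination, the outside
    balancer sees it as the source.
    """
    peer = dst if side == "inside" else src
    return FIREWALLS[bucket(packed(peer), len(FIREWALLS))]


def dropped_returns(flows, policy, nat_ip=None):
    """Count return packets that reach a firewall holding no state for them."""
    state = {fw: set() for fw in FIREWALLS}
    dropped = 0
    for inside_ip, peer_ip in flows:
        # Outbound: the inside balancer picks a unit; only that unit creates
        # the connection entry and (optionally) translates the source.
        fw_out = policy(inside_ip, peer_ip, "inside")
        wire_src = nat_ip or inside_ip
        state[fw_out].add((wire_src, peer_ip))
        # Return: the outside balancer sees peer -> translated address.
        fw_back = policy(peer_ip, wire_src, "outside")
        if (wire_src, peer_ip) not in state[fw_back]:
            dropped += 1
    return dropped


def report():
    """(policy name, drops without translation, drops with translation)."""
    policies = (("source", by_source), ("pair", by_pair),
                ("outside-peer", by_outside_peer))
    return [(name,
             dropped_returns(FLOWS, policy),
             dropped_returns(FLOWS, policy, NAT_IP))
            for name, policy in policies]


if __name__ == "__main__":
    for name, plain, nat in report():
        print(f"{name:13s} dropped without NAT: {plain:3d}   with NAT: {nat:3d}")
```

The pair hash keeps both directions on one unit only while addresses are unchanged end to end; once the firewalls translate, the two balancers have to key on a field both of them see identically.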
Re: Is Pix failover can be Load balancer ? [7:26673]
actually. no??

When I was doing a spec for failover on PIX I'm practically sure that state was passed between the boxes. The serial cable and network cable connecting them is used for this.

from the link: http://www.cisco.com/warp/customer/110/failover.html#state

Stateful Failover

Without retaining PIX stateful information, after a switchover all existing connections are dropped and the application is required to reinitiate. In the PIX Software 5.0 release, PIX provides stateful failover so that existing connection can stay up after a switchover. To support the stateful failover, a dedicated LAN interface between the two PIX devices is required.

The Logical Update (LU) is the software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application. The LU transport is UDP-like, with no retransmission and no blocking applications to delay normal packet processing. The state update packets are transmitted asynchronously in the background. Nevertheless, the LU protocol is real-time, and it provides error notification and reports missing state updates for monitoring purposes.

Initial state synchronization is performed after configuration replication. This is done by walking through the translation and connection table records. After that, a state update may be triggered. PIX address translation (xlate, static and dynamic) and connection (conn) records are essential state data, and are passed to the standby unit from the active unit along with other state information.

Since failover can not be prescheduled, the state update for the connection is packet-based. This means every packet passes through the PIX and changes the state of a connection, which may trigger a state update. TCP state tables, with the exception of port 80 (HTTP), are transferred. Most UDP state tables are not transferred, with the exception of dynamically opened ports corresponding to multi-channel protocols such as H.323. So, DNS resolves are not transferred as it is a single channel port.

There are applications that are latency sensitive, and in some cases the application times out before the failover sequence is completed. In these cases, the application must reestablish the session. Stateful failover does not yet support Long Distance State Sharing (LDSS).

So PIX can be stateful when properly configured - or did I miss something in the thread??

Kevin Wigle

----- Original Message -----
From: Circusnuts
To:
Sent: Monday, 19 November, 2001 22:11
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

Be careful how you load balance. Unlike the Check Point's stateful setup, Pix does not maintain state on both boxes, when running as parallel devices. Also- the purchase agreement and software are for primary and failover units. There is a sizable discount applied to the failover Pix.

The state issue means some sort of hash must be passed between the load balancers sandwiching the Pix's. This hash ensures sourced traffic returns to the same firewall that the session created state in.

Make sense ???

Phil

----- Original Message -----
From: nrf
To:
Sent: Monday, November 19, 2001 9:45 PM
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP, Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a firewall sandwich. Mmmm, tasty.

Sivarajan Thiruvadi wrote in message news:[EMAIL PROTECTED]...

Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case of active PIX fails the stand by one will come into line. But my customer wants FWLB (Fire wall load balancing). If anyone has an idea on this please help me.

Thanks and regards
Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26793t=26673
Re: Is Pix failover can be Load balancer ? [7:26673]
Sorry Kevin- what I meant to speak to was clustering and not failover. Yes- Pix's are designed to failover and the standby device is a replicated backup, running in parallel by a very expensive cable (something like $250 for that cable). If I'm not mistaken, the Pix fail time is 15 seconds.

The Firewall 1 Nokia IP530's we tested had the ability to load share across the cluster and maintain state between all firewalls. Asymmetrical routing is supported and no one device offers a single point of failure. Cisco uses the primary and backup (or hot standby), but makes up for the cluster by producing boxes so wicked fast that you only need one running @ a time.

The original post was about balancing two Pix's and the Pix to date needs something like the Cisco/ ArrowPoint CSS, Radware Fireproof, BigIP, Rainfinity, or StoneSoft to control which firewall each user sessions will traverse.

All the best !!!

Phil

----- Original Message -----
From: Kevin Wigle
To: Circusnuts ;
Sent: Monday, November 19, 2001 10:54 PM
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

actually. no??

When I was doing a spec for failover on PIX I'm practically sure that state was passed between the boxes. The serial cable and network cable connecting them is used for this.

from the link: http://www.cisco.com/warp/customer/110/failover.html#state

Stateful Failover

Without retaining PIX stateful information, after a switchover all existing connections are dropped and the application is required to reinitiate. In the PIX Software 5.0 release, PIX provides stateful failover so that existing connection can stay up after a switchover. To support the stateful failover, a dedicated LAN interface between the two PIX devices is required.

The Logical Update (LU) is the software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application.
Re: Is Pix failover can be Load balancer ? [7:26673]
By my reading of that, state information is transferred from the active to the standby - not vice versa. So although state info is passed for failover purposes, I don't think that this would be adequate for load balancing. For failover, the boxes aren't running in parallel in the same way that they are for load balancing.

But hey, I know nothing about PIXs, so anyone feel free to tell me I'm spouting rubbish.

JMcL

----- Forwarded by Jenny Mcleod/NSO/CSDA on 20/11/2001 03:51 pm -----
Kevin Wigle
Sent by: nobody@groupstudy.com
20/11/2001 02:53 pm
Please respond to Kevin Wigle
cc:
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

actually. no??

When I was doing a spec for failover on PIX I'm practically sure that state was passed between the boxes. The serial cable and network cable connecting them is used for this.

from the link: http://www.cisco.com/warp/customer/110/failover.html#state

Stateful Failover

Without retaining PIX stateful information, after a switchover all existing connections are dropped and the application is required to reinitiate. In the PIX Software 5.0 release, PIX provides stateful failover so that existing connection can stay up after a switchover. To support the stateful failover, a dedicated LAN interface between the two PIX devices is required.

The Logical Update (LU) is the software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application. The LU transport is UDP-like, with no retransmission and no blocking applications to delay normal packet processing. The state update packets are transmitted asynchronously in the background. Nevertheless, the LU protocol is real-time, and it provides error notification and reports missing state updates for monitoring purposes.

Initial state synchronization is performed after configuration replication.
Re: PIX failover!! [7:15848]
And keep in mind this Primary/Secondary business is completely separate from which firewall is Active and which is Standby. The Active/Standby question is the more important one.

MikeN wrote:

I believe that the serial numbers will be registered as to whether it is UR or a failover. Both will work as stand-alone firewalls. Yes, the failover cable will determine which will be primary and which will be secondary. Once they are configured: show failover will show you which PIX is primary and which is secondary.

Thanks,
MikeN

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

Sorry for the stupid question but I want to confirm it. I have to configure my PIX 515UR bundle... How can I know the primary unit from the secondary unit?? Is that from the failover cable only OR is there another thing marking the unit as primary or secondary??? Please advise me soon,,,

Regards,,,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18209t=15848
PIX Failover cable [7:18001]
Does anyone have the part number for the failover cable for a 515 PIX. Mine went MIA during a company move. I can't find on Cisco's or any vendor's site where I can order just the cable by itself. A part number would be really nice. Next best thing would be the pin out for the cable so I could (maybe) modify a standard cable. Couldn't find that either.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18001t=18001
Re: PIX Failover cable [7:18001]
I believe it's part number PIX-FO= or you could buy it as LD-FO= since it is the same cable for the LocalDirector.

Mark Smith wrote:

Does anyone have the part number for the failover cable for a 515 PIX. Mine went MIA during a company move. I can't find on Cisco's or any vendor's site where I can order just the cable by itself. A part number would be really nice. Next best thing would be the pin out for the cable so I could (maybe) modify a standard cable. Couldn't find that either.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18021t=18001
PIX failover!! [7:15848]
Dear All,

Sorry for the stupid question but I want to confirm it. I have to configure my PIX 515UR bundle... How can I know the primary unit from the secondary unit?? Is that from the failover cable only OR is there another thing marking the unit as primary or secondary??? Please advise me soon,,,

Regards,,,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15848t=15848
Re: PIX failover!! [7:15848]
Hi,

It is the cable only that selects the primary or secondary (it is even written on the cable). You make the configuration on the primary, and this will be synchronized with the secondary.

Hope this helps,
bye,

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

Sorry for the stupid question but I want to confirm it. I have to configure my PIX 515UR bundle... How can I know the primary unit from the secondary unit?? Is that from the failover cable only OR is there another thing marking the unit as primary or secondary??? Please advise me soon,,,

Regards,,,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15856t=15848
RE: PIX failover redundancy
Stateful failover can be done if any interface on the PIX goes down. Each interface needs to be able to talk to the other interface on the second pix. So the inside on the primary has to be able to communicate with the inside on the secondary, DMZ to DMZ etc. and for stateful fail there has to be one dedicated ethernet port that simply connects the 2 pix's as well as the blue serial cable that connects the 2 pix's together.

With stateful failover either all the interfaces need to be configured for failover or none of them. You cannot selectively put interfaces in or out of failover. It's the whole pix or not. You can have up to 6 and maybe even 8 now configured on the pix in a stateful failover with the 5.x code.

-----Original Message-----
From: mak [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 08, 2001 10:37 PM
To: [EMAIL PROTECTED]
Subject: PIX failover redundancy

Hi all,

I configure the two PIX with failover function. Is it once there is a link (in, out or DMZ) connected to PIX is going down, then the failover would be activated? Is it I can only configure one instance for each interface (in, out and DMZ) on one PIX? If so, why PIX 520 has six slots, if there are only three interfaces to be activated?

Thanks

Regards,
mak
PIX failover redundancy
Hi all,

I configure the two PIX with failover function. Is it once there is a link (in, out or DMZ) connected to PIX is going down, then the failover would be activated? Is it I can only configure one instance for each interface (in, out and DMZ) on one PIX? If so, why PIX 520 has six slots, if there are only three interfaces to be activated?

Thanks

Regards,
mak
PIX failover
I have a couple of 520 firewalls ordered a while back but I don't know if there is a way to check if they are in a failover bundle. To be more specific, I have one up and running but I would like to install the failover and I don't know which one it is (I have other three ordered for other projects). I think there might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the serial number of the failover.

Thanks and Happy New Year !

Florin Mechetiuc
[EMAIL PROTECTED]
RE: PIX failover
If you do sh ver from enable mode you get :-

PIX_TH_BB# sh ver
PIX Version 4.4(4)
Compiled on Thu 06-Jan-00 16:07 by pixbuild
PIX BIOS (4.0) #0: Tue May 18 16:29:54 PDT 1999
PIX_TH_BB up 104 days 21 hours
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash strata @ base 0x300
0: ethernet0: address is 0050.54ff.382e, irq 9
1: ethernet1: address is 0050.54ff.382f, irq 7
Licensed Options:
Failover: Enabled
IPSec: Disabled
Ports allowed: 6
Serial Number: 1234567890

Two things that say it's an UnRestricted pix.
1) 64Meg of Ram - Restricted pix has only 32meg
2) the Failover option is enabled

If you have a Restricted and buy the upgrade you get 32meg of ram and a software patch.

Hope this helps
Andrew

-----Original Message-----
From: Florin Mechetiuc [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2001 3:22 PM
To: [EMAIL PROTECTED]
Subject: PIX failover

I have a couple of 520 firewalls ordered a while back but I don't know if there is a way to check if they are in a failover bundle. To be more specific, I have one up and running but I would like to install the failover and I don't know which one it is (I have other three ordered for other projects). I think there might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the serial number of the failover.

Thanks and Happy New Year !

Florin Mechetiuc
[EMAIL PROTECTED]
RE: PIX failover
Of course the REAL test is to unplug one of them once you are certain it is configured properly to test the failover and see first hand how it reacts by viewing the routes, protocols and translations to verify that all is working according to plan. Then failover again just to return to the original and prove that it will return after the initial failure has been resolved. Put your results into your operating manual(s) for future reference.

-----Original Message-----
From: Andrew Twigger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2001 9:55 AM
To: 'Florin Mechetiuc'; [EMAIL PROTECTED]
Subject: RE: PIX failover

If you do sh ver from enable mode you get :-

PIX_TH_BB# sh ver
PIX Version 4.4(4)
Compiled on Thu 06-Jan-00 16:07 by pixbuild
PIX BIOS (4.0) #0: Tue May 18 16:29:54 PDT 1999
PIX_TH_BB up 104 days 21 hours
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash strata @ base 0x300
0: ethernet0: address is 0050.54ff.382e, irq 9
1: ethernet1: address is 0050.54ff.382f, irq 7
Licensed Options:
Failover: Enabled
IPSec: Disabled
Ports allowed: 6
Serial Number: 1234567890

Two things that say it's an UnRestricted pix.
1) 64Meg of Ram - Restricted pix has only 32meg
2) the Failover option is enabled

If you have a Restricted and buy the upgrade you get 32meg of ram and a software patch.

Hope this helps
Andrew

-----Original Message-----
From: Florin Mechetiuc [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2001 3:22 PM
To: [EMAIL PROTECTED]
Subject: PIX failover

I have a couple of 520 firewalls ordered a while back but I don't know if there is a way to check if they are in a failover bundle. To be more specific, I have one up and running but I would like to install the failover and I don't know which one it is (I have other three ordered for other projects). I think there might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the serial number of the failover.

Thanks and Happy New Year !

Florin Mechetiuc
[EMAIL PROTECTED]
Re: PIX failover
PIX 520's don't have a R or UR version they all support failover.

"Florin Mechetiuc" [EMAIL PROTECTED] wrote in message news:92svsr$482$[EMAIL PROTECTED]...

I have a couple of 520 firewalls ordered a while back but I don't know if there is a way to check if they are in a failover bundle. To be more specific, I have one up and running but I would like to install the failover and I don't know which one it is (I have other three ordered for other projects). I think there might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the serial number of the failover.

Thanks and Happy New Year !

Florin Mechetiuc
[EMAIL PROTECTED]
Re: Pix Failover Question
A co-worker has seen this and it is a bug. He didn't remember the version number(s) affected.

Rodgers Moore

"BE" [EMAIL PROTECTED] wrote in message news:8ptc7v$7a1$[EMAIL PROTECTED]...

Rodgers,

Hi! Thanks for your response. The answer is YES to all of your questions. The really strange thing is, when I leave the single PIX 510 running for an extended period of time, it works great, no problems. When I add the second PIX, it just seems to grab the DMZ connection (but leaves the other two connections alone). My original guess was that there is some strange bug in 4.4 somewhere that I haven't seen. Both boxes have the same config (and are sync'd up).

-B

"Rodgers Moore" [EMAIL PROTECTED] wrote in message news:8ptbav$4fn$[EMAIL PROTECTED]...

It sounds like they're both identical. That's good. Do you have ALL the interfaces in an UP state? and each pair of interfaces are on the same hub? A down interface will be considered a failure. Both configs are identical? You power cycled both boxes at the same time?

Rodgers Moore

"BE" [EMAIL PROTECTED] wrote in message news:8pt9cl$t1g$[EMAIL PROTECTED]...

Hey gang!

Any Pix gurus out there? I've been playing with a couple of Pixs (510s) trying to get the failover to work. I thought it would be a piece of cake, but it just isn't showing me any love. I've got (2) Pix 510s that each have 3 NICs in them (internal, untrusted, DMZ) each running 4.4. Everything seems all fine and dandy until about 10 minutes later when the standby PIX starts stealing the DMZ connections. Any thoughts?

-Brad
bellis@opts ys.net
used cisco hardware: www.opt sys.net
cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware

**NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Pix Failover Question
Brad,

If the DMZ interface is not being used at the moment you need to connect any unused interfaces to the same unused interfaces on the standby PIX with a crossover cable.

Dave Swink

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of BE
Sent: Friday, September 15, 2000 8:44 AM
To: [EMAIL PROTECTED]
Subject: Pix Failover Question

Hey gang!

Any Pix gurus out there? I've been playing with a couple of Pixs (510s) trying to get the failover to work. I thought it would be a piece of cake, but it just isn't showing me any love. I've got (2) Pix 510s that each have 3 NICs in them (internal, untrusted, DMZ) each running 4.4. Everything seems all fine and dandy until about 10 minutes later when the standby PIX starts stealing the DMZ connections. Any thoughts?

-Brad
bellis@opts ys.net
used cisco hardware: www.opt sys.net
cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware
Re: Pix Failover Question
It sounds like they're both identical. That's good. Do you have ALL the interfaces in an UP state? And each pair of interfaces are on the same hub? A down interface will be considered a failure. Both configs are identical? You power cycled both boxes at the same time?

Rodgers Moore

"BE" [EMAIL PROTECTED] wrote in message news:8pt9cl$t1g$[EMAIL PROTECTED]...

Hey gang! Any Pix gurus out there? I've been playing with a couple of Pixs (510s) trying to get the failover to work. I thought it would be a piece of cake, but it just isn't showing me any love. I've got (2) Pix 510s that each have 3 NICs in them (internal, untrusted, DMZ) each running 4.4. Everything seems all fine and dandy until about 10 minutes later when the standby PIX starts stealing the DMZ connections. Any thoughts?

-Brad
bellis@opts ys.net
used cisco hardware: www.opt sys.net
cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware
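The checks asked about in the message above (every interface up on both units, since a down interface counts as a failure) can be run against captured `show failover` output. This is an added example, not part of the original thread: the sample output is constructed, its layout is an assumption modelled on the PIX `show failover` display, and the function names are hypothetical.

```python
import re

# Constructed sample; the layout is assumed, modelled on PIX "show failover" output.
SAMPLE = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Interface outside (192.0.2.1): Normal
                Interface inside (10.0.0.1): Normal
                Interface dmz (172.16.0.1): Normal
        Other host: Secondary - Standby
                Interface outside (192.0.2.2): Normal
                Interface inside (10.0.0.2): Normal
                Interface dmz (172.16.0.2): Link Down
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")


def parse_show_failover(text):
    """Return {'this': {...}, 'other': {...}} with role, state and interfaces."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            units[m.group(1).lower()] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = m.group(3)
    return units


def failover_findings(units):
    """Flag non-Normal interfaces on either unit and a dual-active pair."""
    findings = []
    for side, unit in sorted(units.items()):
        for name, status in sorted(unit["interfaces"].items()):
            if status != "Normal":
                findings.append(f"{side} ({unit['role']}): interface {name} is {status}")
    states = [u["state"] for u in units.values()]
    if len(units) == 2 and states.count("Active") == 2:
        findings.append("both units report Active")
    return findings


if __name__ == "__main__":
    print("\n".join(failover_findings(parse_show_failover(SAMPLE))))
```
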
Re: Pix Failover Question
Rodgers,

Hi! Thanks for your response. The answer is YES to all of your questions. The really strange thing is, when I leave the single PIX 510 running for an extended period of time, it works great, no problems. When I add the second PIX, it just seems to grab the DMZ connection (but leaves the other two connections alone). My original guess was that there is some strange bug in 4.4 somewhere that I haven't seen. Both boxes have the same config (and are sync'd up).

-B

"Rodgers Moore" [EMAIL PROTECTED] wrote in message news:8ptbav$4fn$[EMAIL PROTECTED]...

It sounds like they're both identical. That's good. Do you have ALL the interfaces in an UP state? And each pair of interfaces are on the same hub? A down interface will be considered a failure. Both configs are identical? You power cycled both boxes at the same time?

Rodgers Moore

"BE" [EMAIL PROTECTED] wrote in message news:8pt9cl$t1g$[EMAIL PROTECTED]...

Hey gang! Any Pix gurus out there? I've been playing with a couple of Pixs (510s) trying to get the failover to work. I thought it would be a piece of cake, but it just isn't showing me any love. I've got (2) Pix 510s that each have 3 NICs in them (internal, untrusted, DMZ) each running 4.4. Everything seems all fine and dandy until about 10 minutes later when the standby PIX starts stealing the DMZ connections. Any thoughts?

-Brad
bellis@opts ys.net
used cisco hardware: www.opt sys.net
cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware