RE: PIX - Failover mac address

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Fri Mar 28 2008 - 14:31:13 ART


Cheers Mr. Saheed,

Wouldn't the same network disruption happen when I force the failover
to the secondary unit manually using the "failover active" command? I
mean, if the secondary obtains the MAC from the primary unit when the
primary unit comes up, and I do failover active, then this should still
be the case.

Also, if for whatever reason failover happens, say due to the active unit
going above the health threshold, will this "disruption" still happen?
The scenario I have on my hands is that I experience network connectivity
and disruption issues like packet loss and such when the secondary
unit becomes active... even when the primary unit is standby. You
wouldn't expect this to change anything at all, but it does.
 
Many Thanks
 
Yemi Salau
 
 

________________________________

From: saheed Balogun [mailto:saheedb@gmail.com]
Sent: Friday, March 28, 2008 4:53 PM
To: Salau, Yemi
Cc: groupstudy
Subject: Re: PIX - Failover mac address

Hi Yemi,
The command is not necessary to make your failover work.
It may be useful "If the secondary unit boots first and becomes active,
uses the burned-in MAC address for its interfaces. When the primary unit
comes online, the secondary unit obtains the MAC addresses from the
primary unit".
 
The change of mac-address from the secondary to the primary may disrupt
network traffic.

 
On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:

        Hello Guys
        
        Apologies as I have searched through the groupstudy archives and could
        only come up with this post:
        http://www.groupstudy.com/archives/security/200510/msg00000.html which
        isn't exactly what I'm looking for, or rather didn't address the issue
        I'm thinking of.
        
        This is relating to the issue highlighted in this Cisco link:
        http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1073913
        for 7.1(2) Security Appliance version & the Command Reference
        Documentation:
        http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/ef_711.html#wp1679904
        
        So, I'm thinking, do we really need this "failover mac address" command
        for failover to work properly? I'm not a security expert, so I would love
        to hear from the PIX & ASA gurus in the house.
        
        But my own take on this is:
        - Primary unit's mac-address is always associated with the active unit
          as stated in the first Cisco link I highlighted.
        - If failover occurs for whatsoever reason to the secondary unit, it
          uses its burnt-in MAC for the LAN interfaces, until it somehow gets the
          primary unit's mac-address information.
        - A part of my brain thinks the secondary unit also sends its mac-address
          info to the primary unit, another part doesn't. (Although this isn't
          highlighted in the Cisco documentation link above. It's just my best
          guess!)
        - A part of my brain thinks even if the secondary & primary units
          exchange mac-address information for the LAN connections, there
          shouldn't be any problem, as this process is completely transparent to
          users behind the firewall.
        - I also think now that the "if & when" secondary and primary units
          exchange the mac-address information, that confuses the switches
          behind them.
        
        So, I can be wrong as most of my bullet points are only hypothesis... my
        best guess. So, the question is, do we really need the command "failover
        mac address" to resolve such a scenario, and if we do, what are the
        implications of not using this command ... bearing in mind that Cisco
        classified this configuration as "Optional" on their documentation page.
        
        Many Thanks
        
        Yemi Salau
        
        
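The optional virtual-MAC configuration the thread is asking about, shown here as an added illustration that is not part of the original messages; the interface names, IP addresses and MAC values are constructed placeholders, not values from the page or from Cisco's documentation.

```cisco
! Active/Standby failover, entered on the primary unit (ASA/PIX 7.x syntax).
! Constructed example: interface names, addresses and MACs are placeholders.
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
!
! One line per physical interface: <phy_if> <active_mac> <standby_mac>.
! Whichever unit is currently active uses the active MAC, so a secondary
! that boots first (or takes over) does not answer with its burned-in MAC
! and then change MAC when the primary comes online, which is the switch
! CAM/ARP disruption discussed in the thread.
failover mac address Ethernet0 0000.0000.0a01 0000.0000.0a02
failover mac address Ethernet1 0000.0000.0b01 0000.0000.0b02
!
failover
```

Without the `failover mac address` lines, the active MAC is the primary unit's burned-in address and the behaviour is as the thread describes: the secondary falls back to its own burned-in MAC until it learns the primary's.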



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART