From: saheed Balogun (saheedb@gmail.com)
Date: Sat Mar 29 2008 - 05:46:44 ART
You would need stateful failover to retain most connection states; this
excludes 'http' information. You would need 'failover replication http' to
include active http connections.
On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:
>
> Cheers Mr. Saheed,
>
> Wouldn't the same network disruption happen when I force the failover
> to the secondary unit manually using the "failover active" command? I
> mean, if the secondary obtains the MAC from the primary unit when the
> primary unit comes up, if I do failover active, then this should still
> be the case.
>
> Also, if for whatever reason failover happens, say due to the active unit
> going above the health threshold, will this "disruption" still happen?
> The scenario I have on my hands is that I experience network connectivity
> and disruption issues like packet loss and stuff when the secondary
> unit becomes active... even when the primary unit is standby. You
> wouldn't expect this to change anything at all, but it does.
>
> Many Thanks
>
> Yemi Salau
>
>
>
> ________________________________
>
> From: saheed Balogun [mailto:saheedb@gmail.com]
> Sent: Friday, March 28, 2008 4:53 PM
> To: Salau, Yemi
> Cc: groupstudy
> Subject: Re: PIX - Failover mac address
>
>
> Hi Yemi,
> The command is not necessary to make your failover work.
> It may be useful "If the secondary unit boots first and becomes active,
> uses the burned-in MAC address for its interfaces. When the primary unit
> comes online, the secondary unit obtains the MAC addresses from the
> primary unit".
>
> The change of mac-address from the secondary to the primary may disrupt
> network traffic.
>
>
> On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:
>
> Hello Guys
>
> Apologies, as I have searched through the groupstudy archives and could
> only come up with this post:
> http://www.groupstudy.com/archives/security/200510/msg00000.html
> which isn't exactly what I'm looking for, or rather didn't address the
> issue I'm thinking of.
>
> This is relating to the issue highlighted in this Cisco link:
>
> http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1073913
> for the 7.1(2) Security Appliance version & the Command Reference
> Documentation:
>
> http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/ef_711.html#wp1679904
>
> So, I'm thinking, do we really need this "failover mac address" command
> for failover to work properly? I'm not a security expert, so I would love
> to hear from the PIX & ASA gurus in the house.
>
> But my own take on this is:
> - The primary unit's mac-address is always associated with the active
> unit, as stated in the first Cisco link I highlighted.
> - If failover occurs for whatsoever reason to the secondary unit, it
> uses its burnt-in mac for the LAN interfaces, until it somehow gets the
> primary unit's mac-address information.
> - A part of my brain thinks the secondary unit also sends its
> mac-address info to the primary unit, another part doesn't. (Although
> this isn't highlighted in the Cisco documentation link above. It's just
> my best guess!)
> - A part of my brain thinks even if the secondary & primary units
> exchange mac-address information for the LAN connections, there
> shouldn't be any problem, as this process is completely transparent to
> users behind the firewall.
> - I also think now that the "if & when" secondary and primary units
> exchange the mac-address information, that confuses the switches behind
> them.
>
> So, I can be wrong, as most of my bullet points are only hypothesis...
> my best guess. So, the question is, do we really need the command
> "failover mac address" to resolve such a scenario, and if we do, what are
> the implications of not using this command... bearing in mind that
> Cisco classified this configuration as "Optional" on their
> documentation page.
>
> Many Thanks
>
> Yemi Salau
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
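To make the commands discussed in this thread concrete, here is an added configuration fragment (it is not from any of the posters and not copied from Cisco's documentation) showing where the optional "failover mac address" command and "failover replication http" sit in a PIX/ASA 7.x Active/Standby failover setup entered on the primary unit. Interface names, IP addresses and the MAC values are constructed placeholders.

```cisco
! Added example: Active/Standby failover configured on the primary unit.
! Interface names, addresses and MACs below are constructed placeholders.
failover
failover lan unit primary
! Dedicated failover control link and its addressing
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Stateful link: here the failover link is reused; a separate interface is also common
failover link folink GigabitEthernet0/3
! Stateful failover does not carry HTTP connections unless this is enabled
failover replication http
! Optional: pin the virtual MAC per physical interface so the active unit
! presents the same address no matter which unit booted first
failover mac address GigabitEthernet0/0 0200.4f10.0001 0200.4f10.0002
failover mac address GigabitEthernet0/1 0200.4f10.0101 0200.4f10.0102
! Verify state from either unit after a manual "failover active":
!   show failover
```

The MAC pairs must be unique on each LAN segment; the configuration is replicated to the standby unit, so it is entered once on the active (primary) unit. Leaving "failover mac address" out is valid, which is why Cisco lists it as optional; the MAC change described in the thread only occurs when the secondary has booted first and the primary later comes online.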
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART