RE: PIX - Failover mac address

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Mon Mar 31 2008 - 05:25:32 ART


Cheers Oga Saheed.
 
I've got stateful failover set up for exchanging connection states between
the pair. But this doesn't seem to work for such connections as FTP.
Also, when I try pinging across the firewalls, I get a few packet losses.
I would expect my pings to be squeaky clean after the failover to the
secondary box.

I think I agree with you that the virtual-mac ain't compulsory, i.e.
everything should work just fine. However, this is not the case.
 
Many Thanks
 
Yemi Salau

________________________________

From: saheed Balogun [mailto:saheedb@gmail.com]
Sent: Saturday, March 29, 2008 8:47 AM
To: Salau, Yemi
Cc: groupstudy
Subject: Re: PIX - Failover mac address

You would need "Stateful failover to retain most connection states"; this
excludes 'http' information. This would need 'failover replication http'
to include active http connections.
 
 

 
On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:

        Cheers Mr. Saheed,
        
        Wouldn't the same network disruption happen when I force the
        failover to the secondary unit manually using the "failover active"
        command? I mean, if the secondary obtains the MAC from the primary
        unit when the primary unit comes up, if I do failover active, then
        this should still be the case.
        
        Also, if for whatever reason failover happens, say due to the
        active unit going above the health threshold, will this
        "disruption" still happen? The scenario I have on my hand is that I
        experience network connectivity and disruption issues like packet
        loss and stuff when the secondary unit becomes active...even when
        the primary unit is standby. You wouldn't expect this to change
        anything at all, but it does.
        
        Many Thanks
        
        Yemi Salau
        
        
        
        ________________________________
        
        From: saheed Balogun [mailto:saheedb@gmail.com]
        Sent: Friday, March 28, 2008 4:53 PM
        To: Salau, Yemi
        Cc: groupstudy
        Subject: Re: PIX - Failover mac address
        
        
        Hi Yemi,
        The command is not necessary to make your failover work.
        It may be useful: "If the secondary unit boots first and becomes
        active, it uses the burned-in MAC address for its interfaces. When
        the primary unit comes online, the secondary unit obtains the MAC
        addresses from the primary unit".
        
        The change of mac-address from the secondary to the primary may
        disrupt network traffic.
        
        
        On 3/28/08, Salau, Yemi <yemi.salau@siemens.com> wrote:
        
               Hello Guys
        
               Apologies as I have searched through the groupstudy archives
               and could only come up with this post:
               http://www.groupstudy.com/archives/security/200510/msg00000.html
               which isn't exactly what I'm looking for, or rather didn't
               address the issue I'm thinking of.
        
               This is relating to the issue highlighted in this Cisco link:
               http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/failover.html#wp1073913
               for 7.1(2) Security Appliance version & the Command Reference
               Documentation:
               http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/ef_711.html#wp1679904
        
               So, I'm thinking, do we really need this "failover mac
               address" command for failover to work properly? I'm not a
               security expert, so I will love to hear from the PIX & ASA
               gurus in the house.
        
               But my own take on this is:
               - Primary unit's mac-address is always associated with the
               active unit, as stated in the first Cisco link I highlighted.
               - If failover occurs for whatsoever reason to the Secondary
               unit, it uses its burnt-in MAC for the LAN interfaces, until
               it somehow gets the primary unit's mac-address information.
               - A part of my brain thinks the Secondary unit also sends its
               mac-address info to the Primary unit, another part doesn't.
               (Although this isn't highlighted in the Cisco Documentation
               link above. It's just my best guess!)
               - A part of my brain thinks even if the Secondary & Primary
               units exchange mac-address information for the LAN
               connections, there shouldn't be any problem, as this process
               is completely transparent to users behind the firewall.
               - I also think now that the "if & when" Secondary and Primary
               unit exchange the mac-address information, that confuses the
               switches behind them.
        
               So, I can be wrong as most of my bullet points are only
               hypothesis....my best guess. So, the question is, do we
               really need the command "failover mac address" to resolve
               such a scenario, and if we do, what are the implications of
               not using this command ... bearing in mind that Cisco
               classified this configuration as "Optional" on their
               documentation page.
        
               Many Thanks
        
               Yemi Salau
        
        
        

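Editor's added example (not posted by anyone in this thread, and not taken from the Cisco pages linked above): an ASA 7.x active/standby failover configuration that pins a virtual active/standby MAC per data interface with "failover mac address", so the MAC the active role presents does not depend on which unit booted first, and that enables the HTTP state replication Saheed mentions. Interface names, addresses and MAC values are constructed placeholders.

```text
! Constructed example: ASA 7.x active/standby failover with pinned virtual MACs.
! Interface names, IP addresses and MAC values are placeholders.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! Optional per Cisco, but it fixes the MAC that the ACTIVE role uses on each
! data interface. Without it, a secondary that boots first runs on its
! burned-in MAC and then moves to the primary's MAC once the primary comes
! online; that MAC change is what the switches behind the pair have to relearn.
failover mac address GigabitEthernet0/0 1234.5678.0a01 1234.5678.0a02
failover mac address GigabitEthernet0/1 1234.5678.0b01 1234.5678.0b02
!
! Stateful failover omits HTTP connection state unless this is enabled.
failover replication http
failover
```

"show failover" on either unit confirms the roles and the state replication, and "show interface" shows which MAC each data interface is currently presenting.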


This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART