PIX failover disable help

by sivakumar


I have a PIX stateful failover (6.3) set up in active/standby mode. Now I just want to shut down an interface on the failover and bring it back to an unused state. Now I'm worried that giving a shut on the interface on the active PIX would affect the standby and drive them to panic.

As per the document, I'm thinking of disabling the failover first, shutting the interface on the pri and then the sec, and after that enabling the failover again. Would that be fine, or would it still affect them and cause a switchover?

My concern is that if we disable the failover, the 2 PIXes would poll using the other Ethernet interfaces to check they are up. And if I shut down an int, would that make the PIX fail over and the standby go active?

Could you please tell me a safe way so that I could get rid of it without affecting any live traffic?
Regards,
Siva

Re: PIX failover disable help

by nico-49

sivakumar wrote:

> I have a pix stateful failover(6.3) set up in active/standby mode. Now i
> just want to shut down an interface on the failover and bring back it to
> unused state. Now i'm worried if by giving a shut on the interface on the
> active pix would affect the standby and would drive them to panic.
>
> As per the document i'm thinking of to disable the failover first and shut
> the interface on pri and then sec and after that would enable back the
> failover again. Would that be fine or it would still affect and make a
> switch over.
>
> My concern is if we disable the failover the 2 pixes would poll using the
> other ethernet interfaces to check they are up. And if i shut down an int,
> would that make the pix to failover and standby to active?
> Could you please tell me a safe way so that i could rid of it without
> affecting any live traffic?
>
> -----
> Regards,
> Siva
>  
Just shut down the interface in the active unit, that won't trigger the
failover algorithm, and the configuration will be propagated to the
secondary/standby unit. As there's no live traffic going on by that
interface no live traffic should be affected.

Greetings,
Nico
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: PIX failover disable help

by Christopher J. Wargaski

Siva--

   Yes, you should disable failover first.

no failover
no failover ip address inside 10.1.1.11
no failover ip address DMZvlan1 10.0.0.2
no failover ip address DMZvlan2 10.0.2.2
no failover ip address outside 68.254.130.243
no failover ip address fover PIX2-fover
no failover link fover

show failover

   Once failover is disabled, the polling stops. Now you can shut down
interfaces, or disconnect them.


On Thu, Apr 10, 2008 at 9:21 AM, sivakumar <siva_itech@...> wrote:

>
>
>  I have a pix stateful failover(6.3) set up in active/standby mode. Now i
>  just want to shut down an interface on the failover and bring back it to
>  unused state. Now i'm worried if by giving a shut on the interface on the
>  active pix would affect the standby and would drive them to panic.
>
>  As per the document i'm thinking of to disable the failover first and shut
>  the interface on pri and then sec and after that would enable back the
>  failover again. Would that be fine or it would still affect and make a
>  switch over.
>
>  My concern is if we disable the failover the 2 pixes would poll using the
>  other ethernet interfaces to check they are up. And if i shut down an int,
>  would that make the pix to failover and standby to active?
>  Could you please tell me a safe way so that i could rid of it without
>  affecting any live traffic?
>
>  -----
>  Regards,
>  Siva
>  --
>  View this message in context: http://www.nabble.com/PIX-failover-disable-help-tp16608826p16608826.html
>  Sent from the Firewall Wizards mailing list archive at Nabble.com.

Re: PIX failover disable help

by Chris Myers-3

DO NOT shut down the active box's interface. It will not propagate the configuration in time. The active will fail over to the standby. Log into the secondary and shut down the interface; since the standby is inactive, the primary will stay active because the hello packets will not be received from the standby's interface, hence no failover attempt. Once you have done that, log into the primary (i.e. active box) and shut down its interface. At this point the PIX no longer uses the "administratively shutdown interfaces for the state of the failover".



There is a failover poll interval of 15 seconds (after version 5.0 it is configurable) to monitor network activity, failover communications, and the power status. A failure of any of these parameters on the active unit causes the standby unit to take active control. Whenever a unit is determined to have failed, it shuts down its network interfaces.

The two units send special failover "hello" packets to each other over the failover cable and all interfaces every 15 seconds (excludes those that are administratively shutdown). If either unit does not hear the "hello" on an interface for two consecutive poll checks, the PIX puts that LAN interface into testing mode in order to determine where the fault lies. If a standby PIX does not receive a "hello" from the failover cable for two consecutive poll checks, the standby PIX initiates a switchover and declares the other PIX failed. If the active PIX does not hear the "hello" messages, it stays active and sets the other PIX as failed.

Thank You,

Chris Myers

John 1:17
For the Law was given through Moses; grace and truth were realized through Jesus Christ.  


   Go Vols!!!!

On Apr 10, 2008, at 9:47 PM, Nico wrote:
> sivakumar wrote:
> > I have a pix stateful failover(6.3) set up in active/standby mode. Now i
> > just want to shut down an interface on the failover and bring back it to
> > unused state. Now i'm worried if by giving a shut on the interface on the
> > active pix would affect the standby and would drive them to panic.
> >
> > As per the document i'm thinking of to disable the failover first and shut
> > the interface on pri and then sec and after that would enable back the
> > failover again. Would that be fine or it would still affect and make a
> > switch over.
> >
> > My concern is if we disable the failover the 2 pixes would poll using the
> > other ethernet interfaces to check they are up. And if i shut down an int,
> > would that make the pix to failover and standby to active?
> >
> > Could you please tell me a safe way so that i could rid of it without
> > affecting any live traffic?
> >
> > -----
> > Regards,
> > Siva
>
> Just shut down the interface in the active unit, that won't trigger the
> failover algorithm, and the configuration will be propagated to the
> secondary/standby unit. As there's no live traffic going on by that
> interface no live traffic should be affected.
>
> Greetings,
> Nico
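
The hello rules described in Chris Myers' message above, as a small Python model (an added example, not part of the original thread and not Cisco's implementation). The `failover-cable` label, the function name and the sample poll data are constructed; the interface names are taken from the configuration posted earlier in the thread, and treating a locally shut interface as unmonitored is this model's reading of "excludes those that are administratively shutdown".

```python
POLL_INTERVAL_S = 15   # poll interval quoted in the message
MISS_LIMIT = 2         # "two consecutive poll checks"
FAILOVER_CABLE = "failover-cable"  # constructed label for the failover link


def poll_events(role, links, shut, heard_per_poll):
    """Apply the hello rules to one unit and return [(seconds, event), ...].

    role: "active" or "standby"
    links: every link this unit has, including FAILOVER_CABLE
    shut: links administratively shut down on this unit (not monitored)
    heard_per_poll: one set per poll check, naming links where a hello arrived
    """
    missed = dict.fromkeys(links, 0)
    events = []
    for n, heard in enumerate(heard_per_poll, start=1):
        now = n * POLL_INTERVAL_S
        for link in links:
            if link in shut:
                continue                  # excluded from hello monitoring
            if link in heard:
                missed[link] = 0          # a hello resets the counter
                continue
            missed[link] += 1
            if missed[link] != MISS_LIMIT:
                continue                  # report only when the limit is first hit
            if link != FAILOVER_CABLE:
                events.append((now, f"{link}: testing mode"))
            elif role == "standby":
                events.append((now, "switchover: standby goes active, peer marked failed"))
            else:
                events.append((now, "stays active, peer marked failed"))
    return events


if __name__ == "__main__":
    links = [FAILOVER_CABLE, "inside", "outside", "DMZvlan1"]
    # Constructed input: hellos on DMZvlan1 stop, every other link is heard.
    quiet_dmz = [{FAILOVER_CABLE, "inside", "outside"}] * 3
    print(poll_events("active", links, set(), quiet_dmz))
    print(poll_events("active", links, {"DMZvlan1"}, quiet_dmz))
    # Constructed input: the standby stops hearing hellos on the failover cable.
    print(poll_events("standby", links, set(), [{"inside", "outside", "DMZvlan1"}] * 2))
```

Comparing the first two calls shows the difference the administrative shutdown makes in this model: the same silent interface produces a testing-mode event at 30 seconds when monitored and nothing once it is shut on the local unit.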




Re: PIX failover disable help

by sivakumar

Thanks all for your reply.. Hope the info would help me to go ahead..
Regards,
Siva