« Return to Thread: PIX failover disable help

Re: PIX failover disable help

by Chris Myers-3 :: Rate this Message:

DO NOT shutdown the active boxes interface. It will not propogate the configuration in time. The active will failover to the standby. Log into the secondary shutdown the interface, since the standby is inactive the primary will stay active because the hello packets will not be received from the standby's interface, hence no failover attempt. Once you have done that then log into the primary (i.e. active box) and shutdown its interface. At this point the PIX no longer uses the "administratively shutdown interfaces for the state of the failover".

http://www.cisco.com/warp/public/110/failover.html#failovermonitoring

There is a failover poll interval of 15 seconds (after version 5.0 it is configurable) to monitor network activity, failover communications, and the power status. A failure of any of these parameters on the active unit causes the standby unit to take active control. Whenever a unit is determined to have failed, it shuts down its network interfaces.

The two units send special failover "hello" packets to each other over the failover cable and all interfaces every 15 seconds (excludes those that are administratively shutdown). If either unit does not hear the "hello" on an interface for two consecutive poll checks, the PIX puts that LAN interface into testing mode in order to determine where the fault lies. If a standby PIX does not receive a "hello" from the failover cable for two consecutive poll checks, the standby PIX initiates a switchover and declares the other PIX failed. If the active PIX does not hear the "hello" messages, it stays active and sets the other PIX as failed.

Thank You,

Chris Myers

clmmacunix@...

John 1:17

For the Law was given through Moses; grace and truth were realized through Jesus Christ.

Go Vols!!!!

On Apr 10, 2008, at 9:47 PM, Nico wrote:

sivakumar escribió:
I have a pix stateful failover(6.3) set up in active/standby mode. Now i
just want to shut down an interface on the failover and bring back it to
unused state. Now i'm worried if by giving a shut on the interface on the
active pix would affect the standby and would drive them to panic.

As per the document i'm thinking of to disable the failover first and shut
the interface on pri and then sec and after that would enable back the
failover again. Would that be fine or it would still affect and make a
switch over.

My concern is if we disable the failover the 2 pixes would poll using the
other ethernet interfaces to check they are up. And if i shut down an int,
would that make the pix to failover and standby to active?
[B]
Could you please tell me a safe way so that i could rid of it without
affecting any live traffic?[/B]

-----
Regards,
Siva

Just shut down the interface in the active unit, that won't trigger the
failover algorithm, and the configuration will be propagated to the
secondary/standby unit. As there's no live traffic going on by that
interface no live traffic should be affected.

Greetings,
Nico
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

« Return to Thread: PIX failover disable help