Re: [fw-wiz] PIX Failover Questions

From: Dave Rinker (firewall_at_dsrtech.com)
Date: 06/24/03

    To: firewall-wizards@honor.icsalabs.com
    Date: 23 Jun 2003 19:41:02 -0400
    
    

    Your findings are correct. We recently went through the same question
    and answer, and Cisco recommends just as stated below. Supposedly the
    stateful failover must maintain every connection with the exception of
    HTTP traffic, which makes the requirement equal to the fastest link.

    I must say we've test failed our dual 525(s) and it works wonderfully.

    On Mon, 2003-06-23 at 16:09, Kevin Miller wrote:
    > I currently have an HA pair of PIX 535s. Each 535 has 3 66 MHz Gigabit
    > Ethernet ports and 1 quad Fast Ethernet card.
    >
    > I am wondering what is the difference between the stateful serial cable and
    > using an Ethernet cable for failover? From what I understand, the serial
    > failover cable is used to sync the config between the PIXes and the Ethernet
    > is used to sync the state tables. Is that correct?
    >
    > I was recently looking at a document located here
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm
    >
    > Which states
    > "Caution If Stateful Failover is enabled, the interface card and bus used
    > for the Stateful Failover LAN port must be equal to or faster than the
    > fastest card used for the network interface ports. For example, if your
    > inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then
    > your Stateful Failover interface must be a PIX-1GE-66 card installed in bus
    > 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a
    > PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."
    >
    >
    > Why is a gigabit interface required to sync the state table? How could they
    > possibly have that much info to sync? I would just like to use a fast
    > ethernet port if possible.
    >
    > Thanks for any help
    > Kevin
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
