Re: [fw-wiz] PIX Failover Questions
From: Bruce Smith (bruce_the_loon_at_worldonline.co.za)
Date: 06/24/03
- Previous message: Shimon Silberschlag: "Re: [fw-wiz] Application Intelligent vs ALG"
- In reply to: Kevin Miller: "[fw-wiz] PIX Failover Questions"
- Next in thread: Brian Ford: "Re: [fw-wiz] PIX Failover Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Kevin Miller" <kmiller@inflow.com>, <firewall-wizards@honor.icsalabs.com> Date: Tue, 24 Jun 2003 10:01:28 +0200
Hi Kevin
Stateful Failover on the PIX is somewhat different to what you outline
below. With a properly configured stateful failover, a failure on a single
port will result in the traffic to that port being sent over the failover
Ethernet link and out the matching standby port on the other PIX. The ports
on the active PIX that haven't failed remain active, unlike a serial
failover where the whole PIX goes offline. Active state tables are
maintained over the link for instant switchover, but the requirement that
your failover link be as fast as your fastest interface is for when you
actually lose a port. If the active PIX itself fails, the standby will take
over all traffic through its interfaces as it would when using the serial
link.
The documentation for the PIX claims that the switchover of a single port
when using Ethernet failover can be done without disrupting active HTTP
sessions over the firewalls.
FYI, we don't use stateful failover, but just the serial. Our people don't
notice the delay when the cutover happens.
Regards
Bruce Smith
----- Original Message -----
From: "Kevin Miller" <kmiller@inflow.com>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Monday, June 23, 2003 10:09 PM
Subject: [fw-wiz] PIX Failover Questions
> I currently have an HA pair of PIX 535s. Each 535 has 3 66mhz Gigabit
> Ethernet ports and 1 quad fastethernet card.
>
> I am wondering what is the difference between the stateful serial cable
and
> using an Ethernet cable for failover? From what I understand, the serial
> failover cable is used to sync the config between the pixes and the
Ethernet
> is used to sync the state tables. Is that correct?
>
> I was recently looking at a document located here
>
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnot
> es/pixrn63.htm
>
> Which states
> "Caution If Stateful Failover is enabled, the interface card and bus
used
> for the Stateful Failover LAN port must be equal to or faster than the
> fastest card used for the network interface ports. For example, if your
> inside and outside interfaces are PIX-1GE-66 cards installed in bus 0,
then
> your Stateful Failover interface must be a PIX-1GE-66 card installed in
bus
> 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a
> PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."
>
>
> Why is a gigabit interface required to sync the state table? How could
they
> possibly have that much info to sync? I would just like to use a fast
> ethernet port if possible.
>
> Thanks for any help
> Kevin
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Shimon Silberschlag: "Re: [fw-wiz] Application Intelligent vs ALG"
- In reply to: Kevin Miller: "[fw-wiz] PIX Failover Questions"
- Next in thread: Brian Ford: "Re: [fw-wiz] PIX Failover Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
