Re: [fw-wiz] PIX Failover Questions
From: Brian Ford (brford_at_cisco.com)
Date: 06/26/03
To: firewall-wizards@honor.icsalabs.com
Date: Thu, 26 Jun 2003 08:27:46 -0400
Kevin,
Please see in line.
At 09:41 AM 6/24/2003 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
>Message: 9
>From: Kevin Miller <kmiller@inflow.com>
>To: "'firewall-wizards@honor.icsalabs.com'"
><firewall-wizards@honor.icsalabs.com>
>Date: Mon, 23 Jun 2003 14:09:39 -0600
>Subject: [fw-wiz] PIX Failover Questions
>
>I currently have an HA pair of PIX 535s. Each 535 has 3 66mhz Gigabit
>Ethernet ports and 1 quad fastethernet card.
>
>I am wondering what is the difference between the stateful serial cable and
>using an Ethernet cable for failover? From what I understand, the serial
>failover cable is used to sync the config between the pixes and the Ethernet
>is used to sync the state tables. Is that correct?
Technically you can do it all with just the Ethernet failover cable. If
used together (serial and Ethernet) both still work and you get better
identification and resolution (i.e. failover) when there is a power failure.
>I was recently looking at a document located here
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm
>
>Which states
>"Caution If Stateful Failover is enabled, the interface card and bus used
>for the Stateful Failover LAN port must be equal to or faster than the
>fastest card used for the network interface ports. For example, if your
>inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then
>your Stateful Failover interface must be a PIX-1GE-66 card installed in bus
>1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a
>PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."
>
>
>Why is a gigabit interface required to sync the state table? How could they
>possibly have that much info to sync? I would just like to use a fast
>ethernet port if possible.
This raises the issue of "stateful failover". When stateful failover is
configured, the two PIXen maintain a common state table. If one PIX goes
down, the failover takes over with minimal translation and connection
loss. The caution refers to the fact that maintaining the state between
PIXen requires moving data. If your configuration / design requires your
PIX to maintain (build and tear down) many connections and translations per
second, you'll need to make sure you have adequate bandwidth between the
PIXen to pass the information. I've seen well loaded PIXen with GigE that
tried to do stateful failover over a 100 Mbps channel, and sometimes the
PIXen got out of sync or the failover timers could not be tuned down.
As a (my own) rule, if you are designing a PIX with GigE on the inside and
outside because you are expecting that sort of throughput, you should
configure a third GigE card for failover.
>Thanks for any help
>Kevin
Liberty for All,
Brian
Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford@cisco.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards