Re: [fw-wiz] Concentrator inside of paired failover firewalls.

From: Aaron Smith <smitha@xxxxxxxx>
Date: Thu, 21 Sep 2006 11:44:21 -0600

On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:

There are _zero_ reliable commercial HA solutions that will go insane if
you use a cross-over cable and they both loose link at the same time.

So, PIX is not a reliable commercial solution then. OK.

If
you use 2 switches, and the trunk between them fails, both devices think
they are "up" (yes, you can use multiple trunks, but you can use multiple
x-overs as well - keep it apples to apples). If you use a cross-over cable,
and it fails, both devices think they are "down". Any decent HA system can
handle both failure modes.

Then PIX is also not a decent HA system. Great.

If an HA system _can't_ handle both failure
modes, it's crap and you shouldn't buy it.

PIX (using IP failover) is crap. I get it now.

As a final note, using a crossover cable with a PIX is very stupid. If
you keep the pair in the same room then use the failover cable.
IP-based failover is useful if the PIX pair is geographically separated,
in which case they'd most likely be homed to different switches. Which
was my initial point.

@@ron Smith
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: vbwilliams

References:
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Aaron Smith
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Carson Gaspar
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Aaron Smith
- Re: [fw-wiz] Concentrator inside of paired failover firewalls.
  - From: Carson Gaspar

Prev by Date: Re: [fw-wiz] VPN LAN to LAN
Next by Date: [fw-wiz] Running script containing fw tab commands on Nokia ipso out of cron
Previous by thread: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
Next by thread: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
Index(es):
- Date
- Thread

Relevant Pages

Re: Pix fail-over questions
... Cisco PIX: Failover Demystified ... How to replace the primary PIX Firewall in a failover environment PIX ... secondarypix # show failover ...
(comp.dcom.sys.cisco)
[fw-wiz] pix firewall - failover and logging issues
... I have two questions about pix firewall for the list. ... The first one is directed to failover users. ...
(Firewall-Wizards)
Re: [fw-wiz] RE: PIX FW Failover & Hello Packet
... Note you cannot configure failover if the units are not absolutely ... The hello packets are sent over all interfaces every 15 seconds, ... If the switch detects a bridge loop it will ... missed by the failover pix. ...
(Firewall-Wizards)
Re: Pix fail-over questions
... Cisco PIX: Failover Demystified ... If that's the case then how do you ever upgrade the code or RAM ... This would definitely cause downtime due to the state table being lost ...
(comp.dcom.sys.cisco)
Re: Failover Clarification
... - the backup must be able to distinguish between primary failure and failure of the communications path to the primary. ... The special PIX serial cable is designed to do number 1 keeping ... Stateful failover requires number 2 which in turn ...
(comp.dcom.sys.cisco)