Re: [fw-wiz] Concentrator inside of paired failover firewalls.

Sorry...but something doesn't seem right about this.

First, I was under the impression that by *default*, the actual failover
cable (the green thing that comes with all PIX firewalls) was what the
PIX used to do failover. All the crossover cable or LAN connection did
was keep track of state information. If you didn't have a LAN cable to
do that, none of your failovers would be stateful. In other words, with
the LAN or crossover connection there, if a firewall dies in the middle
of a file download or something, it will basically pause for a second,
then the failover firewall will pick up where the primary left off (this
all assuming whatever is going on is TCP-based)...also assuming 6.3.x

So, what I'm getting at is that I believe the assertion that if your
crossover cable goes bad or whatever, making both firewalls think they
are the master, is wrong. That is the whole reason you have a
configuration in there that tells both firewalls to ignore the status on
that particular NIC...all it's used for is to transfer state back and
forth. If that NIC fails on either firewall, they don't keep switching
status(es)...the primary remains the primary, the failover remains the
failover...all you lose is the ability to do stateful TCP failover
(keeping your connections intact in the event of a device failure).

Crossover cable or LAN-based connection doesn't matter. It accomplishes
the same thing.

It says in that link:

"If the active unit fails, the standby unit takes over. The following
situations cause a failover to occur if they affect the active unit, but
not the standby unit:

•Network failure

•PIX Firewall hardware failure

•Power loss or reload"

I interpret that to mean that if the SAME thing happens to both units,
they still continue to run as-is. If the cross-over cable goes bad,
that is a bad link on both firewalls. That means they still run as-is.
Primary is active, failover is standby.
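The disagreement in this thread comes down to how a failover pair should interpret two different failures of the heartbeat path: a dead crossover cable (both units lose link) versus a dead trunk between two switches (both units keep link but stop hearing each other). The following is an added example, not PIX code or any vendor's implementation: a small generic model of a standby unit's promotion decision over one or more monitored paths. The `Path` names, the rule set and all four scenarios are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ACTIVE = "active"
    STANDBY = "standby"


@dataclass(frozen=True)
class Path:
    """One path over which a unit can hear its peer (hypothetical model)."""
    name: str
    link_up: bool     # local physical link state on this path
    heartbeat: bool   # peer hello received within the hold time


def decide(role: Role, paths: list[Path]) -> Role:
    """Role a unit should adopt after evaluating every path to its peer.

    Generic HA policy (an assumption of this model, not any vendor's logic):
      1. Only paths whose local link is up say anything about the peer.
      2. If no path is usable, "peer dead" is indistinguishable from
         "my own cable failed", so the unit keeps its current role.
      3. If any usable path still carries a heartbeat, nothing changes.
      4. Only when every usable path is silent is the peer presumed dead,
         and only then does a standby promote itself.
    """
    usable = [p for p in paths if p.link_up]
    if not usable:
        return role
    if any(p.heartbeat for p in usable):
        return role
    return Role.ACTIVE if role == Role.STANDBY else role


def simulate(primary_paths: list[Path], standby_paths: list[Path]) -> tuple[Role, Role]:
    """Evaluate both units independently; returns (primary_role, standby_role)."""
    return decide(Role.ACTIVE, primary_paths), decide(Role.STANDBY, standby_paths)


def split_brain(roles: tuple[Role, Role]) -> bool:
    """True when both units end up active at the same time."""
    return roles == (Role.ACTIVE, Role.ACTIVE)


# Scenario A (constructed): the crossover heartbeat cable fails; both ends lose link.
def crossover_cable_fails() -> tuple[Role, Role]:
    dead = [Path("xover", link_up=False, heartbeat=False)]
    return simulate(dead, dead)


# Scenario B (constructed): heartbeat runs through two switches and the trunk
# between them fails; both units keep link but hear nothing.
def trunk_fails_single_path() -> tuple[Role, Role]:
    silent = [Path("switched", link_up=True, heartbeat=False)]
    return simulate(silent, silent)


# Scenario C (constructed): same trunk failure, but heartbeats are also
# exchanged over a second path (e.g. the data-side interfaces).
def trunk_fails_two_paths() -> tuple[Role, Role]:
    paths = [Path("switched", link_up=True, heartbeat=False),
             Path("data-net", link_up=True, heartbeat=True)]
    return simulate(paths, paths)


# Scenario D (constructed): the primary loses power. On the crossover the
# standby sees link down, but its data-side path stays up and goes silent.
def primary_power_loss_two_paths() -> Role:
    standby_view = [Path("xover", link_up=False, heartbeat=False),
                    Path("data-net", link_up=True, heartbeat=False)]
    return decide(Role.STANDBY, standby_view)


if __name__ == "__main__":
    for label, result in [("A crossover cable fails", crossover_cable_fails()),
                          ("B trunk fails, one path", trunk_fails_single_path()),
                          ("C trunk fails, two paths", trunk_fails_two_paths())]:
        print(f"{label}: {result}  split-brain={split_brain(result)}")
    print("D primary power loss, standby becomes:", primary_power_loss_two_paths())
```

Scenario A is the case the reply above describes: with the link down on both sides the units keep their roles. Scenario B is the split-brain case Carson warns about when a single switched path is used. Scenarios C and D show why a second monitored path matters: it keeps a trunk failure from promoting the standby, while still letting the standby take over when the primary really is gone.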

----- Original Message -----
From: Aaron Smith <smitha@xxxxxxxx>
Date: Friday, September 22, 2006 1:20 pm
Subject: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
To: Firewall Wizards Security Mailing List

On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:
There are _zero_ reliable commercial HA solutions that will go insane if you use a cross-over cable and they both lose link at the same

So, PIX is not a reliable commercial solution then. OK.

you use 2 switches, and the trunk between them fails, both devices think they are "up" (yes, you can use multiple trunks, but you can use x-overs as well - keep it apples to apples). If you use a cross-over cable, and it fails, both devices think they are "down". Any decent HA system can handle both failure modes.

Then PIX is also not a decent HA system. Great.

If an HA system _can't_ handle both failure modes, it's crap and you shouldn't buy it.

PIX (using IP failover) is crap. I get it now.

As a final note, using a crossover cable with a PIX is very stupid. If you keep the pair in the same room then use the failover cable. IP-based failover is useful if the PIX pair is geographically separated, in which case they'd most likely be homed to different switches. Which was my initial point.

@@ron Smith
firewall-wizards mailing list