Re: [fw-wiz] PIX stateful failover and separate external circuits

Well, the only requirement to do stateful failover on a PIX is to have
an interface dedicated to stateful statistics, so if that one of the
devices does fail, the other has a copy of all traffic that was being
processed. In the documentation, they tell you to use a connection to a
switch from an extra interface on each PIX. I personally always use a
crossover cable going directly between the two devices into eth5 or
something. Assign each interface an ip address, then in the config tell
the PIXes to use that interface as the stateful statistics one. This
assuming a PIX 515E.

But, if you are only using the green (or black) failover cable, the
provider is right, you will only have stateless failover. One device
fails, all your connections will drop, and all the clients will have to
reconnect. With stateful like I described in the previous paragraph, if
one devices fails, there will be a pause in traffic, and it should pick
up where it left off.

You'll probably need a Cisco CCO login.

Florin Andrei wrote:

I've a pair of PIX fw's (OS ver 7.2) in a failover configuration. The
two external interfaces are connected to the provider on two separate

The provider claims that in such a configuration, stateful failover will
not work (the PIXes will do stateless failover), and we need to hook up
a switch (or a pair of switches) between the two firewalls and the two
circuits to enable stateful failover.

Somehow that doesn't sound right to me, but I cannot prove it, nor
disprove it. Anybody knows what the real answer is? A link to some
document that has the details to support the answer would be great, too.


firewall-wizards mailing list