Re: [fw-wiz] PIX stateful failover and separate external circuits

Well, the only requirement to do stateful failover on a PIX is to have
an interface dedicated to stateful statistics, so that if one of the
devices does fail, the other has a copy of all traffic that was being
processed. In the documentation, they tell you to use a connection to a
switch from an extra interface on each PIX. I personally always use a
crossover cable going directly between the two devices into eth5 or
something. Assign each interface an IP address, then in the config tell
the PIXes to use that interface as the stateful statistics one. This is
assuming a PIX 515E.

But, if you are only using the green (or black) failover cable, the
provider is right, you will only have stateless failover. One device
fails, all your connections will drop, and all the clients will have to
reconnect. With stateful like I described in the previous paragraph, if
one device fails, there will be a pause in traffic, and it should pick
up where it left off.

You'll probably need a Cisco CCO login.

Florin Andrei wrote:

I've a pair of PIX fw's (OS ver 7.2) in a failover configuration. The
two external interfaces are connected to the provider on two separate

The provider claims that in such a configuration, stateful failover will
not work (the PIXes will do stateless failover), and we need to hook up
a switch (or a pair of switches) between the two firewalls and the two
circuits to enable stateful failover.

Somehow that doesn't sound right to me, but I cannot prove it, nor
disprove it. Does anybody know what the real answer is? A link to some
document that has the details to support the answer would be great, too.


firewall-wizards mailing list
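
The dedicated state link described in the reply above, sketched as a PIX OS 7.x configuration. This is an added example, not part of the original thread; the port (Ethernet5), the link name "state" and the 10.255.255.0/30 addresses are assumptions chosen for illustration.

```cisco
! Constructed example for PIX OS 7.x with the serial failover cable in place.
! Assumed values: spare port Ethernet5, link name "state", and an unused
! /30 subnet for the crossover cable between the two units.

! Bring up the dedicated port. Leave it without a nameif or security level;
! the failover commands below take ownership of it.
interface Ethernet5
 no shutdown

! Designate the port as the stateful failover link.
failover link state Ethernet5

! Active and standby addresses on the state link.
failover interface ip state 10.255.255.1 255.255.255.252 standby 10.255.255.2

! Enable failover.
failover

! Verification, from privileged EXEC on either unit: the output should
! name the state link and show the stateful update statistics counters
! incrementing as connections are replicated to the standby unit.
show failover
```

The state link carries connection table contents between the units, so it belongs on a crossover cable or an isolated VLAN rather than on a shared segment.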
