Re: [fw-wiz] PIX stateful failover and separate external circuits

---

• From: Paul Murphy <Paul_Murphy@xxxxxx>
• Date: Thu, 15 Feb 2007 08:14:39 -0600

---

I would assume that your two ISP circuits have different IP address
assignments? If so, I do not believe that the PIX can failover connection
states to an Interface with a different IP address than the original.

Thanks,

Paul Murphy





Florin Andrei
<florin@xxxxxxxxx
ip.org> To
Sent by: firewall-wizards@xxxxxxxxxxxxxxxxxx
firewall-wizards- com
bounces@listserv. cc
icsalabs.com
Subject
[fw-wiz] PIX stateful failover and
02/14/2007 05:36 separate external circuits
PM


Please respond to
firewall-wizards@
listserv.icsalabs
.com






I've a pair of PIX fw's (OS ver 7.2) in a failover configuration. The
two external interfaces are connected to the provider on two separate
circuits.

The provider claims that in such a configuration, stateful failover will
not work (the PIXes will do stateless failover), and we need to hook up
a switch (or a pair of switches) between the two firewalls and the two
circuits to enable stateful failover.

Somehow that doesn't sound right to me, but I cannot prove it, nor
disprove it. Anybody knows what the real answer is? A link to some
document that has the details to support the answer would be great, too.

Thanks,

--
Florin Andrei

http://florin.myip.org/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

---

• References:
  • [fw-wiz] PIX stateful failover and separate external circuits
    • From: Florin Andrei

• Prev by Date: Re: [fw-wiz] PIX stateful failover and separate external circuits
• Next by Date: Re: [fw-wiz] firewall-wizards Digest, Vol 10, Issue 9
• Previous by thread: Re: [fw-wiz] PIX stateful failover and separate external circuits
• Next by thread: Re: [fw-wiz] firewall-wizards Digest, Vol 10, Issue 9
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Pix fail-over questions ... Cisco PIX: Failover Demystified ... How to replace the primary PIX Firewall in a failover environment PIX ... secondarypix # show failover ... (comp.dcom.sys.cisco) [fw-wiz] pix firewall - failover and logging issues ... I have two questions about pix firewall for the list. ... The first one is directed to failover users. ... (Firewall-Wizards) Re: [fw-wiz] RE: PIX FW Failover & Hello Packet ... Note you cannot configure failover if the units are not absolutely ... The hello packets are sent over all interfaces every 15 seconds, ... If the switch detects a bridge loop it will ... missed by the failover pix. ... (Firewall-Wizards) Re: Pix fail-over questions ... Cisco PIX: Failover Demystified ... If that's the case then how do you ever upgrade the code or RAM ... This would definitely cause downtime due to the state table being lost ... (comp.dcom.sys.cisco) Re: Failover Clarification ... - the backup must be able to distinguish between primary failure and failure of the communications path to the primary. ... The special PIX serial cable is designed to do number 1 keeping ... Stateful failover requires number 2 which in turn ... (comp.dcom.sys.cisco)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Firewall-Wizards  > 2007-02