Firewall Wizards mailing list archives
Re: Hardware vs. Software firewall reliability
From: Chenggong Charles Fan <fan () rainfinity com>
Date: Fri, 17 Sep 1999 20:57:21 -0700
For FW-1, before version 4.1, the VPN encryption is not being shared by its State Sync Mechanism, so existing VPN sessions will be broken when a fail-over occurs. With 4.1, the key is being synced, and fail-over will be transparent. We have tested Rainwall v1.3 with FW-1 v4.1, and VPN fail-over works. Both of them will be available in a couple of weeks.

Charles

Bill Stout wrote:

> I suspect the answers are vendor-specific here. So why would a VPN not fail over? Current sessions should break, but there should be no more interruption than temporary packet loss on the Internet. Rather than start a new VPN on failover, why not have two VPNs predefined and ready to accept connections once the IP address is failed over?
>
> Bill Stout
>
> -----Original Message-----
> From: Ryan Russell [mailto:Ryan.Russell () sybase com]
> Sent: Saturday, September 11, 1999 3:07 PM
> To: Aaron D. Turner
> Cc: Joe Ippolito; Franck Veysset; firewall-wizards () nfr net
> Subject: RE: Hardware vs. Software firewall reliability
>
> I thought the problem with H/A and VPN is only one of the firewalls can have the VPN "certificate". When the primary fails and the secondary takes over, the remote site aborts the VPN because the secondary has the wrong cert. The fix is to manually update the certificates (or perhaps via a script).
>
> Because, by default, FW-1 allows any established connection through, the state table of the secondary shouldn't become an issue. If FW-1 didn't allow that, all established connections would drop when the secondary took over.... And "established" only applies to TCP, and the VPN doesn't run over TCP. It runs over IP in IP.
>
> The problem is that FW-1's state sharing code always seems to lag behind the new features, so you get things like the VPN state not being shared even though it's been around for a while.
>
> Ryan
>
> My Recipe - 20% Indonesian, 40% Dutch, 30% French, 10% Other. American born and damn proud of it. Indonesia - Replaced Dutch rule with a brutal Dictatorship in the name of 'Freedom'. I pray justice for their acts in East Timor will be just as brutal on them, and as surgical as possible.
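The failure mode the thread is circling (established TCP surviving a failover on its own, UDP needing the synced flow table, and IPsec needing the negotiated keys as well) can be checked with a small model. This is an added example written for this page, not code from FW-1, Rainwall or any of the posters; the firewall model, flow names and the three sync policies are constructed assumptions.

```python
"""Toy model of an HA firewall pair: which in-flight sessions survive a
failover depending on what the state sync replicates (nothing, the flow
table, or the flow table plus VPN session keys). Constructed example;
names are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    name: str
    kind: str            # "tcp", "udp" or "ipsec"
    established: bool    # TCP only: mid-stream packets carry ACK


@dataclass
class Firewall:
    name: str
    allow_established: bool = True               # FW-1 default per thread
    flows: dict = field(default_factory=dict)    # synced flow table
    sa_keys: dict = field(default_factory=dict)  # IPsec SA -> session key

    def permits(self, flow: Flow) -> bool:
        if flow.kind == "ipsec":
            # Tunnel traffic is IP-in-IP, not TCP, so "established" never
            # applies; without the negotiated key the packets are unusable.
            return flow.name in self.sa_keys
        if flow.name in self.flows:
            return True
        # Mid-stream TCP is let through even with no table entry; UDP has
        # no such shortcut and dies with the state table.
        return flow.kind == "tcp" and flow.established and self.allow_established


def failover_survivors(flows, sync_flows: bool, sync_vpn_keys: bool):
    """Names of flows that keep working after the secondary takes over."""
    primary = Firewall("primary")
    for f in flows:
        primary.flows[f.name] = f
        if f.kind == "ipsec":
            primary.sa_keys[f.name] = "constructed-session-key"
    secondary = Firewall("secondary")
    if sync_flows:
        secondary.flows = dict(primary.flows)
    if sync_vpn_keys:            # what the 4.1 sync adds, per the thread
        secondary.sa_keys = dict(primary.sa_keys)
    return sorted(f.name for f in flows if secondary.permits(f))


# Constructed in-flight sessions at the moment the primary dies.
SESSIONS = [
    Flow("ssh-to-dmz", "tcp", True),
    Flow("dns-lookup", "udp", False),
    Flow("site-to-site-vpn", "ipsec", False),
]
```

Running the three policies against SESSIONS shows the same split the posters describe: only the TCP session survives with no sync, the flow-table sync rescues UDP, and only a key sync keeps the tunnel up.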