Firewall Wizards mailing list archives
Re: PIX Failover Questions
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Tue, 24 Jun 2003 10:01:28 +0200
Hi Kevin

Stateful Failover on the PIX is somewhat different to what you outline below. With a properly configured stateful failover, a failure on a single port will result in the traffic to that port being sent over the failover Ethernet link and out the matching standby port on the other PIX. The ports on the active PIX that haven't failed remain active, unlike a serial failover where the whole PIX goes offline. Active state tables are maintained over the link for instant switchover, but the requirement that your failover link be as fast as your fastest interface is for when you actually lose a port. If the active PIX itself fails, the standby will take over all traffic through its interfaces as it would when using the serial link.

The documentation for the PIX claims that the switchover of a single port when using Ethernet failover can be done without disrupting active HTTP sessions over the firewalls.

FYI, we don't use stateful failover, but just the serial. Our people don't notice the delay when the cutover happens.

Regards
Bruce Smith

----- Original Message -----
From: "Kevin Miller" <kmiller () inflow com>
To: <firewall-wizards () honor icsalabs com>
Sent: Monday, June 23, 2003 10:09 PM
Subject: [fw-wiz] PIX Failover Questions
I currently have an HA pair of PIX 535s. Each 535 has 3 66 MHz Gigabit Ethernet ports and 1 quad FastEthernet card. I am wondering what is the difference between the stateful serial cable and using an Ethernet cable for failover? From what I understand, the serial failover cable is used to sync the config between the PIXes and the Ethernet is used to sync the state tables. Is that correct?

I was recently looking at a document located here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm which states:

"Caution If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if your inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."

Why is a gigabit interface required to sync the state table? How could they possibly have that much info to sync? I would just like to use a FastEthernet port if possible.

Thanks for any help
Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
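For reference, the configuration the two messages are talking about, written out for the primary unit of a PIX 6.3 pair with a dedicated LAN failover link (replacing the serial cable) and a separate dedicated stateful-failover link on a gigabit port. This is an added example, not configuration from either poster or from the Cisco document quoted above; the interface names, IP addresses and the shared key are assumptions chosen for illustration.

```cisco
! Added example: PIX 6.3 LAN-based stateful failover, primary unit.
! Interface names, addresses and the key are assumptions, not values
! taken from the thread.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface ethernet0 100full
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 stateful security20
nameif ethernet0 lanfail security30
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 10.9.9.1 255.255.255.0
ip address lanfail 10.8.8.1 255.255.255.0
! Standby addresses: the secondary unit answers on these while it is
! standby and takes over the primary addresses when it becomes active.
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address stateful 10.9.9.2
failover ip address lanfail 10.8.8.2
! LAN-based failover in place of the serial cable: unit role, the
! interface carrying the hello exchange and config replication, and a
! shared key so the failover messages are authenticated.
failover lan unit primary
failover lan interface lanfail
failover lan key s3cr3tkey
failover lan enable
! Dedicated stateful-failover link carrying the connection/translation
! state. Per the quoted release note it must sit on a card and bus at
! least as fast as the fastest data interface, hence a GE port here.
failover link stateful
! Hello interval in seconds (15 is the default).
failover poll 15
! PIX 6.x does not replicate HTTP connection state unless this is set.
failover replicate http
failover
```

The secondary unit only needs the `interface`, `nameif`, `ip address` and `failover ip address` lines for the `lanfail` interface plus `failover lan unit secondary`, `failover lan interface lanfail`, `failover lan key s3cr3tkey`, `failover lan enable` and `failover` before it can pull the rest of the configuration from the primary over the LAN failover link. Both `lanfail` and `stateful` should be on their own switch or VLAN (or a crossover cable) so that failover and state traffic never shares a segment with production traffic; `show failover` on the active unit confirms the peer's state, the `Stateful Failover Logical Update Statistics` counters, and whether the standby's interfaces are reporting as Normal.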
Current thread:
- PIX Failover Questions Kevin Miller (Jun 23)
- Re: PIX Failover Questions Dave Rinker (Jun 24)
- Re: PIX Failover Questions Bruce Smith (Jun 24)
- <Possible follow-ups>
- Re: PIX Failover Questions Brian Ford (Jun 26)