Firewall Wizards mailing list archives

RE: Hardware vs. Software firewall reliability


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Sat, 11 Sep 1999 15:06:58 -0700




I thought the problem with H/A and VPN is only one of the firewalls
can have the VPN "certificate".  When the primary fails and the
secondary takes over the remote site aborts the VPN because the
secondary has the wrong cert.  The fix is to manually update the
certificates (or perhaps via a script).

Because, by default, FW-1 allows any established connection through,
the state table of the secondary shouldn't become an issue.  If FW-1
didn't allow that, all established connections would drop when the
secondary took over.

... And "established" only applies to TCP, and the VPN doesn't
run over TCP.  It runs over IP in IP.  The problem is that FW-1's
state sharing code always seems to lag behind the new features,
so you get things like the VPN state not being shared even though it's
been around for a while.

                         Ryan
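The failure mode Ryan describes (mid-stream TCP surviving a failover because of the "accept established" default, while a VPN tunnel carried over IP-in-IP has no such fallback and dies unless its state was replicated) is easy to see in a small model. The following is an added example written for this archive page; it is not Check Point FW-1 code, and the state-table layout, the `accept non-SYN TCP` heuristic, the `open_tunnel` helper and the `sync_state` filter are simplifying assumptions, with the flow addresses constructed for the demonstration.

```python
# Added example: a toy model of stateful-firewall failover, written for this
# thread. It is NOT Check Point FW-1 code; the "established" heuristic, the
# state-table layout and the selective state sync are simplified assumptions.
from dataclasses import dataclass, field

TCP, IPIP, ESP = 6, 4, 50          # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    syn: bool = False               # TCP only: True for a connection-opening packet

@dataclass
class Firewall:
    name: str
    allow_established_tcp: bool = True   # FW-1-style "accept non-SYN TCP" default
    state: set = field(default_factory=set)

    @staticmethod
    def key(pkt: Packet):
        return (pkt.src, pkt.dst, pkt.proto)

    def open_tunnel(self, src: str, dst: str, proto: int = IPIP) -> None:
        """Model a successful VPN negotiation: tunnel state lives only on this box."""
        self.state.add((src, dst, proto))

    def inspect(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.state:
            return "accept:state"
        if pkt.proto == TCP:
            if pkt.syn:                        # rulebase accepts the new connection
                self.state.add(k)
                return "accept:new"
            if self.allow_established_tcp:     # mid-stream TCP with no state entry
                return "accept:established"
            return "drop:no-state"
        # IP-in-IP / ESP carry no SYN and have no "established" notion:
        # without a replicated state entry there is nothing to match.
        return "drop:no-state"

def sync_state(primary: Firewall, secondary: Firewall, synced_protos: set) -> int:
    """Replicate only the entries the sync code knows about; returns how many copied."""
    copied = {k for k in primary.state if k[2] in synced_protos}
    secondary.state |= copied
    return len(copied)

def failover(synced_protos: set, allow_established_tcp: bool = True) -> dict:
    """Run a TCP session and a VPN tunnel through the primary, fail over, and
    report the secondary's verdict on the next packet of each flow."""
    primary = Firewall("fw-primary", allow_established_tcp)
    secondary = Firewall("fw-secondary", allow_established_tcp)

    # Constructed sample flows that established themselves on the primary.
    primary.inspect(Packet("10.1.1.5", "192.0.2.10", TCP, syn=True))   # TCP handshake
    primary.open_tunnel("198.51.100.7", "203.0.113.1", IPIP)            # VPN tunnel up

    sync_state(primary, secondary, synced_protos)

    # Primary dies; the same flows continue and now hit the secondary.
    return {
        "tcp": secondary.inspect(Packet("10.1.1.5", "192.0.2.10", TCP)),
        "vpn": secondary.inspect(Packet("198.51.100.7", "203.0.113.1", IPIP)),
    }

if __name__ == "__main__":
    print("sync TCP only:        ", failover({TCP}))
    print("sync TCP + IP-in-IP:  ", failover({TCP, IPIP}))
    print("no sync, heuristic on:", failover(set()))
    print("no sync, heuristic off:", failover(set(), allow_established_tcp=False))
```

With only TCP state replicated (or no replication at all but the established heuristic on), the TCP session keeps flowing after failover while the tunnel packet is dropped; only when the sync set includes the tunnel protocol does the VPN survive. Turning the heuristic off shows why that default matters: without it, unsynced TCP dies too.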