Firewall Wizards mailing list archives

Re: PIX Failover Questions

From: Dave Rinker <firewall () dsrtech com>
Date: 23 Jun 2003 19:41:02 -0400


Your findings are correct. We recently went through the same question
and answer and Cisco recommends just as stated below. Supposedly The
stateful failover must maintain every connection with the exception of
HTTP traffic which makes the requirement equal to the fastest link.

I must say we've test failed our dual 525(s) and it works wonderfully.




On Mon, 2003-06-23 at 16:09, Kevin Miller wrote:

I currently have an HA pair of PIX 535s.  Each 535 has 3 66mhz Gigabit
Ethernet ports and 1 quad fastethernet card.  

I am wondering what is the difference between the stateful serial cable and
using an Ethernet cable for failover?  From what I understand, the serial
failover cable is used to sync the config between the pixes and the Ethernet
is used to sync the state tables.  Is that correct?    

I was recently looking at a document located here  
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnot
es/pixrn63.htm

Which states 
"Caution   If Stateful Failover is enabled, the interface card and bus used
for the Stateful Failover LAN port must be equal to or faster than the
fastest card used for the network interface ports. For example, if your
inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then
your Stateful Failover interface must be a PIX-1GE-66 card installed in bus
1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a
PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."


Why is a gigabit interface required to sync the state table?  How could they
possibly have that much info to sync?  I would just like to use a fast
ethernet port if possible.    

Thanks for any help
Kevin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX Failover Questions Kevin Miller (Jun 23)
- Re: PIX Failover Questions Dave Rinker (Jun 24)
- Re: PIX Failover Questions Bruce Smith (Jun 24)
- <Possible follow-ups>
- Re: PIX Failover Questions Brian Ford (Jun 26)