Firewall Wizards mailing list archives

Re: PIX Failover Questions

From: Brian Ford <brford () cisco com>
Date: Thu, 26 Jun 2003 08:27:46 -0400

Kevin,

Please see in line.

At 09:41 AM 6/24/2003 -0400, firewall-wizards-request () honor icsalabs com wrote:

Message: 9
From: Kevin Miller <kmiller () inflow com>

To: "'firewall-wizards () honor icsalabs com'"<firewall-wizards () honor icsalabs com>

Date: Mon, 23 Jun 2003 14:09:39 -0600
Subject: [fw-wiz] PIX Failover Questions

I currently have an HA pair of PIX 535s.  Each 535 has 3 66mhz Gigabit
Ethernet ports and 1 quad fastethernet card.

I am wondering what is the difference between the stateful serial cable and
using an Ethernet cable for failover?  From what I understand, the serial
failover cable is used to sync the config between the pixes and the Ethernet
is used to sync the state tables.  Is that correct?

Technically you can do i all with just the Ethernet fail over cable. Ifused together (serial and Ethernet) both still work and you get betteridentification and resolution (i.e. fail over) when there is a power failure.

I was recently looking at a document located here
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnot
es/pixrn63.htm

Which states
"Caution   If Stateful Failover is enabled, the interface card and bus used
for the Stateful Failover LAN port must be equal to or faster than the
fastest card used for the network interface ports. For example, if your
inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then
your Stateful Failover interface must be a PIX-1GE-66 card installed in bus
1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a
PIX-1GE-66 card be installed in bus 2 or share bus 1 with a slower card."


Why is a gigabit interface required to sync the state table?  How could they
possibly have that much info to sync?  I would just like to use a fast
ethernet port if possible.

This raises the issue of "stateful failover". When stateful failover isconfigured the two PIXen maintain a common state table. If one PIX goesdown the failover takes over with minimal translation and connectionloss. The caution refers to the fact that maintaining the state betweenPIXen requires moving data. If your configuration / design requires yourPIX maintain (builds and tears down) many connections and translations persecond; you'll need to make sure you have adequate bandwidth between thePIXen to pass the information. I've seen well loaded PIXen with GigE thattried to do stateful failover over a 100 Mbps channel and sometimes thePIXen get out of sync or the failover timers cannot be tuned down.

As a (my own) rule if you are designing a PIX with GigE on the inside andoutside because you are expecting that sort of throughput; you shouldconfigure a third GigE card for failover.

Thanks for any help
Kevin

Liberty for All,

Brian


Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford () cisco com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX Failover Questions Kevin Miller (Jun 23)
- Re: PIX Failover Questions Dave Rinker (Jun 24)
- Re: PIX Failover Questions Bruce Smith (Jun 24)
- <Possible follow-ups>
- Re: PIX Failover Questions Brian Ford (Jun 26)