Firewall Wizards mailing list archives

Re: PIX stateful failover and separate external circuits

From: Paul Murphy <Paul_Murphy () fd org>
Date: Thu, 15 Feb 2007 08:14:39 -0600

I would assume that your two ISP circuits have different IP address
assignments?  If so, I do not believe that the PIX can failover connection
states to an Interface with a different IP address than the original.

Thanks,

Paul Murphy




                                                                           
             Florin Andrei                                                 
             <florin () andrei my                                             
             ip.org>                                                    To 
             Sent by:                  firewall-wizards@listserv.icsalabs. 
             firewall-wizards-         com                                 
             bounces@listserv.                                          cc 
             icsalabs.com                                                  
                                                                   Subject 
                                       [fw-wiz] PIX stateful failover and  
             02/14/2007 05:36          separate external circuits          
             PM                                                            
                                                                           
                                                                           
             Please respond to                                             
             firewall-wizards@                                             
             listserv.icsalabs                                             
                   .com                                                    
                                                                           
                                                                           




I've a pair of PIX fw's (OS ver 7.2) in a failover configuration. The
two external interfaces are connected to the provider on two separate
circuits.

The provider claims that in such a configuration, stateful failover will
not work (the PIXes will do stateless failover), and we need to hook up
a switch (or a pair of switches) between the two firewalls and the two
circuits to enable stateful failover.

Somehow that doesn't sound right to me, but I cannot prove it, nor
disprove it. Anybody knows what the real answer is? A link to some
document that has the details to support the answer would be great, too.

Thanks,

--
Florin Andrei

http://florin.myip.org/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

PIX stateful failover and separate external circuits Florin Andrei (Feb 14)
- Re: PIX stateful failover and separate external circuits Victor Williams (Feb 15)
- Re: PIX stateful failover and separate external circuits James Burns (Feb 15)
  - Re: PIX stateful failover and separate external circuits Florin Andrei (Feb 16)
- Re: PIX stateful failover and separate external circuits Paul Murphy (Feb 15)