Hi,

I have two PIX FW 520-UR. They are connected via a fail-over cable (proprietary Cisco cable), and they're connected via a crossover patch cord (they both have dedicated interfaces; it makes something described as stateful failover). The PIXes have their own addresses, and if the active one fails, the other takes over. If you have a stateful-failover configuration, the whole process is invisible for others: all connections are (or should be) preserved. I do some tests on a regular basis (plug off one PIX, or switch from the passive to active) and I didn't notice any interruption in TCP connections.

I had only one problem: when I upgraded my PIXes from sw ver. 5.0 to 5.1(2). I'd upgraded one of them (the passive one), and then I got millions of errors... I had to activate the passive PIX, immediately switch off from the network the one that was active before, and upgrade it. And then I connected it to the network... It took me about 5 mins, and I did feel very stressed.... :)))

> Hi,
>
> I intend to replace our existing non-PIX FW system by a PIX-515 stateful failover configuration.
> By reading the Cisco documentation I found the possibility to build a failover configuration consisting of two
> PIX-515 connected over a fast ethernet link for passing state information.
>
> Can anyone tell me:
> - if the failover really does as documented, especially how much time - they wrote 15 to 45 seconds -
>   the standby unit really needs to take a switchover,
>
> - is it noticeable how much performance overhead the primary unit needs to pass the state information to
>   the standby unit,
>
> - and what applications are not handled if a failover occurs.
>
> Thank You

Arkadiusz Majer
TP Internet, WAN Administrator
office: +48 22 8509050
fax: +48 22 8509051
mobile (in case of national emergency): +48 501 393891
