Re: PIX stateful configuration

Daniel Crichton Thu, 06 Jul 2000 02:20:36 -0700
On 6 Jul 2000, at 10:34, [EMAIL PROTECTED] wrote:

> I intend to  replace our existing non PIX FW-System by a PIX-515 stateful
> failover configuration. By reading the Cisco docu I found the possibility to
> build a failover configuration consisting of two PIX-515 connected over a fast
> ethernet link for passing state information.

I've got one of these - a 515-UR with failover. But the failover has to be 
connected by the custom Cisco cable, it's not something that can be done 
over ethernet (unless they've changed the hardware).
 
> Can anyone tell me:
> .  if the failover really does as documented especially how much time - they
> wrote 15 to 45 seconds - 
>    the standby unit really need to take a switchover,

The one time we've had a failure (IP conflict) it took about 30 seconds for it 
switch over, maybe less.
 
> .  is it noticeable  how much performance overhead the primary unit needs to
> pass the state information to       
>    the standby unit, 

Not noticed anything. Then again the 515-UR is supposed to handle 
170Mbps and we only have a 100Mbps network.
 
> .  and what applications are not handeled if a failover occurs.

When failover occurs the backup PIX is an exact duplicate of the primary PIX 
at the last update it received. Only a few connections may be lost, but we 
didn't notice these on our PIX when it switched.

What you need to be very careful of is taking out both PIX's. We have 
managed this - one of our IT guys set up a new PC with the same internal IP 
address as the primary PIX so it went down, the failover kicked in and 
changed it's settings to match the primary, so it went down as well. We 
turned off the new PC, restarted both PIX, and kicked the IT guy :) Total 
downtime of about 2 minutes.

Dan

---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
   http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
Re: PIX stateful configuration

Reply via email to
