Firewall Wizards mailing list archives
Re: Concentrator inside of paired failover firewalls.
From: vbwilliams () neb rr com
Date: Fri, 22 Sep 2006 15:29:01 -0500
Sorry...but something doesn't seem right about this. First, I was under the impression that by *default*, the actual failover cable (the green thing that comes with all PIX firewalls) was what the PIX used to do failover. All the crossover cable or LAN connection did was keep track of state information. If you didn't have a LAN cable to do that, none of your failovers would be stateful. In other words, with the LAN or crossover connection there, if a firewall dies in the middle of a file download or something, it will basically pause for a second, then the failover firewall will pick up where the primary left off (this all assuming whatever is going on is TCP-based)...also assuming 6.3.x codeset.

So, what I'm getting at is that I believe the assertion that if your crossover cable goes bad or whatever, making both firewalls think they are the master, is wrong. That is the whole reason you have a configuration in there that tells both firewalls to ignore the status on that particular NIC...all it's used for is to transfer state back and forth. If that NIC fails on either firewall, they don't keep switching status(es)...the primary remains the primary, the failover remains the failover...all you lose is the ability to do stateful TCP failover (keeping your connections intact in the event of a device failure). Crossover cable or LAN-based connection doesn't matter. It accomplishes the same thing.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

It says in that link:

"If the active unit fails, the standby unit takes over. The following situations cause a failover to occur if they affect the active unit, but not the standby unit:
• Network failure
• PIX Firewall hardware failure
• Power loss or reload"

I interpret that to mean that if the SAME thing happens to both units, they still continue to run as-is. If the cross-over cable goes bad, that is a bad link on both firewalls. That means they still run as-is. Primary is active, failover is standby.

----- Original Message -----
From: Aaron Smith <smitha () byui edu>
Date: Friday, September 22, 2006 1:20 pm
Subject: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv cybertrust com>

On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:

> There are _zero_ reliable commercial HA solutions that will go insane if you use a cross-over cable and they both lose link at the same time.

So, PIX is not a reliable commercial solution then. OK.

> If you use 2 switches, and the trunk between them fails, both devices think they are "up" (yes, you can use multiple trunks, but you can use multiple x-overs as well - keep it apples to apples). If you use a cross-over cable, and it fails, both devices think they are "down". Any decent HA system can handle both failure modes.

Then PIX is also not a decent HA system. Great.

> If an HA system _can't_ handle both failure modes, it's crap and you shouldn't buy it.

PIX (using IP failover) is crap. I get it now.

> As a final note, using a crossover cable with a PIX is very stupid. If you keep the pair in the same room then use the failover cable. IP-based failover is useful if the PIX pair is geographically separated, in which case they'd most likely be homed to different switches.

Which was my initial point.

@@ron Smith

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards