actually......... no?? When I was doing a spec for failover on PIX I'm practically sure that state was passed between the boxes.
The serial cable and network cable connecting them is used for this. from the link: http://www.cisco.com/warp/customer/110/failover.html#state Stateful Failover Without retaining PIX stateful information, after a switchover all existing connections are dropped and the application is required to reinitiate. In the PIX Software 5.0 release, PIX provides stateful failover so that existing connection can stay up after a switchover. To support the stateful failover, a dedicated LAN interface between the two PIX devices is required. The Logical Update (LU) is the software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application. The LU transport is UDP-like, with no retransmission and no blocking applications to delay normal packet processing. The state update packets are transmitted asynchronously in the background. Nevertheless, the LU protocol is real-time, and it provides error notification and reports missing state updates for monitoring purposes. Initial state synchronization is performed after configuration replication. This is done by walking through the translation and connection table records. After that, a state update may be triggered. PIX address translation (xlate, static and dynamic) and connection (conn) records are essential state data, and are passed to the standby unit from the active unit along with other state information. Since failover can not be prescheduled, the state update for the connection is packet-based. This means every packet passes through the PIX and changes the state of a connection, which may trigger a state update. TCP state tables, with the exception of port 80 (HTTP), are transferred. Most UDP state tables are not transferred, with the exception of dynamically opened ports corresponding to multi-channel protocols such as H.323. So, DNS resolves are not transferred as it is a single channel port. There are applications that are latency sensitive, and in some cases the application times out before the failover sequence is completed. In these cases, the application must reestablish the session. Stateful failover does not yet support Long Distance State Sharing (LDSS). So PIX can be stateful when properly configured - or did I miss something in the thread?? Kevin Wigle ----- Original Message ----- From: "Circusnuts" To: Sent: Monday, 19 November, 2001 22:11 Subject: Re: Is Pix failover can be Load balancer ? [7:26673] > Be careful how you load balance. Unlike the Check Point's stateful setup, > Pix does not maintain state on both boxes, when running as parallel devices. > Also- the purchase agreement and software are for primary and failover > units. There is a sizable discount applied to the failover Pix. The state > issue means some sort of hash must be passed between the load balancers > sandwiching the Pix's. This hash ensures sourced traffic returns to the > same firewall that the session created state in. > > Make sense ??? > Phil > > ----- Original Message ----- > From: "nrf" > To: > Sent: Monday, November 19, 2001 9:45 PM > Subject: Re: Is Pix failover can be Load balancer ? [7:26673] > > > > You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP, > > Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a > "firewall > > sandwich". Mmmm, tasty. > > > > > > > > > > > > > > ""Sivarajan Thiruvadi"" wrote in message > > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > Hi Pals > > > > > > I wish to know wheather 2 cisco pix firewalls can be configured for > > > redundancy > > > as well as Load balancing. > > > > > > In general failover means in case of active PIX fails the stand by one > > will > > > come into line. > > > But my customer wants FWLB (Fire wall load balancing). > > > If any one has idea on this please help me. > > > > > > Thanks and regards > > > Siva Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26793&t=26673 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
