Sorry Kevin- what I meant to speak to was "clustering" and not failover. Yes- Pix's are designed to failover and the standby device is a replicated backup, running in parallel by a very expensive cable (something like $250 for that cable). If I'm not mistaken, the Pix fail time is 15 seconds. The Firewall 1 Nokia IP530's we tested had the ability to load share across the cluster and maintain state between all firewalls. Asymmetrical routing is supported and no one device offers a single point of failure. Cisco uses the primary and backup (or hot standby), but makes up for the cluster by producing boxes so wicked fast that you only need one running @ a time.
The original post was about balancing two Pix's and the Pix to date needs something like the Cisco/ArrowPoint CSS, Radware Fireproof, BigIP, Rainfinity, or StoneSoft to control which firewall each user session will traverse.

All the best !!!
Phil

----- Original Message -----
From: "Kevin Wigle"
To: "Circusnuts" ;
Sent: Monday, November 19, 2001 10:54 PM
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]

> actually......... no??
>
> When I was doing a spec for failover on PIX I'm practically sure that state was passed between the boxes.
>
> The serial cable and network cable connecting them is used for this.
>
> from the link: http://www.cisco.com/warp/customer/110/failover.html#state
>
> Stateful Failover
> Without retaining PIX stateful information, after a switchover all existing connections are dropped and the application is required to reinitiate. In the PIX Software 5.0 release, PIX provides stateful failover so that existing connections can stay up after a switchover.
>
> To support the stateful failover, a dedicated LAN interface between the two PIX devices is required. The Logical Update (LU) is the software module that provides transport to PIX applications supporting stateful failover. The state update occurs from the active to standby through the LAN interface. The state update sent to the standby PIX is triggered by the application. The LU transport is UDP-like, with no retransmission and no blocking applications to delay normal packet processing. The state update packets are transmitted asynchronously in the background. Nevertheless, the LU protocol is real-time, and it provides error notification and reports missing state updates for monitoring purposes.
>
> Initial state synchronization is performed after configuration replication. This is done by walking through the translation and connection table records. After that, a state update may be triggered.
>
> PIX address translation (xlate, static and dynamic) and connection (conn) records are essential state data, and are passed to the standby unit from the active unit along with other state information. Since failover cannot be prescheduled, the state update for the connection is packet-based. This means every packet passes through the PIX and changes the state of a connection, which may trigger a state update.
>
> TCP state tables, with the exception of port 80 (HTTP), are transferred. Most UDP state tables are not transferred, with the exception of dynamically opened ports corresponding to multi-channel protocols such as H.323. So, DNS resolves are not transferred as it is a single channel port.
>
> There are applications that are latency sensitive, and in some cases the application times out before the failover sequence is completed. In these cases, the application must reestablish the session.
>
> Stateful failover does not yet support Long Distance State Sharing (LDSS).
>
> So PIX can be stateful when properly configured - or did I miss something in the thread??
>
> Kevin Wigle
>
> ----- Original Message -----
> From: "Circusnuts"
> To:
> Sent: Monday, 19 November, 2001 22:11
> Subject: Re: Is Pix failover can be Load balancer ? [7:26673]
>
> > Be careful how you load balance. Unlike the Check Point's stateful setup, Pix does not maintain state on both boxes, when running as parallel devices. Also- the purchase agreement and software are for primary and failover units. There is a sizable discount applied to the failover Pix. The state issue means some sort of hash must be passed between the load balancers sandwiching the Pix's. This hash ensures sourced traffic returns to the same firewall that the session created state in.
> >
> > Make sense ???
> > Phil
> >
> > ----- Original Message -----
> > From: "nrf"
> > To:
> > Sent: Monday, November 19, 2001 9:45 PM
> > Subject: Re: Is Pix failover can be Load balancer ? [7:26673]
> >
> > > You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP, Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a "firewall sandwich". Mmmm, tasty.
> > >
> > > "Sivarajan Thiruvadi" wrote in message news:[EMAIL PROTECTED]...
> > > > Hi Pals
> > > >
> > > > I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing.
> > > >
> > > > In general failover means in case of active PIX fails the stand by one will come into line.
> > > > But my customer wants FWLB (Firewall load balancing).
> > > > If any one has idea on this please help me.
> > > >
> > > > Thanks and regards
> > > > Siva

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26797&t=26673
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
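The two designs argued over in this thread, the "firewall sandwich" (where the load balancers must hash each flow so that the reply comes back through the firewall that holds its state) and active/standby stateful failover (where only connection records replicated to the standby survive a switchover), are easy to get wrong in ways that only show up as dropped return traffic. The toy model below is an added illustration written for this page; it is not Cisco, Check Point or load-balancer code. The addresses, the "inside" prefix, the per-source hash and the replication policy (TCP replicated except port 80, plain UDP such as DNS not replicated) are assumptions taken from the thread's own description and simplified.

```python
"""Toy model of the two designs discussed in the thread: a firewall
sandwich with symmetric flow hashing, and active/standby stateful failover.
Constructed illustration; not vendor code.  Hosts, addresses and the
replication policy are assumptions drawn from the quoted Cisco text."""
import hashlib
from dataclasses import dataclass

INSIDE_PREFIX = "10."  # assumption: anything in 10/8 is the protected side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def flow_key(pkt):
    """Direction-independent flow identifier: sort the two endpoints so the
    request and its reply map to the same key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class StatefulFirewall:
    """Forwards outbound packets (creating state) and only those inbound
    packets that match a connection record it already holds."""

    def __init__(self, name):
        self.name = name
        self.conns = {}  # flow_key -> packet that opened the connection

    def forward(self, pkt):
        key = flow_key(pkt)
        if pkt.src.startswith(INSIDE_PREFIX):
            self.conns[key] = pkt  # outbound: create or refresh state
            return True
        return key in self.conns  # inbound: must match existing state


# --- (1) firewall sandwich: which firewall does each direction hit? --------

def per_source_hash(pkt, n):
    """Naive selector keyed on source address only (last octet, so the
    outcome is easy to follow).  The two directions of one flow have
    different sources, so they can land on different firewalls."""
    return int(pkt.src.split(".")[-1]) % n


def symmetric_hash(pkt, n):
    """Selector keyed on the canonical flow key: both directions agree."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).hexdigest()
    return int(digest, 16) % n


def sandwich_round_trip(selector, n_firewalls=2):
    """Send one request out and its reply back through the sandwich.
    Returns (firewall used outbound, firewall used for reply, reply forwarded)."""
    fws = [StatefulFirewall(f"pix{i}") for i in range(n_firewalls)]
    req = Packet("10.0.0.1", 40000, "203.0.113.2", 80)  # constructed flow
    rep = Packet("203.0.113.2", 80, "10.0.0.1", 40000)
    out_fw = selector(req, n_firewalls)
    fws[out_fw].forward(req)
    ret_fw = selector(rep, n_firewalls)
    return fws[out_fw].name, fws[ret_fw].name, fws[ret_fw].forward(rep)


# --- (2) active/standby stateful failover: what survives a switchover? -----

def replicated(pkt):
    """Simplified version of the policy the quoted Cisco text describes:
    TCP records go to the standby except HTTP (port 80); plain UDP does not."""
    if pkt.proto == "tcp":
        return 80 not in (pkt.sport, pkt.dport)
    return False


class FailoverPair:
    """Active unit forwards traffic and pushes eligible connection records to
    the standby (the dedicated state link is modelled as a dict copy)."""

    def __init__(self):
        self.active = StatefulFirewall("active")
        self.standby = StatefulFirewall("standby")

    def forward(self, pkt):
        ok = self.active.forward(pkt)
        key = flow_key(pkt)
        if ok and key in self.active.conns and replicated(pkt):
            self.standby.conns[key] = pkt  # LU-style state update
        return ok

    def switchover(self):
        """Standby takes over; whatever was never replicated is lost."""
        self.active, self.standby = self.standby, self.active
        self.standby.conns.clear()


def failover_survivors():
    """Open three outbound sessions, fail over, then try each reply.
    Returns {session name: reply forwarded after switchover}."""
    pair = FailoverPair()
    sessions = {  # constructed flows
        "ssh": Packet("10.0.0.5", 50001, "203.0.113.9", 22),
        "http": Packet("10.0.0.5", 50002, "203.0.113.9", 80),
        "dns": Packet("10.0.0.5", 50003, "203.0.113.53", 53, "udp"),
    }
    for pkt in sessions.values():
        pair.forward(pkt)
    pair.switchover()
    return {name: pair.forward(Packet(p.dst, p.dport, p.src, p.sport, p.proto))
            for name, p in sessions.items()}


if __name__ == "__main__":
    print("per-source hash:", sandwich_round_trip(per_source_hash))
    print("symmetric hash: ", sandwich_round_trip(symmetric_hash))
    print("after failover: ", failover_survivors())
```

With the per-source selector the request leaves through pix1 and the reply is steered to pix0, which has no record of the session and drops it; with the symmetric selector both directions agree and the reply passes. After the switchover only the SSH session still has a record on the new active unit; the HTTP and DNS replies are dropped and those clients have to reconnect, which is the behaviour the quoted Cisco text warns about.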

