By my reading of that, state information is transferred from the active to
the standby - not vice versa. So although state info is passed for
failover purposes, I don't think that this would be adequate for load
balancing. For failover, the boxes aren't running in parallel in the same
way that they are for load balancing.
But hey, I know nothing about PIXs, so anyone feel free to tell me I'm
spouting rubbish.
JMcL
----- Forwarded by Jenny Mcleod/NSO/CSDA on 20/11/2001 03:51 pm -----
From: "Kevin Wigle"
Sent by: nobody@groupstudy.com
Date: 20/11/2001 02:53 pm
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]
Please respond to "Kevin Wigle"
actually......... no??
When I was doing a spec for failover on PIX I'm practically sure that state
was passed between the boxes.
The serial cable and network cable connecting them is used for this.
from the link: http://www.cisco.com/warp/customer/110/failover.html#state
Stateful Failover
Without retaining PIX stateful information, after a switchover all existing
connections are dropped and the application is required to reinitiate. In
the PIX Software 5.0 release, PIX provides stateful failover so that
existing connections can stay up after a switchover.
To support the stateful failover, a dedicated LAN interface between the two
PIX devices is required. The Logical Update (LU) is the software module that
provides transport to PIX applications supporting stateful failover. The
state update occurs from the active to standby through the LAN interface.
The state update sent to the standby PIX is triggered by the application.
The LU transport is UDP-like, with no retransmission and no blocking
applications to delay normal packet processing. The state update packets are
transmitted asynchronously in the background. Nevertheless, the LU protocol
is real-time, and it provides error notification and reports missing state
updates for monitoring purposes.
Initial state synchronization is performed after configuration replication.
This is done by walking through the translation and connection table
records. After that, a state update may be triggered.
PIX address translation (xlate, static and dynamic) and connection (conn)
records are essential state data, and are passed to the standby unit from
the active unit along with other state information. Since failover cannot
be prescheduled, the state update for the connection is packet-based. This
means every packet that passes through the PIX and changes the state of a
connection may trigger a state update.
TCP state tables, with the exception of port 80 (HTTP), are transferred.
Most UDP state tables are not transferred, with the exception of dynamically
opened ports corresponding to multi-channel protocols such as H.323. So, DNS
resolves are not transferred as it is a single channel port.
There are applications that are latency sensitive, and in some cases the
application times out before the failover sequence is completed. In these
cases, the application must reestablish the session.
Stateful failover does not yet support Long Distance State Sharing (LDSS).
So PIX can be stateful when properly configured - or did I miss something in
the thread??
Kevin Wigle
----- Original Message -----
From: "Circusnuts"
To:
Sent: Monday, 19 November, 2001 22:11
Subject: Re: Is Pix failover can be Load balancer ? [7:26673]
> Be careful how you load balance. Unlike the Check Point's stateful setup,
> Pix does not maintain state on both boxes, when running as parallel devices.
> Also- the purchase agreement and software are for primary and failover
> units. There is a sizable discount applied to the failover Pix. The state
> issue means some sort of hash must be passed between the load balancers
> sandwiching the Pix's. This hash ensures sourced traffic returns to the
> same firewall that the session created state in.
>
> Make sense ???
> Phil
>
> ----- Original Message -----
> From: "nrf"
> To:
> Sent: Monday, November 19, 2001 9:45 PM
> Subject: Re: Is Pix failover can be Load balancer ? [7:26673]
>
>
> > You need to get yourself some real load-balancers (i.e. CSS, F5 BigIP,
> > Foundry ServerIron, Alteon Acedirector, etc.) and make yourself a
> > "firewall sandwich". Mmmm, tasty.
> >
> > "Sivarajan Thiruvadi" wrote in message news:[EMAIL PROTECTED]...
> > > Hi Pals
> > >
> > > I wish to know whether 2 cisco pix firewalls can be configured for
> > > redundancy as well as load balancing.
> > >
> > > In general failover means in case the active PIX fails the standby one
> > > will come into line.
> > > But my customer wants FWLB (firewall load balancing).
> > > If anyone has an idea on this please help me.
> > >
> > > Thanks and regards
> > > Siva
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26800&t=26673
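Phil's point about the load balancers "sandwiching" the PIXs needing a hash that sends return traffic back to the firewall holding the session state is worth seeing in code, since the Cisco excerpt above only describes state being pushed from active to standby, not between boxes running in parallel. The following is an added example, not code from anyone in this thread or from Cisco; the firewall names, the use of SHA-256 as the hash, and the sample flows are all constructed. It models two balancers that each hash independently, and shows why the hash must be direction-independent (the same for a packet and its reply) when the firewalls do not share connection tables.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a session as seen by a load balancer (constructed sample data)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        # The reply packet of this session: endpoints swapped.
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def directional_key(self) -> str:
        # Naive key: depends on which side is "source", so the reply
        # direction of the same session hashes to a different value.
        return f"{self.proto}|{self.src_ip}:{self.src_port}|{self.dst_ip}:{self.dst_port}"

    def symmetric_key(self) -> str:
        # Direction-independent key: sort the two endpoints so both
        # directions of the session produce the same string.
        lo, hi = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return f"{self.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_firewall(flow: Flow, firewalls: list, symmetric: bool = True) -> str:
    """Hash the flow onto one of the firewalls in the sandwich (hypothetical names)."""
    key = flow.symmetric_key() if symmetric else flow.directional_key()
    digest = hashlib.sha256(key.encode()).digest()
    return firewalls[int.from_bytes(digest[:8], "big") % len(firewalls)]


def simulate_sandwich(flows: list, firewalls: list, symmetric: bool) -> int:
    """Model two load balancers around firewalls that do NOT share state.

    The inside balancer hashes the outbound packet to a firewall, which
    creates a conn entry on that box only.  The outside balancer
    independently hashes the reply.  A reply that lands on a firewall with
    no matching conn entry is dropped.  Returns the number of dropped replies.
    """
    conn_tables = {fw: set() for fw in firewalls}
    dropped = 0
    for flow in flows:
        outbound_fw = pick_firewall(flow, firewalls, symmetric)
        conn_tables[outbound_fw].add(flow.symmetric_key())  # state exists here only
        reply_fw = pick_firewall(flow.reverse(), firewalls, symmetric)
        if flow.symmetric_key() not in conn_tables[reply_fw]:
            dropped += 1
    return dropped


def sample_flows(n: int = 200) -> list:
    # Constructed sample: n client sessions to one HTTPS server.
    return [Flow("tcp", f"10.0.0.{i % 250 + 1}", 40000 + i, "192.0.2.10", 443) for i in range(n)]


if __name__ == "__main__":
    fws = ["pix-a", "pix-b"]  # hypothetical firewall names
    print("naive hashing, replies dropped:", simulate_sandwich(sample_flows(), fws, symmetric=False))
    print("symmetric hashing, replies dropped:", simulate_sandwich(sample_flows(), fws, symmetric=True))
```

With the naive per-direction key, roughly half the replies land on the wrong PIX and are dropped; with the symmetric key, none are. Real load balancers do this with their own flow-hashing or persistence features rather than SHA-256, but the property they must provide is the same: packet and reply hash to the same firewall.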