the 535/525 runs stateful transfer over a gig-ethernet port, in fact it HAS to run over gig-e if you are using the other gig-e interfaces since how can you transfer state for 100+ Mb of traffic over a 10/100 link?
the prep guide that comes with your pix shows the pin-outs for serial cable, presumably to build one if you need to though each pix comes with a standby cable. i'm sure that the pins must raise/drop line with it's partner, however to complete the picture remember that "hello's" are sent over each NETWORK INTERFACE as well; if a hello is missed in the timeout period then it consults the serial cable to determine if a fault has occurred and adjusts accordingly. don't use a firewall for multi-site failover, that's NOT the intended purpose. you have a host of other alternatives, mostly dealing with "global" load balancing either in hardware/software (f5/extreme/foundry/cisco local director) or software (resonate). these kinds of solutions spread agents across sites, munge dns and do nifty things with icmp to get you "best" performance and true fault tolerance. i'd say that pix failover is intra-site only. i'd imagine that the "stateful" information passed over the failover LINK (not cable) has to do with maintaining the xlate tables, i'd be terribly surprised if actual data packets were sent as that would not be necessary to keeping state. i'd be interested in finding out for sure. anyone comfortable with splicing fiber? :) bt ""Francisco Quiroz Collazo"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... | Thanks folks | Now I see, Unless cisco have a New version that support the failover working | only with the fastethernet link, there's no cable as long as I need to make | this possible. | | Thanks for all your ideas. | | | ----- Original Message ----- | From: Allen May | To: | Sent: Monday, February 11, 2002 2:53 PM | Subject: Re: PIX's statefull failover, but in diferent locations [7: | [7:35135] | | | > Seems to me it would slow down the PIX big time if the failover link were | > slow. I have no idea what speed it runs. It's run from the 10/100 port | but | > with the pinouts I have no idea what it requires. If there are tons of | > translations going on then to remain stateful it must send all of that | info | > to the other PIX in real-time. | > | > Although I do see the practicality in having this feature & would love to | > see it. Failover spanning more than one site is the only true failover to | > survive fires or some other isolated natural disaster. | > | > Which raises another question though....could this data be sniffed for | > anything of value if it's only info to keep it stateful? Anybody know | > what's in that data stream exactly? | > | > Allen | > | > ----- Original Message ----- | > From: "Patrick Ramsey" | > To: | > Sent: Monday, February 11, 2002 1:50 PM | > Subject: Re: PIX's statefull failover, but in diferent locations [7: | > [7:35130] | > | > | > > well...earlier in the list it had been said that cisco was implementing | > this | > > into their newer code... (so failover was across ethernet instead of | > > failover goign through serial) I'm not sure if it has been implemented | as | > a | > > solid feature or if it is still in beta... (if it even exists) | > > | > > the problem is that the two firewalls use the serial connection to xfer | > > config data and a separate failover link to monitor uptime | (ethernet).... | > > so...the answer is this: | > > | > > If you are runnign the latest a 'greatest' from cisco and they have | indeed | > > implemented complete ethernet failover, then go check out their TAC and | > see | > > if it is capable of going across the wan.... otherwise, the answer is no | > > because the serial cable is only a few feet in length... :) | > > | > > NOW... it has been theorized that you could use a term server for this | > > connection (and run the conenction across the WAN) but never been | > tested.. | > > :) | > > | > > Patrick Ramsey | > > Sr. Network Engineer | > > WellStar Health Systems | > > 770.956.6338 | > > | > > >>> "Allen May" 02/11/02 02:04PM >>> | > > It's not a straight through RJ45 cable running between the 2 so I doubt | a | > > repeater would work for that. What are you trying to accomplish? Is it | > > anything a couple of routers could handle with the PIX's running behind | > > them? | > > | > > Allen | > > ----- Original Message ----- | > > From: "Francisco Quiroz Collazo" | > > To: | > > Sent: Monday, February 11, 2002 12:07 PM | > > Subject: PIX's statefull failover, but in diferent locations [7:35112] | > > | > > | > > > Have ever any of you configure a statefull failover between two pix's | > > > separated by a wan. I mean, it is possible this configuration if those | > > pix4s | > > > are in different facilities, 20 Km between them? | > > > Thanks. | > > > | > > > Francisco Quiroz | > > >>>>>>>>>>>>> Confidentiality Disclaimer This email and any files | > transmitted with it may contain confidential and | > > /or proprietary information in the possession of WellStar Health System, | > > Inc. ("WellStar") and is intended only for the individual or entity to | > whom | > > addressed. This email may contain information that is held to be | > > privileged, confidential and exempt from disclosure under applicable | law. | > If | > > the reader of this message is not the intended recipient, you are hereby | > > notified that any unauthorized access, dissemination, distribution or | > > copying of any information from this email is strictly prohibited, and | may | > > subject you to criminal and/or civil liability. If you have received | this | > > email in error, please notify the sender by reply email and then delete | > this | > > email and its attachments from your computer. Thank you. | > > | > > ================================================================ | | | | | Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35174&t=35174 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
