On Sat, 1 Apr 2000, Micheal Espinola Jr wrote:
> I am about to deploy 515R's between two different organizations for security
> and VPN purposes.
>
> Could you please detail the issues you have had with your 515's? I may have
> enough time to change vendors if this is an issue that relates to my
> scenario.

We use the PIX solely for doing 1:1 NAT, no filtering, nothing else.
Basically standard setup and then a "global" line. We have residential
customers (approx 200 of them) behind this, all on 10mbit ethernet. The
PIX515 is connected using 100mbit on both ports and traffic flows thru it.
Normal traffic is 1-8 megabytes of traffic with peaks in the 15-20 mbit
range.

Three sites, with hang frequency approximately matching site size. The one
I am referring to above hangs on average 1-4 times a week, but can be as
much as 3-4 times in two hours (has happened a few times). We have
installed a phone-based power switch to be able to remotely hard reset the
thing until we find a better solution.

The largest site was replaced by two 520s in hot standby mode two weeks
ago, and that seems to work much better.

I know several others that have had the same kind of problems and we have
tried new upgrades (4.4.1, 4.4.2 and 4.4.4) and all of them suffer from
the same problem. Cisco here basically tells us we needed a larger unit. I
do not find that acceptable; these kinds of devices may overload but they
should never never freeze. With 4.4.[12] they sometimes locked in some
kind of weird mode making them send a lot of packets outwards; last time
it happened it was 92mbit. Flooded our internet line badly. Haven't seen
this with 4.4.4 though.

On the up side a Cisco representative contacted me after I wrote my last
email saying they had been working on the problem and thought they had a
solution now.

Personally, I'd never install a single PIX firewall again. I have no trust
whatsoever in the stability of the product, so if I am going to have one
anywhere, it's going to have to be two in hot standby mode and well
monitored. I'd go for the 520 also, seems more solid than the 515. I don't
have any personal experience of the 520 though.

--
Mikael Abrahamsson email: [EMAIL PROTECTED]