I have deployed the PIX on a couple of big web sites and lately it has been
working fairly well. There are some issues though. The PIX 515 is definitely
not meant for sites with heavy traffic, if you have more than 2-3Mbs sustained
the 515 won't cut it. The 520 is much more powerful and can easily handle
100Mbs traffic. As far as the version of the software goes, 5.1 seems to be very stable,
although it has some problems if you want to use the access-list statement.
I agree with your statement about the 515: I wouldn't buy it either because
I was burned recently. The 520 instead is a very good product.
--
Alberto U. Begliomini Email: [EMAIL PROTECTED]
Coldstone Consulting, LLC Phone: 650-400-3990
Internet Technologies, Security, Systems Management Fax: 650-654-5938
Mikael Abrahamsson wrote:
>
> On Sat, 1 Apr 2000, Micheal Espinola Jr wrote:
>
> > I am about to deploy 515R's between two different organizations for security
> > and VPN purposes.
> >
> > Could you please detail the issues you have had with your 515's? I may have
> > enough time to change vendors if this is an issue that relates to my
> > scenario.
>
> We use the PIX solely for doing 1:1 NAT, no filtering, nothing else.
> Basically standard setup and then a "global" line. We have residential
> customers (approx 200 of them) behind this, all on 10mbit ethernet. The
> PIX515 is connected using 100mbit on both ports and traffic flows thru it.
> Normal traffic is 1-8 megabytes of traffic with peaks in the 15-20 mbit
> range.
>
> Three sites, with hang frequency approximately matching site size. The one
> I am referring to above hangs on average 1-4 times a week, but can be as
> much as 3-4 times in two hours (has happened a few times). We have
> installed a phone based power switch to be able to remotely hard reset the
> thing until we found a better solution.
>
> The largest site was replaced by two 520:s in hot standby mode two weeks
> ago, and that seems to work much better.
>
> I know several others that have had the same kind of problems and we have
> tried new upgrades (4.4.1, 4.4.2 and 4.4.4) and all of them suffer from
> the same problem. Cisco here basically tells us we needed a larger unit. I
> do not find that acceptable, these kinds of devices may overload but they
> should never never freeze. With 4.4.[12] they sometimes locked in some
> kind of weird mode making them send a lot of packets outwards, last time
> it happened it was 92mbit. Flooded our internet line badly. Haven't seen
> this with 4.4.4 though.
>
> On the up side a Cisco representative contacted me after I wrote my last
> email saying they had been working on the problem and thought they had a
> solution now.
>
> Personally, I'd never install a single PIX firewall again, I have no trust
> whatsoever in the stability of the product, so if I am going to have one
> anywhere, it's going to have to be two in hot standby mode and well
> monitored. I'd go for the 520 also, seems more solid than the 515. I don't
> have any personal experience of the 520 though.
>
> --
> Mikael Abrahamsson email: [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]