[fw-wiz] Concentrator inside of paired failover firewalls.

vbwilliams at neb.rr.com
Fri Sep 22 16:29:01 EDT 2006


Sorry...but something doesn't seem right about this.

First, I was under the impression that by *default*, the actual failover
cable (the green thing that comes with all PIX firewalls) was what the
PIX used to do failover.  All the crossover cable or LAN connection did
was keep track of state information.  If you didn't have a LAN cable to
do that, none of your failovers would be stateful.  In other words, with
the LAN or crossover connection there, if a firewall dies in the middle
of a file download or something, it will basically pause for a second,
then the failover firewall will pick up where the primary left off (this
all assuming whatever is going on is TCP-based)...also assuming 6.3.x
codeset.

So, what I'm getting at is that I believe the assertion that if your
crossover cable goes bad or whatever, making both firewalls think they
are the master, is wrong.  That is the whole reason you have a
configuration in there that tells both firewalls to ignore the status on
that particular NIC...all it's used for is to transfer state back and
forth.  If that NIC fails on either firewall, they don't keep switching
status(es)...the primary remains the primary, the failover remains the
failover...all you lose is the ability to do stateful TCP failover
(keeping your connections intact in the event of a device failure).

Crossover cable or LAN-based connection doesn't matter.  It accomplishes
the same thing.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

It says in that link:

"If the active unit fails, the standby unit takes over. The following
situations cause a failover to occur if they affect the active unit, but
not the standby unit:

• Network failure

• PIX Firewall hardware failure

• Power loss or reload"

I interpret that to mean that if the SAME thing happens to both units,
they still continue to run as-is.  If the cross-over cable goes bad,
that is a bad link on both firewalls.  That means they still run as-is.
Primary is active, failover is standby.


----- Original Message -----
From: Aaron Smith <smitha at byui.edu>
Date: Friday, September 22, 2006 1:20 pm
Subject: Re: [fw-wiz] Concentrator inside of paired failover firewalls.
To: Firewall Wizards Security Mailing List
<firewall-wizards at listserv.cybertrust.com>

> On Sun, 2006-09-17 at 16:35 -0700, Carson Gaspar wrote:
> > There are _zero_ reliable commercial HA solutions that will go
> > insane if you use a cross-over cable and they both lose link at the
> > same time.
> 
> So, PIX is not a reliable commercial solution then.  OK.
> 
> > If you use 2 switches, and the trunk between them fails, both
> > devices think they are "up" (yes, you can use multiple trunks, but
> > you can use multiple x-overs as well - keep it apples to apples). If
> > you use a cross-over cable, and it fails, both devices think they
> > are "down". Any decent HA system can handle both failure modes.
> 
> Then PIX is also not a decent HA system.  Great.
> 
> > If an HA system _can't_ handle both failure modes, it's crap and you
> > shouldn't buy it.
> 
> PIX (using IP failover) is crap.  I get it now.
> 
> As a final note, using a crossover cable with a PIX is very stupid.
> If you keep the pair in the same room then use the failover cable.
> IP-based failover is useful if the PIX pair is geographically
> separated, in which case they'd most likely be homed to different
> switches.  Which was my initial point.
> 
> @@ron Smith
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> 