From: Tarun Pahuja (pahujat@gmail.com)
Date: Fri Mar 23 2007 - 11:31:06 ART
Andre,
You brought up a very good question. I will try to answer
it. Stateful failover might sound magical but has limitations.
There are applications that are latency sensitive, and in some cases the
application times out before the failover sequence is completed. In these
cases, the application must reestablish the session. In version
6.0 and later, you can use the command failover replicate http in order to
enforce TCP port 80 state replication which is not done by default. DNS
resolves are not transferred as it is a single channel port. Most UDP state
tables are not transferred.
A good rule of thumb is to expect the standby to take 10 seconds to take
over using
stateful failover. Without stateful failover it can take up to a minute to
reestablish connections.
One of the caveats about the stateful failover is what causes the failover.
If you have failover hello set to the maximum of 15 seconds and the inside
interface goes bad, then the standby does not declare that the primary has
failed until it misses at least two hellos, 30 seconds. Some people set the
failover hellos to the minimum of 3 seconds but then the PIX can failover
unnecessarily. Cisco recommends that you set the hello
to the maximum of 15 seconds.
Hope that Helps.
Thanks,
Tarun Pahuja
CCIE #7707(R&S,Security,SP,Voice,Storage)
*Andre Dufour <andremd4@gmail.com>* wrote:
Hello,
I have a quick question. Why would a company not want to have stateful
failover implemented? What would be some reasons or risks of enabling
stateful-based failover? Take a look at the below example of a set of PIX
535s. Any info would be greatly appreciated. They have the additional
interfaces to do this.
Regards,
Andre
xxxxxxxxxxxx# show fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
Last Failover at: 08:55:14 ESDT Sun Mar 18 2007
This host: Secondary - Active
Active time: 173955 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 (0.0.0.0): Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal
Other host: Primary - Standby
Active time: 798 (sec)
Interface syslog (10.x.x.x): Normal
Interface intf2 (0.0.0.0): Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal
*Stateful Failover Logical Update Statistics
Link : Unconfigured.*
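
Added example, not part of the original thread: a Python check over the `show fail` output posted above (abridged here), which flags the unconfigured stateful link and applies the two-missed-hellos rule stated in the reply. The function name `audit_failover`, the `MAX_HELLO` constant and the finding strings are this example's own assumptions.

```python
import re

# Abridged from the "show fail" output quoted in the thread (addresses masked as posted).
SAMPLE = """\
Failover On
Poll frequency 3 seconds
Last Failover at: 08:55:14 ESDT Sun Mar 18 2007
This host: Secondary - Active
Active time: 173955 (sec)
Interface intf2 (0.0.0.0): Link Down (Shutdown)
Interface inside (192.168.x.x): Normal
Interface outside (192.168.x.x): Normal
Other host: Primary - Standby
Active time: 798 (sec)
Interface inside (192.168.x.x): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

MAX_HELLO = 15  # seconds; the maximum hello interval named in the reply

def audit_failover(text):
    """Parse one unit's failover status; return (facts, findings)."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.groups() if m else None

    poll = grab(r"^Poll frequency (\d+) seconds")
    link = grab(r"^\*?Stateful Failover[^\n]*\n\s*Link\s*:\s*(\w+)")
    facts = {
        "this_host": grab(r"^This host: (\w+) - (\w+)"),
        "poll": int(poll[0]) if poll else None,
        "stateful_link": link[0] if link else None,
        "down": re.findall(r"^Interface (\S+) \([^)]*\): (?!Normal)(.+)$", text, re.M),
    }
    findings = []
    if facts["stateful_link"] == "Unconfigured":
        findings.append("no stateful link: sessions are re-established after a failover")
    if facts["poll"] is not None:
        # Per the reply, a peer is declared failed after two missed hellos.
        facts["detect_seconds"] = 2 * facts["poll"]
        if facts["poll"] < MAX_HELLO:
            findings.append(f"hello {facts['poll']}s is below {MAX_HELLO}s: "
                            "the reply warns short hellos can fail over unnecessarily")
    if facts["this_host"] == ("Secondary", "Active"):
        findings.append("secondary unit is active: the primary is not carrying traffic")
    return facts, findings

if __name__ == "__main__":
    print("\n".join(audit_failover(SAMPLE)[1]))
```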
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART