https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291407#M588086 <HTML><HEAD></HEAD><BODY><P>Does anyone load-balancing PIXs with Alteon switches ?</P><P></P><P>Best Regards,</P><P>Engel</P></BODY></HTML> Thu, 06 Nov 2003 00:44:54 GMT engel 2003-11-06T00:44:54Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291402#M588079 <P>Is there, anywhere, some document that compares/contrasts setting up two PIX's in failover mode versus load balancing them as discussed in this document?</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_configuration_example09186a008009438c.shtml" target="_blank">http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_configuration_example09186a008009438c.shtml</A></P><P></P><P>I'm trying to figure out the benefits of doing the load-balanced configuration and weigh them against the cost of the CSS's.</P><P></P><P>Thank you.</P><P></P><P>-Mark Romer</P> Fri, 21 Feb 2020 07:04:46 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291402#M588079 mromer 2020-02-21T07:04:46Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291403#M588081 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Load balancing with firewall will/may not work and is not a good idea. Firewalls behaviour is statefull inspection so if a packet leaves from one firewall and enters other , it will get discarded.</P><P>Failover PIXen is for redundancy and high availability as you already aware.</P><P></P><P>Thanks,</P></BODY></HTML> Tue, 04 Nov 2003 22:14:43 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291403#M588081 nkhawaja 2003-11-04T22:14:43Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291404#M588082 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>The CSS's on either side of the firewalls maintain a flow for each connection, ensuring that all traffic within a TCP session travels through the same firewall.</P><P></P><P>We are using this load balancing configuration for our production web farm. What I'm trying to figure out is what we might lose if we reconfigured the two PIXs for failover and used a couple of the CSS's elsewhere.</P><P></P><P>-Mark</P></BODY></HTML> Tue, 04 Nov 2003 22:52:35 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291404#M588082 mromer 2003-11-04T22:52:35Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291405#M588084 <HTML><HEAD></HEAD><BODY><P>Mark,</P><P></P><P>As you have seen load balancing PIX's with the CSS's does work and we have many customers doing it. Your question, however is difficult to answer. As I am sure you know, the idea with load balancing the PIX's is too split the load across 2 seperate platforms. Failover and load balancing in the PIX's is going to be quite different. If you moved to a failover setup and config'ed stateful failover as well, you would gain the ability to maintain "state" if one of the firewalls went down. Meaning, sessions that were open through the active firewall would be replicated over to the stand-by firewall so when the failover ooccured, the end user would not necessarily know. I do not think you would currently have this ability in the load balanced setup. Of course, the biggest concern you are going to need to take a look at is whether one PIX can currently handle that load that you have 2 PIX's handling now. The biggest concern would probably be the connections. You can issue a 'sh conn count' to get a rough idea of how many conns wach PIX has at the time the command is run. Summing these numbers and comparing it to the numbers we provide for max conns on your platform can give you a rough idea of what to expect.</P><P></P><P>I know this is not the concrete answer you were looking for but hopefully it gives you some ideas on where to start. Good luck.</P><P></P><P>Scott</P></BODY></HTML> Wed, 05 Nov 2003 15:19:02 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291405#M588084 scoclayton 2003-11-05T15:19:02Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291406#M588085 <HTML><HEAD></HEAD><BODY><P>Thanks, Scott. That gives me a direction to look in, at least.</P><P></P><P>-Mark</P></BODY></HTML> Wed, 05 Nov 2003 15:33:18 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291406#M588085 mromer 2003-11-05T15:33:18Z https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291407#M588086 <HTML><HEAD></HEAD><BODY><P>Does anyone load-balancing PIXs with Alteon switches ?</P><P></P><P>Best Regards,</P><P>Engel</P></BODY></HTML> Thu, 06 Nov 2003 00:44:54 GMT https://community.cisco.com/t5/network-security/pix-failover-vs-load-balancing-with-css/m-p/291407#M588086 engel 2003-11-06T00:44:54Z