topic Question on PIX - VPN bulk sync in Network Security

Question on PIX - VPN bulk sync

RanilG — Mon, 11 Mar 2019 13:47:59 GMT

Hi,

We have a cable(serial) connected Active/Standby PIX firewall setup.

When the standby unit recovers after a failure, there is a VPN Bulk Sync process, where the active unit starts syncing the state information to the standby unit.

During this process does the active unit freeze/lock all it's VPN connections?

According to my understanding, it should not affect the active VPN traffic, however it seems so.

Thanks for the clarification & providing with related references(if any).

Re: Question on PIX - VPN bulk sync

suschoud — Tue, 23 Sep 2008 12:58:25 GMT

First of all,you need to run stateful failover for zero disruption of traffic.

Secondly,in 6.x train,vpn statfulness is not supported.That is,if with 6.x,even with statful setup ,during a failover event,vpn connections would drop.

Secondly,if you are running 7.x or 8.x code,you would need to setup stateful failover.With 7.x and 8.x code,vpn statefulness is supported.

Link :

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html

Do rate helpful posts.

Regards,

Sushil

Re: Question on PIX - VPN bulk sync

RanilG — Tue, 23 Sep 2008 13:19:03 GMT

Hi,

PIXos is 7.x.

My question is regarding the status of active unit connections upon recovery of the standby unit after a failure.

I've already referred to your link and according to it (Ref:Table 14-1 Failover Behavior) there's 'No Failover' of the active unit upon failure of standby.

To repeat my question,

When VPN bulk sync and End configuration Replication take place are the active unit connections locked?

If not what could lead to a disruption of traffic(OS bug, high CPU )?