Question on PIX - VPN bulk sync

rsgamage1 · ‎09-23-2008

Hi,

We have a cable(serial) connected Active/Standby PIX firewall setup.

When the standby unit recovers after a failure, there is a VPN Bulk Sync process, where the active unit starts syncing the state information to the standby unit.

During this process does the active unit freeze/lock all it's VPN connections?

According to my understanding, it should not affect the active VPN traffic, however it seems so.

Thanks for the clarification & providing with related references(if any).

suschoud · ‎09-23-2008

First of all,you need to run stateful failover for zero disruption of traffic.

Secondly,in 6.x train,vpn statfulness is not supported.That is,if with 6.x,even with statful setup ,during a failover event,vpn connections would drop.

Secondly,if you are running 7.x or 8.x code,you would need to setup stateful failover.With 7.x and 8.x code,vpn statefulness is supported.

Link :

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html

Do rate helpful posts.

Regards,

Sushil

rsgamage1 · ‎09-23-2008

Hi,

PIXos is 7.x.

My question is regarding the status of active unit connections upon recovery of the standby unit after a failure.

I've already referred to your link and according to it (Ref:Table 14-1 Failover Behavior) there's 'No Failover' of the active unit upon failure of standby.

To repeat my question,

When VPN bulk sync and End configuration Replication take place are the active unit connections locked?

If not what could lead to a disruption of traffic(OS bug, high CPU )?