Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
0
Helpful
1
Replies

PIX TCP sequence numbers checking and stateful failover performance

ovt
Level 4
Level 4

‎03-09-2003 08:18 AM - edited ‎02-20-2020 10:36 PM

Hi!

PIX Admin. guide says: "The PIX Firewall checks TCP sequence number and

ensures that it fits within an acceptable range".

The questions are:

- does the PIX really do this?

- does "acceptable range" mean "within the window, but out-of-order TCP

segments are allowed"?

- does this checking mean that dedicated *Gig* ethernet interface is required

for stateful failover, provided that we use 535 with Gig interfaces for data

traffic. (If SEQs are really tracked by the (active) PIX it must send SEQ changes

to the standby for every data packet, isn't it? So, what about performance issues?)

Thank you,

Oleg Tipisov,

REDCENTER,

Moscow

0 Helpful
1 Reply 1

mostiguy
Level 6
Level 6

‎03-10-2003 07:28 AM

For question 3: yes, Cisco seems to recommend as a rule that your stateful failover interface be as fast as your fastest interface in use.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card