Buy or Renew
Buy or Renew
Cisco Community present at Cisco Live EMEA 2023. See you in Amsterdam! Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
1
Replies

PIX TCP sequence numbers checking and stateful failover performance

ovt
Enthusiast
Enthusiast

‎03-09-2003 08:18 AM - edited ‎02-20-2020 10:36 PM

Hi!

PIX Admin. guide says: "The PIX Firewall checks TCP sequence number and

ensures that it fits within an acceptable range".

The questions are:

- does the PIX really do this?

- does "acceptable range" mean "within the window, but out-of-order TCP

segments are allowed"?

- does this checking mean that dedicated *Gig* ethernet interface is required

for stateful failover, provided that we use 535 with Gig interfaces for data

traffic. (If SEQs are really tracked by the (active) PIX it must send SEQ changes

to the standby for every data packet, isn't it? So, what about performance issues?)

Thank you,

Oleg Tipisov,

REDCENTER,

Moscow

0 Helpful
1 Reply 1

mostiguy
Frequent Contributor
Frequent Contributor

‎03-10-2003 07:28 AM

For question 3: yes, Cisco seems to recommend as a rule that your stateful failover interface be as fast as your fastest interface in use.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents