Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
0
Helpful
2
Replies

basic firewall redundancy question

david.bradley
Level 1
Level 1

‎09-01-2004 07:30 AM - edited ‎03-09-2019 08:40 AM

I'm trying to get my head around how reundancy operates. The diagram below shows a campus LAN with a collapsed core, the 2 core switches are connected directly to 2 firewalls:

|--------firewallA-------switchB------routerB

| | |

internet-----router----switch-----| | |

| | |

| | |

|--------firewallB-------switchB------routerB

The routerBs are essentially MSFCs in the switchBs.

Assuming that firewallA is the active firewall. FirewallA fails and FirewallB assumes the roles of the active firewall, all well and good.

The traffic is sent automaticall out to the active firewall either direct from one switchB or whatever layer 2 route needed.

The question is, what happens if the active switchB (spanning tree root) fails and the traffic is redirected to the other switch and in turn to the other firewall. The other switch only has a direct connection to the second firewall, but the second firewall is in standby mode!!

and...

What happens if the link in the outside of the active firwall fails and traffic then cannot get to the active firewall, the second firewall is recieving heartbeats from the active firewall, so the active firewall stays up.

Do I have something sadly wrong here?? :)

Dave

Labels:
0 Helpful
2 Replies 2

a.awan
Level 4
Level 4

‎09-01-2004 08:04 AM

First of all your diagram did not post too well so it was a bit hard understanding your topology. Just a comment on the redundancy in your network. From what i see you have everything redudant other than the devices in front of your firewall. What is the reason for that?

Coming back to your original question on what happens when SwitchB fails, well i am assuming you have PIX firewalls in active failover configuration and will base my response on that assumption. When an interface on an active PIX firewall fails the firewall communicates that via the 'failover link' to the failover firewall and a role switchover occurs so the standby firewall takes over. This will happen when the SwitchB fails as the active firewall will lose the link on its internal interface.

0 Helpful

david.bradley
Level 1
Level 1
In response to a.awan

‎09-01-2004 10:01 AM

hi,

As you say there is redundancy all the way up until the last part, the 2 firewalls connect to a router then out to the ISP. I not really logical I know.

The firewalls in question are actually Sidewinder G2s and I did assume they function in the same way, i.e. one conection is between the 2 firewalls passes keepalives. I've dealt with PIXs in the past but not in a redundant setup, it sounds like they are more sensitive to failures.

Dave

0 Helpful
Customers Also Viewed These Support Documents