Failover Communication

May 5th, 2007
I am reviewing the PIX config of my client, who is configuring a deny ip any any ACL on the failover interface between the 2 failover units!!

I was confused by this configuration and would just like to check whether this will deny the stateful information flow between the 2 firewalls?

Please advise!




There should be NO ACL. Don't use a crossover Ethernet cable or fiber to connect the two failover LAN interfaces. Instead, each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their interfaces have a failover.

Yes, a crossover will work; but it isn't a best practice.

Please rate if you are satisfied.


Patrick Iseli Sat, 05/12/2007 - 19:37

Even if there is an ACL that has a deny any any on that failover link interface, the failover communication still works.

But personally I prefer to remove it!
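For reference, here is what a dedicated failover LAN link plus stateful link looks like in PIX/ASA 7.x syntax, with no access-list or access-group applied to the failover interfaces, as the replies above recommend. This is an added example and not configuration from the thread or from the poster's client; the interface names, unit role, addresses and key are constructed placeholders.

```cisco
! Added example, not from the original thread. PIX/ASA 7.x failover syntax.
! FOLINK, STATELINK, Ethernet2/Ethernet3, the addresses and the key are
! constructed placeholders; replace them with your own values.
failover
failover lan unit primary
failover lan interface FOLINK Ethernet2
failover link STATELINK Ethernet3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Authenticate and encrypt the failover messages between the two units.
failover key FAILOVER-KEY-PLACEHOLDER
! Note: no access-list / access-group lines reference Ethernet2 or Ethernet3.
! The failover hello traffic and the state replication run over these
! dedicated links, and each link should go to a switch port rather than a
! crossover cable so a peer failure does not take the link down on both units.
```

Check the result with `show failover` on both units: the stateful link should show as up and the standby unit should report "Standby Ready" once state replication is flowing.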
