Question on PIX - VPN bulk sync

Unanswered Question
Sep 23rd, 2008


We have a cable (serial) connected Active/Standby PIX firewall setup.

When the standby unit recovers after a failure, there is a VPN Bulk Sync process, where the active unit starts syncing the state information to the standby unit.

During this process, does the active unit freeze/lock all its VPN connections?

According to my understanding, it should not affect the active VPN traffic, however it seems so.

Thanks for the clarification and for providing related references (if any).

suschoud Tue, 09/23/2008 - 05:58

First of all, you need to run stateful failover for zero disruption of traffic.

Secondly, in the 6.x train, VPN statefulness is not supported. That is, with 6.x, even with a stateful setup, during a failover event, VPN connections would drop.

Secondly, if you are running 7.x or 8.x code, you would need to set up stateful failover. With 7.x and 8.x code, VPN statefulness is supported.

Link :

Do rate helpful posts.



rsgamage1 Tue, 09/23/2008 - 06:19


PIX OS is 7.x.

My question is regarding the status of active unit connections upon recovery of the standby unit after a failure.

I've already referred to your link, and according to it (Ref: Table 14-1 Failover Behavior) there's 'No Failover' of the active unit upon failure of the standby.

To repeat my question:

When VPN bulk sync and End Configuration Replication take place, are the active unit connections locked?

If not, what could lead to a disruption of traffic (OS bug, high CPU)?

