Failover Communication

Hi,

I am reviewing the PIX config of my client, who is configuring a deny ip any any ACL on the failover interface between the two failover units!

I am confused by this configuration and would just like to check whether this will deny the stateful information flow between the two firewalls.

Please advise!

Regards,

Haitham


Re: Failover Communication

There should be NO ACL. Don't use a crossover Ethernet cable or fiber to connect the two failover LAN interfaces. Instead, each interface should connect to a switch port, so that the link status is always up on one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their interfaces have failed.

Yes, a crossover will work, but it isn't a best practice.

Please rate if you are satisfied.

Cheers!

Re: Failover Communication

Even if there is an ACL with a deny any any on the failover link interface, the failover communication still works.

But personally I prefer to remove it!

Sincerely,

Patrick
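For reference, here is what a clean LAN-based failover configuration looks like when the advice in the two replies above is followed: the failover interface is dedicated to failover and carries no access-group at all. This is an added example, not a configuration posted in the thread; it uses PIX 7.x command syntax, and the interface name, the logical name "folink", the addresses and the key placeholder are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): PIX 7.x LAN-based failover with the
! stateful link sharing the same physical interface.
! Ethernet2, "folink", 10.0.0.0/30 and the key are assumed values.
interface Ethernet2
 description Dedicated LAN failover + stateful link (assumed)
 no shutdown
!
failover
failover lan unit primary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <shared-secret>
!
! Deliberately absent on Ethernet2: "nameif", "security-level" and
! "access-group". Once an interface is bound with "failover lan interface"
! it is dedicated to failover traffic and is not a data interface, so there
! is nothing for a "deny ip any any" ACL to be applied to.
!
! Verification on either unit after the standby has synchronised:
!   show failover        - role of both units, failover link status, and
!                          whether stateful failover is "on"
!   show failover state  - last failure reason, if any
```

Because the two units should be able to see each other's link state independently, connect Ethernet2 on each unit to a switch port (as the first reply suggests) rather than back to back with a crossover cable; the configuration itself is identical either way.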
