Cisco Support Community
Community Member

Question on PIX - VPN bulk sync

Hi,

We have a cable (serial) connected Active/Standby PIX firewall setup.

When the standby unit recovers after a failure, there is a VPN Bulk Sync process, where the active unit starts syncing the state information to the standby unit.

During this process, does the active unit freeze/lock all its VPN connections?

According to my understanding, it should not affect the active VPN traffic; however, it seems so.

Thanks for the clarification and for providing related references (if any).

2 REPLIES
Cisco Employee

Re: Question on PIX - VPN bulk sync

First of all, you need to run stateful failover for zero disruption of traffic.

Secondly, in the 6.x train, VPN statefulness is not supported. That is, with 6.x, even with a stateful setup, during a failover event, VPN connections would drop.

Secondly, if you are running 7.x or 8.x code, you would need to set up stateful failover. With 7.x and 8.x code, VPN statefulness is supported.

Link:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html

Do rate helpful posts.

Regards,

Sushil

Community Member

Re: Question on PIX - VPN bulk sync

Hi,

PIX OS is 7.x.

My question is regarding the status of the active unit's connections upon recovery of the standby unit after a failure.

I've already referred to your link, and according to it (Ref: Table 14-1, Failover Behavior) there's 'No Failover' of the active unit upon failure of the standby.

To repeat my question:

When VPN bulk sync and End Configuration Replication take place, are the active unit connections locked?

If not, what could lead to a disruption of traffic (OS bug, high CPU)?
