The CSS's on either side of the firewalls maintain a flow for each connection, ensuring that all traffic within a TCP session travels through the same firewall.
We are using this load balancing configuration for our production web farm. What I'm trying to figure out is what we might lose if we reconfigured the two PIXs for failover and used a couple of the CSS's elsewhere.
As you have seen, load balancing PIX's with the CSS's does work and we have many customers doing it. Your question, however, is difficult to answer. As I am sure you know, the idea with load balancing the PIX's is to split the load across 2 separate platforms. Failover and load balancing in the PIX's is going to be quite different. If you moved to a failover setup and configured stateful failover as well, you would gain the ability to maintain "state" if one of the firewalls went down. Meaning, sessions that were open through the active firewall would be replicated over to the stand-by firewall so when the failover occurred, the end user would not necessarily know. I do not think you would currently have this ability in the load balanced setup. Of course, the biggest concern you are going to need to take a look at is whether one PIX can currently handle the load that you have 2 PIX's handling now. The biggest concern would probably be the connections. You can issue a 'sh conn count' to get a rough idea of how many conns each PIX has at the time the command is run. Summing these numbers and comparing it to the numbers we provide for max conns on your platform can give you a rough idea of what to expect.
I know this is not the concrete answer you were looking for but hopefully it gives you some ideas on where to start. Good luck.
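The sizing check the reply describes, as an added example that is not part of the original thread: it parses constructed 'show conn count' output from each load-balanced PIX (assuming the usual "N in use, M most used" form), sums the figures, and compares them against a placeholder platform limit with a reserve held back for post-failover reconnect bursts. PLATFORM_MAX_CONNS and the sample outputs are assumptions, not values from the thread.

```python
import re

# Constructed sample 'show conn count' output from each load-balanced PIX
# (not real capture data). Expected form: "<n> in use, <m> most used".
PIX_OUTPUT = {
    "pix-a": "1840 in use, 2375 most used",
    "pix-b": "1612 in use, 2290 most used",
}

# Placeholder only: substitute the max-connection figure Cisco publishes
# for your PIX model and license.
PLATFORM_MAX_CONNS = 5000

CONN_COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")


def parse_conn_count(text):
    """Return (in_use, most_used) parsed from one 'show conn count' output."""
    m = CONN_COUNT_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show conn count' output: %r" % text)
    return int(m.group(1)), int(m.group(2))


def combined_load(outputs):
    """Sum current and peak connection counts across all firewalls.

    Summing each unit's 'most used' figure is a conservative upper bound on
    the combined peak, since the per-unit peaks need not have coincided."""
    in_use = peak = 0
    for text in outputs.values():
        cur, most = parse_conn_count(text)
        in_use += cur
        peak += most
    return in_use, peak


def failover_headroom(outputs, platform_max, reserve_pct=20):
    """Decide whether a single unit could carry the whole load after failover.

    reserve_pct is the share of capacity kept free for growth and for the
    burst of sessions that re-establish right after a failover event."""
    in_use, peak = combined_load(outputs)
    budget = platform_max * (100 - reserve_pct) // 100
    return {
        "in_use": in_use,
        "peak": peak,
        "budget": budget,
        "fits_now": in_use <= budget,
        "fits_at_peak": peak <= budget,
    }


if __name__ == "__main__":
    print(failover_headroom(PIX_OUTPUT, PLATFORM_MAX_CONNS))
```

With the sample figures the current load fits on one unit but the summed peak does not, which is exactly the case where consolidating onto a failover pair needs a closer look.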
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: