ovt Bronze

PIX TCP sequence numbers checking and stateful failover performance

Hi!

PIX Admin. guide says: "The PIX Firewall checks TCP sequence number and ensures that it fits within an acceptable range".

The questions are:

- does the PIX really do this?

- does "acceptable range" mean "within the window, but out-of-order TCP segments are allowed"?

- does this checking mean that dedicated *Gig* ethernet interface is required for stateful failover, provided that we use 535 with Gig interfaces for data traffic. (If SEQs are really tracked by the (active) PIX it must send SEQ changes to the standby for every data packet, isn't it? So, what about performance issues?)

Thank you,

Oleg Tipisov,

REDCENTER,

Moscow

1 REPLY

Re: PIX TCP sequence numbers checking and stateful failover perf

For question 3: yes, Cisco seems to recommend as a rule that your stateful failover interface be as fast as your fastest interface in use.
