List:       sidewinder
Subject:    Re: [Sidewinder] RE: Heartbeat over a WAN link
From:       sidewinder () adeptech ! com
Date:       2004-10-26 3:43:51
Message-ID: 6ec88adc04102520434c391403 () mail ! gmail ! com

On Mon, 25 Oct 2004 12:34:38 -0500, JRJ wrote:
>> Richard St. John writes:
>> We have several load balanced SideWinders and I am thinking of making
>> several of them failover pairs when we get to putting Internet access
>> into our KC D&R facility. Can the "heartbeat" burb be across a WAN link?

Technically, the heartbeat can be a WAN bridge.  You may need to
adjust timeouts.
However, SCC recommends against using anything more involved than a
crossover cable for the heartbeat connection.


> While I suppose you could, there might be issues.  If that WAN link goes
> down, then BOTH will want to be primaries.  

Exactly.  The heartbeat is the only thing keeping the secondary
firewall from taking over as the primary.


> If you then do any configuration changes, you'll have a real mess.
> Also, I am not at all sure what will happen, after such a failure --
> whether one of the two will give up peacefully
> (and whether it would be the *right* one).

Once the heartbeat is resumed, the firewall with the highest priority
will take over as the primary -- the "lesser" firewall is (in my
experience) good about giving up to a higher priority firewall, so
long as the heartbeat is there.
Without the heartbeat, anarchy reigns.


>> Can we have KC1 monitor NS1 via the heartbeat burb, or would it be better
>> to move this monitoring to another appliance? If NS1 goes down we want KC1
>> to start playing its role because internal devices will start sending
>> traffic to KC.

IMHO, it would be better to have both firewalls "active", and have the
monitoring and failover handled by the routers or by another
appliance.  The primary drawback to not using a failover pair is that
IP-Filtered connections will not have stateful failover.  There are
options to keep the Sidewinder configurations in sync.


> More than that would be hard to determine, without knowing more about how
> you would set up your routing environment.  I imagine there are ways you
> could set up the routing so that they could run "load balanced", but direct
> the traffic from each site appropriately.  That way, if one went down,
> routing changes (perhaps automatic) could direct the traffic towards the
> other.  Plus, this way, if the WAN link went down, the only thing you'd lose
> would be the ability to (safely) make config changes.

If all of the routers are Cisco products, you can configure routing
(exactly how depends on the routing protocol used) so that traffic for
each site should never go through the "wrong" firewall under normal
circumstances, but traffic can still fail over automatically.


Kevin Kadow
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
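The split-brain scenario the thread describes (heartbeat carried over a WAN link, link drops, both nodes promote themselves, config changes diverge, higher priority wins once the heartbeat returns) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Sidewinder code and not from any poster. The node names NS1 and KC1 come from the thread; the priority values, the "three missed heartbeats" timeout, the rule that a standby refuses configuration changes, and the sample rule changes are all assumptions chosen to make the failure mode visible.

```python
"""Toy model of an active/standby firewall pair whose only coordination
channel is a heartbeat.  Added example, not Sidewinder code.

Assumed behaviour (modelled on the thread, not on vendor documentation):
  * a node that misses MISSED_BEATS_TO_PROMOTE heartbeats promotes itself,
    because it cannot tell "peer is dead" from "link is dead";
  * while both nodes hear each other, the higher priority node is primary
    and the other demotes to standby;
  * only a node that believes it is primary accepts configuration changes.
"""
from dataclasses import dataclass, field

MISSED_BEATS_TO_PROMOTE = 3   # assumed timeout, in heartbeat intervals


@dataclass
class Firewall:
    name: str
    priority: int                 # higher wins when both sides can hear each other
    role: str = "standby"
    missed: int = 0
    config_changes: list = field(default_factory=list)

    def receive_heartbeat(self, peer):
        """Peer is reachable: elect by priority, reset the miss counter."""
        self.missed = 0
        if self.priority > peer.priority:
            self.role = "primary"
        elif self.priority < peer.priority:
            self.role = "standby"
        # equal priorities are a misconfiguration; roles are left unchanged

    def miss_heartbeat(self):
        """One heartbeat interval passed with nothing heard from the peer."""
        self.missed += 1
        if self.missed >= MISSED_BEATS_TO_PROMOTE:
            self.role = "primary"

    def change_config(self, change):
        """Apply an admin change; a standby refuses (assumed safety rule)."""
        if self.role != "primary":
            raise RuntimeError(f"{self.name} is standby; refusing config change")
        self.config_changes.append(change)


def tick(a, b, link_up):
    """Advance both nodes by one heartbeat interval."""
    if link_up:
        a.receive_heartbeat(b)
        b.receive_heartbeat(a)
    else:
        a.miss_heartbeat()
        b.miss_heartbeat()


def primaries(a, b):
    """Names of the nodes that currently believe they are primary."""
    return sorted(n.name for n in (a, b) if n.role == "primary")


def simulate(outage_ticks=5):
    """Run a heartbeat-link outage of outage_ticks intervals and report."""
    ns1 = Firewall("NS1", priority=100)   # assumed: NS1 preferred
    kc1 = Firewall("KC1", priority=50)
    report = {}

    for _ in range(3):                    # normal operation
        tick(ns1, kc1, link_up=True)
    report["before"] = primaries(ns1, kc1)

    for _ in range(outage_ticks):         # WAN link carrying the heartbeat drops
        tick(ns1, kc1, link_up=False)
    report["during"] = primaries(ns1, kc1)

    # Admins at each site push a change; only a self-declared primary accepts it.
    for fw, change in ((ns1, "allow tcp/443 to web01"),
                       (kc1, "deny tcp/443 to web01")):    # constructed sample rules
        if fw.role == "primary":
            fw.change_config(change)
    report["diverged"] = bool(ns1.config_changes and kc1.config_changes
                              and ns1.config_changes != kc1.config_changes)

    tick(ns1, kc1, link_up=True)          # link returns; priority election resumes
    report["after"] = primaries(ns1, kc1)
    report["kc1_role_after"] = kc1.role
    return report


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:>15}: {v}")
```

With the default five-interval outage both nodes end up primary and each accepts a conflicting rule; once the heartbeat returns NS1 keeps the primary role and KC1 demotes, but the two rule sets no longer match, which is the "real mess" the thread warns about. A two-interval outage (shorter than the assumed timeout) never promotes KC1, so only NS1 takes changes and nothing diverges; the same model with a longer timeout shows the trade-off the first reply hints at: a longer timeout tolerates WAN jitter but delays a genuine failover.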