I am thinking of using a HA pair of Astaros to replace a (much more expensive) pair of Nokia/Checkpoint firewalls. I am trying to compare the functionality of these products. So far, there are two big issues that I have with the performance of the HA mode:
1) Since the Astaro solution does not use a virtual address (as in VRRP), ARP caching becomes a problem. It can take up to ten minutes for a Windoze machine to get a clue and drop the old ARP entry.
2) The failover works great, as long as the problem is with the hardware or software of the firewall itself. However, the system is ignorant of failures of upstream or downstream devices. I can unplug both the internal and external interfaces of the active firewall and it chugs along happily, unaware of its isolation. This creates several intolerable SPOFs.
If I can get past these issues, the Astaro solution looks very attractive. Can anyone come up with solutions to mitigate any of the above? I have come up with these so far:
1) It is possible to change the behavior of the ARP caching on systems. I have little experience in mucking about with this, though. Anyone have any advice?
2) I could put the crossover connection on a separate VLAN on the switch, instead of using a crossover cable. This way, a failure in the switch causes failover. However, this doesn't work if I have different pairs of switches servicing my external and internal networks, nor does it help me if I simply have a failure in a NIC port or a cable.
I appreciate any advice anyone can give,
Brent
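One way to close the second gap Brent describes (the active node staying up while isolated from its upstream and downstream neighbours) is an external reachability watchdog that probes the next hop on each interface and tells the node to give up the active role when a neighbour stays unreachable. The following is an added example, not code from the original post or from Astaro or Check Point; it assumes ICMP echo via the system `ping` binary with Linux flags, constructed probe results and addresses from the documentation range, and leaves the actual failover action (for instance, stopping the HA service so the peer takes over) to a caller-supplied function. Hysteresis (separate fail and recover thresholds) keeps a single lost packet from flapping the pair.

```python
"""Next-hop reachability watchdog for an HA firewall node (added example).

Counts consecutive probe failures per monitored neighbour and reports when
the node should yield the active role. Assumptions: probes are ICMP echo via
the OS `ping` binary (Linux-style flags); sample data below is constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Target:
    """One neighbour to watch, e.g. the upstream router or the core switch."""
    name: str
    address: str                # IP of the next hop on that interface
    fail_threshold: int = 3     # consecutive failures before declared DOWN
    recover_threshold: int = 2  # consecutive successes before declared UP
    failures: int = 0
    successes: int = 0
    up: bool = True

    def record(self, ok: bool) -> bool:
        """Update counters with one probe result; return the new up/down state."""
        if ok:
            self.successes += 1
            self.failures = 0
            if not self.up and self.successes >= self.recover_threshold:
                self.up = True
        else:
            self.failures += 1
            self.successes = 0
            if self.up and self.failures >= self.fail_threshold:
                self.up = False
        return self.up


class IsolationMonitor:
    """Tracks several neighbours; any DOWN neighbour means this node should yield."""

    def __init__(self, targets: Iterable[Target]):
        self.targets = {t.name: t for t in targets}

    def step(self, results: Dict[str, bool]) -> List[str]:
        """Feed one round of probe results; return names of neighbours now DOWN."""
        for name, ok in results.items():
            if name in self.targets:      # ignore probes for unknown neighbours
                self.targets[name].record(ok)
        return sorted(n for n, t in self.targets.items() if not t.up)

    def should_yield(self) -> bool:
        return any(not t.up for t in self.targets.values())


def run_rounds(monitor: IsolationMonitor,
               rounds: Iterable[Dict[str, bool]],
               on_yield: Optional[Callable[[List[str]], None]] = None) -> Optional[int]:
    """Replay probe rounds; return the index of the round at which the node
    first decides to yield (calling on_yield with the DOWN names), else None."""
    for i, results in enumerate(rounds):
        down = monitor.step(results)
        if monitor.should_yield():
            if on_yield is not None:
                on_yield(down)
            return i
    return None


def probe_icmp(address: str, timeout_s: int = 1) -> bool:
    """Single ICMP echo using the OS ping binary (assumes Linux-style flags)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), address],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 1)
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def make_monitor() -> IsolationMonitor:
    # Constructed addresses from the RFC 5737 documentation range.
    return IsolationMonitor([Target("upstream", "192.0.2.1"),
                             Target("downstream", "192.0.2.254")])


# Constructed sample: the upstream next hop stops answering from round 2 on.
SAMPLE_ROUNDS = [
    {"upstream": True,  "downstream": True},
    {"upstream": True,  "downstream": True},
    {"upstream": False, "downstream": True},
    {"upstream": False, "downstream": True},
    {"upstream": False, "downstream": True},   # third consecutive failure -> DOWN
    {"upstream": True,  "downstream": True},
]

if __name__ == "__main__":
    # Replaying the constructed sample: the node yields at round index 4.
    print("yield at round:", run_rounds(make_monitor(), SAMPLE_ROUNDS,
                                        on_yield=lambda d: print("DOWN:", d)))
    # One live pass against the configured neighbours (requires `ping`).
    live = make_monitor()
    print("live DOWN list:", live.step({n: probe_icmp(t.address)
                                        for n, t in live.targets.items()}))
```

Run with a real scheduler (cron, systemd timer, or a loop with a short sleep) on a host that sees the same VLANs as the firewall pair; the `on_yield` callback is where the site-specific failover action goes. The same monitor covers the NIC-port and cable cases in Brent's second point, since a dead port makes the neighbour on that interface unreachable just as a dead switch does.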