Of those using the fail-open kits, how has your experience been with them?
Apart from the initial setup information, there doesn't seem to be much info on them on the Mcafee site.
We have some, and it's hit and miss. Some work great, and others have caused us huge amounts of grief (I just had a kit fail to come online and had to wait for it to time out, taking a site offline for 3 minutes). Same kit worked fine 4 weeks ago when it last was brought online.
Are there certain ...errr...vendor incompatibilities. As in, do the kits not function great in certain setups or with certain vendors or specific products?
I've run a couple of demos with M4050, M6050 and i-3000 series all of them with SX fiber FOK. I had some link problems connected to Juniper equipments with i-3000, but with Cisco and Nortel switches no problems at all. With M4050 I had multilink etherchannel topology with no problems nor almost packet loses when attaching or detaching links. With M6050 I had just one link connected to and when I shut down the NSP interface it only missed two-three ping packets I was running as a connection test.
There always be a possibility of some connection problem at link layer when you connect network devices, with McAfee FOK I don't think we should talk about incompatibilities or reliability. In my humble opinion the key point is make a good presales job and demo in customer premises to avoid any trouble.
I hope my experience helps you.
Unfortunatly, our experience with the kits hasn't been that great.
For example, I have a kit configured on copper, forced to 100 Mb full duplex, between 2 switches, also forced @ 100 Mbit full duplex.
I took down the kit on Friday (It interferes with our Foundstone scans despite ACL's). We did our scans over the weekend.
I tried to bring the kit up this morning....instead of coming right back....it just timed out....180 seconds....I have a whole site of people ticked off at me cause I killed their WAN link.
I have another copper kit, at gig auto, between a firewall and a switch, with both @ gig auto....Try to bring the kit online, and only one side comes up. Tried swapping ports to see if I had a bad cable or GBIC, I can "move" the problem to another port (As in A to B or B to A), but can't resolve it (yet)
And I have a a fibre kit. I have the same gear 3 times over (3 way FW cluster). 2 kits come up almost instantly...1 kit take 45 seconds to come up...
GRRR....when they work great, they are awesome, but when they have issues, it's a messy issue.
Although I can't speak to the individual experiences mentioned here with fail open kits, but I did track down the official MTBF for these kits. That's "Mean time between failure" and from the vendor, these are rated at 2,272,980hrs (or 259 years), which is a heck of a long time J
Also, I have notice that a lot of times problems on FO kits comes from the pier devices negotiating through these devices. Not to discount that fact that some FO kits may just be defective, but often the pier devices may be running auto MDX, which may jump in and do funny things on links even if the speed/duplex is hard coded. I always recommend hard coded speed/duplex whenever possible, and disabling auto MDX as well… But often times whatever works the most reliably is the reality. Also, a health round of up/down testing during a change window is nice, so you aren’t caught by surprise at 2am when something does go down! CheersMessage was edited by: Steve Grossenbacher on 3/19/10 12:41:23 PM CDT
The negotiation could be causing some problems and another recommendation is to have port fast enabled on the switches. I do find it interesting that you recommend hard coding the ports but the Mcafee engineering team recomends setting the interfaces to auto.
It has to be careful about hardcode any interface type. Fast Ethernet and Gigabit Ethernet operation are different and the scenario could be more sensitive if you are using Gigabit interfaces and external Fail Open kits. Please refer to KB50316 it explains in a clear way interface duplex and speed considerations and whether to apply hardcoding.