04-02-2007 05:27 AM - edited 03-11-2019 02:54 AM
Hello all,
A question again!
I have two PIX 515-E, one with UR licence and the other with FO licence only.
Both serial cable (not really serial but you understand me) and ethernet cable are connected for the failover.
Why?? Both are near. When I do a sho failover I see that ethernet is: N/A.
The guy who configured this device before me told me that it was Cisco who told him to make this configuration with both cables.
Can you explain to me why? To maintain session??? I believed that it's only when you use the serial cable that your session is saved.
Thank you a lot for your answer.
04-02-2007 05:33 AM
There are two parts to failover. One is required, the other is optional. Let me explain:
1) Serial vs. LAN failover (required)
2) Stateful failover (optional)
For #1, you must choose to use the serial cable or an ethernet interface to send the failover configuration information to the peer.
For #2, you can optionally enable stateful failover (which is an ethernet interface only) and this replicates the state of the connections/xlates/etc from the Active to the Standby (highly recommended so that failovers do not have any impact on users).
If your PIXes are close by, I would suggest using Serial failover along with stateful failover (for state replication). This may be what you have configured. If you want to send the output of :
show run | inc failover
show failover
We can have a look.
Hope it helps,
David.
04-02-2007 05:44 AM
Hi David,
I understand!
I never paid attention to one line in the sho failover:
Stateful Failover Logical Update Statistics
Link : Failover Ethernet2 (up)
In fact I only read this part, where it is N/A!:
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Thanks a lot. It's good for me.
FFF# sho run | grep fail
failover
failover replication http
failover link Failover Ethernet2
failover interface ip Failover X.X.X.X 255.255.255.0 standby Y.Y.Y.Y
pix# sho fail
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 15:08:30 UTC Apr 2 2007
This host: Primary - Active
Active time: 1650 (sec)
Stateful Failover Logical Update Statistics
Link : Failover Ethernet2 (up)
Stateful Obj xmit xerr
I tried to disconnect the ethernet cable and the stateful goes to Failed!
OK..
Good. Thank you guys..
04-02-2007 08:51 AM
Hi fargier,
A couple of comments:
From the "show failover" output, you have:
#######
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based
#######
Since the "Cable status" is Normal, this means Serial failover is being used.
Also, the "Failover LAN Interface" (for LAN based failover) indicates N/A, because it tells you "Serial-based" failover is used.
The config line "failover link Failover Ethernet2" indicates you are doing Stateful failover as well (as you noticed).
One thing I would suggest is to disable the http replication, by removing the line:
failover replication http
This tells the PIX to replicate http connections (TCP/80) which it does not do by default. The reason is, HTTP connections are very short lived, and the overhead of replicating all these connections is high. So, unless you really need to replicate the HTTP connections, I would suggest against it. Some reasons to do it are if you have HTTP connections that are long-lived, or if you are tunneling another application over HTTP.
Sincerely,
David.
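The reading of "show failover" described in this thread, as an added example (not code from any poster or from Cisco): a small Python parser that reports the failover transport, the stateful link and whether HTTP replication is on. The function names are hypothetical, and two things are assumptions: any "Failover LAN Interface" value other than N/A is treated as LAN-based failover, and a failed stateful link is assumed to show its state in the same parentheses as "(up)".

```python
import re

# Lines copied from the "show failover" output quoted in this thread.
SAMPLE = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
failover replication http
Stateful Failover Logical Update Statistics
Link : Failover Ethernet2 (up)
"""

LINK_RE = re.compile(r"^Link\s*:\s*(\S+)\s+(\S+)\s+\((\w+)\)")

def summarize_failover(text):
    """Parse 'show failover' text into transport, stateful link and HTTP replication."""
    info = {"enabled": False, "transport": "unknown", "cable_status": None,
            "stateful_if": None, "stateful_state": None, "http_replication": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Failover On":
            info["enabled"] = True
        elif line.startswith("Cable status:"):
            info["cable_status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Failover LAN Interface:"):
            value = line.split(":", 1)[1].strip()
            # "N/A - Serial-based" means the serial cable carries failover traffic.
            # Assumption: any other value means LAN-based failover.
            info["transport"] = "serial" if value.startswith("N/A") else "lan"
        elif line == "failover replication http":
            info["http_replication"] = True
        elif (m := LINK_RE.match(line)):
            info["stateful_if"], info["stateful_state"] = m.group(2), m.group(3).lower()
    return info

def review(info):
    """Return operator notes that follow from the points made in the thread."""
    notes = []
    if info["stateful_if"] is None:
        notes.append("no stateful link: connections are not replicated to the standby")
    elif info["stateful_state"] != "up":
        notes.append(f"stateful link {info['stateful_if']} is {info['stateful_state']}")
    if info["http_replication"]:
        notes.append("HTTP replication on: extra overhead for short-lived connections")
    return notes

if __name__ == "__main__":
    for note in review(summarize_failover(SAMPLE)):
        print("note:", note)
```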