Can I use a Failover Only Licensed PIX by itself

Jun 1st, 2007

My employer is small and wants to use a Failover Only PIX by itself. They had it as part of their network, obviously as a failover to another PIX. I can connect through the console cable and the IPs are in place, but I can't ping or TFTP to the inside port. I see it up/up.

Please help me and tell me that I need to upgrade to at least a restricted license.

Thanks

Dewboy

bamnocadmin Fri, 06/01/2007 - 08:38

Hello,

Here is what the PIX Configuration Guide says:

The PIX Firewall with the FO license is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty.

Thanks.

Dewboy691 Mon, 06/04/2007 - 05:35

I know that it will reboot every 24 hours, but what I'm having a problem with is that I can't even ping the inside interface. The laptop and interface are on the same subnet so I should at least get a ping. What am I doing wrong? Should I post my config?

bamnocadmin Mon, 06/04/2007 - 06:06

Please post your config. I tried to access a failover-only PIX in my lab and it works.

Thanks.

Dewboy691 Mon, 06/04/2007 - 06:12

Here it is. As you can see, there are a few lines that aren't necessary, but I was trying anything.

```
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname BedrockPix
domain-name Bedrock
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit 192.168.0.0 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside 192.168.9.135 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.10 255.255.255.255 inside
http 192.168.9.136 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.9.136 255.255.255.255 inside
telnet 192.168.9.104 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username xxxxxxx password xxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:5e8d4a2dc25d4f48835921976f5d9869
: end
```

ggilbert Mon, 06/04/2007 - 08:07

What is the IP address and subnet mask on your laptop?

Enable the debug "debug icmp trace", then try to ping and see if the PIX sees the ICMP and whether it replies.

Hope this helps.

Thanks,

Gilbert

Dewboy691 Mon, 06/04/2007 - 09:39

IP address on my laptop is 192.168.9.136 255.255.255.0

I did the debug command before and again this time, and got the same thing: 0 responses. I get up/up on the interface and I get a link on the laptop interface (so I know that electricity is flowing). Does it have to be a crossover cable? I put a Linksys workgroup switch between them and got the same result.

Here is the ipconfig output for my laptop.

```
IP Address. . . . . . . . . . . . : 192.168.9.136
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.9.135
```

Thanks again for your suggestions.

Joe

ggilbert Mon, 06/04/2007 - 11:39

Joe,

Can you issue the command "interface ethernet1 100full"?

Also, plug the PC directly into the inside interface of the PIX firewall.

After that, can you issue the command "sh interface" on the PIX and see if the interface is UP and the protocol is UP?

Thanks

gilbert

Dewboy691 Mon, 06/04/2007 - 12:08

Gilbert or anyone,

I tried this before and it still didn't work. I tried it again just now and now it shows up/down. When I hook it up to the switch it shows up/up. Ay Caramba!!

Any ideas?

Joe

ggilbert Mon, 06/04/2007 - 12:14

Seems like your PC has some problems.

Get another PC and try it out.

Cheers,

Gilbert

Dewboy691 Mon, 06/04/2007 - 12:36

Tried it with a whole new server (brand new) with the same IP address. The interface shows up/up but I still can't ping. I even moved the cable, IP address, and all references to the inside interface over to intf5 (a 4-port Ethernet card is in the PIX) and it still didn't work.

Is anyone 100% sure a Failover ONLY license will work by itself? I'm willing to sell the new license to my bosses IF I know it's that, and not them just throwing $400 away because the config was wrong.

Joe

grahambartlett Tue, 10/09/2007 - 07:19

Mate - you can run this fine (I have one at home ;-) ).

Sounds like your unit is acting as the failover (standby) unit. You need to make this the primary: enter "failover" in global config. This will then make the unit the primary and it will work ;-)
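As an added illustration (not code from the thread or from Cisco), the short audit below reads a PIX 6.3 config in the form Joe posted and reports the two things a reviewer would flag before putting the box into service alone: the `no failover` line grahambartlett points at, and the management-plane exposures in the same config (telnet permitted from any inside host, the default SNMP community, no `ssh <host> <mask> <if>` entry). The excerpt and the rule set are constructed for this example.

```python
import re

# Constructed excerpt of the PIX 6.3(4) config posted above, trimmed to
# the failover and management-plane lines the audit looks at.
PIX_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet1 inside security100
ip address inside 192.168.9.135 255.255.255.0
no failover
failover poll 15
http server enable
http 192.168.1.10 255.255.255.255 inside
http 192.168.9.136 255.255.255.255 inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.9.136 255.255.255.255 inside
ssh timeout 5
management-access inside
"""

def audit_pix_config(text):
    """Return (severity, code, message) findings for a PIX 6.x running config."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    # Standalone use: 'no failover' leaves the unit in standby/secondary role.
    if "no failover" in lines:
        findings.append(("info", "failover_off",
                         "failover disabled: unit will not act as the primary"))
    for ln in lines:
        # 'telnet 0.0.0.0 0.0.0.0 <if>' permits telnet from every host on <if>.
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", ln)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(("high", "telnet_any",
                             f"telnet permitted from any host on {m.group(3)}"))
        # Default SNMP community strings are readable by anyone who can reach it.
        m = re.match(r"snmp-server community (\S+)$", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", "snmp_default_community",
                             f"default SNMP community '{m.group(1)}'"))
    # PDM web server enabled but no 'http <host> <mask> <if>' restriction at all.
    hosts = [ln for ln in lines if ln.startswith("http ") and ln != "http server enable"]
    if "http server enable" in lines and not hosts:
        findings.append(("medium", "http_unrestricted",
                         "http server enabled with no http host entries"))
    # Without an 'ssh <host> <mask> <if>' line, SSH is not enabled and telnet
    # remains the only remote CLI path.
    if not any(re.match(r"ssh \S+ \S+ \S+$", ln) for ln in lines):
        findings.append(("low", "ssh_not_enabled",
                         "no 'ssh <host> <mask> <if>' entry; only telnet is available"))
    return findings
```

Running `audit_pix_config(PIX_CONFIG)` flags the `no failover` line along with the open telnet entry, the `public` community and the missing SSH host entry; removing those lines and adding `failover` plus an `ssh` host entry clears every finding.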
