Weird issue with PIX failover

Unanswered Question
Jun 6th, 2007

Hi.

My customer has 2 PIX 515e boxes. He has not configured any failover IP addresses. In the output of show failover, all the interfaces are in waiting state. BUT the failover is still working. It is weird because the configuration does not have any failover IPs configured.

    Failover On
    Cable status: Normal
    Reconnect timeout 0:00:00
    Poll frequency 15 seconds
    Last Failover at: 23:15:21 IST Sat Jun 2 2007
    This host: Primary - Active
    Active time: 145650 (sec)
    Interface outside (x.x.x.x): Normal (Waiting)
    Interface inside (x.x.x.x)(Waiting)
    Interface intf2 (x.x.x.x) Link Down (Shutdown)
    Interface intf3 (x.x.x.x): Normal (Waiting)
    Interface intf4 (127.0.0.1): Link Down (Shutdown)
    Interface intf5 (127.0.0.1): Link Down (Shutdown)
    Other host: Secondary - Standby
    Active time: 0 (sec)
    Interface outside (0.0.0.0): Normal (Waiting)
    Interface inside (0.0.0.0): Normal (Waiting)
    Interface intf2 (0.0.0.0): Link Down (Shutdown)
    Interface intf3 (0.0.0.0): Normal (Waiting)
    Interface intf4 (0.0.0.0): Link Down (Shutdown)
    Interface intf5 (0.0.0.0): Link Down (Shutdown)

The configuration is:

    failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5

We tested by switching off the primary PIX and, to my surprise, the standby PIX took the IP addresses of the primary and traffic was flowing normally. Please let me know if this is normal.


I will have to preface this with saying "I believe", as I am not 100% on my answer:

Then, "it depends".

If you have the Serial Failover cable attached, then even without a Failover IP address configured, the two PIX boxes will "know" each other, and keep their configurations synchronized. If you shut down the primary PIX, the failover box will see the loss, and take over as the primary. They will NOT have any State or Session activity, so current connections will drop, and need to be re-established. Adding the failover interface and cables will allow State information to be maintained, so connections will not drop. (Important for Citrix or Mainframe connectivity.)

If there is no Failover cable attached, then this would not be normal.

HTH.

Russ
