PIX failing over unexpectedly?

Answered Question
Jul 2nd, 2007

Hello,


We have two PIX515E (failover via serial cable). Ever since we physically relocated the two firewalls, it's been failing over to secondary then back to primary. It happened three times within a span of three months. I verified that there was no trend in the timing of the failover, it just happens sporadically. We do not have Syslog set up yet, so I do not have any logs to attach.

This is what I get with the "sh failover" command:

****************
*PIX Firewall-1*
*//10.10.10.1//*
****************
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: <time here> PDT <date here>
This host: Primary - Active
Active time: 39630 (sec)
Interface dmz1 (10.10.1.1): Normal
Interface inside (10.10.10.1): Normal
Interface dmz2 (10.10.2.1): Normal
Interface dmz3 (10.10.3.1): Normal
Interface dmz4 (10.10.4.1): Normal
Interface dmz5 (10.10.5.1): Normal
Other host: Secondary - Standby
Active time: 165180 (sec)
Interface dmz1 (10.10.1.2): Normal
Interface inside (10.10.10.2): Normal
Interface dmz2 (10.10.2.2): Normal
Interface dmz3 (10.10.3.2): Normal
Interface dmz4 (10.10.4.2): Normal
Interface dmz5 (10.10.5.2): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.

****************
*PIX Firewall-2*
*//10.10.10.2//*
****************
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: <time here> PDT <date here>
This host: Secondary - Standby
Active time: 165180 (sec)
Interface dmz1 (10.10.1.2): Normal
Interface inside (10.10.10.2): Normal
Interface dmz2 (10.10.2.2): Normal
Interface dmz3 (10.10.3.2): Normal
Interface dmz4 (10.10.4.2): Normal
Interface dmz5 (10.10.5.2): Normal
Other host: Primary - Active
Active time: 39630 (sec)
Interface dmz1 (10.10.1.1): Normal
Interface inside (10.10.10.1): Normal
Interface dmz2 (10.10.2.1): Normal
Interface dmz3 (10.10.3.1): Normal
Interface dmz4 (10.10.4.1): Normal
Interface dmz5 (10.10.5.1): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured.



I was wondering if anyone had any ideas why this is happening.


Thanks,

-Lee


Correct Answer
JBDanford2002 Mon, 07/02/2007 - 15:08

Possibly one of the connected interfaces is losing connectivity to the other PIX. What other devices are connected? Do you have logging on them? Maybe spanning tree problems etc...

lalcantara Tue, 07/03/2007 - 11:58

How simple was that! A few switch ports that the PIX interfaces were plugged into were negotiating incorrectly (duh!). There was a huge amount of collisions/late collisions and deferred packet losses. So I just forced the duplex & speed on the switch ports, until now there are no reported collisions.

Thank you!
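
A check for the symptom found in this thread, added here as an example and not part of the original posts: it parses switch interface counters and lists ports reporting late collisions, the usual sign that the two ends of a link disagree on duplex. It assumes the switch prints Cisco IOS-style "show interfaces" text (the thread does not name the switch model); the sample output and every counter value are constructed.

```python
import re

# Constructed sample in Cisco IOS "show interfaces" style; all values are invented.
SAMPLE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 output errors, 1523 collisions, 2 interface resets
     0 babbles, 87 late collision, 412 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/3 is up, line protocol is up (connected)
  Half-duplex, 10Mb/s, media type is 10/100BaseTX
     0 output errors, 40 collisions, 0 interface resets
     0 babbles, 0 late collision, 3 deferred
"""

HEADER = re.compile(r"^(\S+) is .*line protocol is ")
DUPLEX = re.compile(r"^\s+(Full|Half|Auto)-duplex, ([^,]+),")
COUNTER = re.compile(r"(\d+) (collisions|late collision|deferred)\b")

def parse_interfaces(text):
    """Return {port: {"duplex", "speed", "collisions", "late collision", "deferred"}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = ports.setdefault(m.group(1), {"duplex": None, "speed": None})
            continue
        if cur is None:
            continue  # skip anything before the first interface header
        m = DUPLEX.match(line)
        if m:
            cur["duplex"], cur["speed"] = m.group(1).lower(), m.group(2)
        for value, name in COUNTER.findall(line):
            cur[name] = int(value)
    return ports

def suspect_ports(ports):
    """Ports with late collisions: ordinary collisions are expected on a
    half-duplex segment, late ones usually mean the two ends disagree."""
    return sorted(
        (name, p["duplex"], p["speed"], p["late collision"])
        for name, p in ports.items()
        if p.get("late collision", 0) > 0
    )

if __name__ == "__main__":
    for name, duplex, speed, late in suspect_ports(parse_interfaces(SAMPLE)):
        print(f"{name}: {duplex}-duplex {speed}, {late} late collisions")
```

Run it against counters captured from the ports facing each PIX interface; a port that keeps reappearing in the list after its counters are cleared is the one to fix.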
