Two PIX525 Configuration with Different OS ver

Unanswered Question
Feb 5th, 2008

Can someone help with my following problem:

I have two PIX525s, one in production (Version 6.2(1)) and one standby (Version 6.3(5)). Both PIX525s have the UR license and the same configuration. The plan is that if the production PIX525 fails, we can switch the network to the standby PIX525. The standby PIX525 is not connected to the network while the production PIX525 is running. (This is not a failover connection.)

When I tested the standby PIX525 in the production environment, it failed. During this test, I could ping the IP addresses of the inside and outside interfaces. But port 80 traffic could not pass through the standby PIX525. I also noticed that there was an error in the syslog during the test:

"(Secondary) Failover cable not connected (this unit)"

I am not sure why it produced the above error message during the test. Failover is disabled and no failover cable is connected to the standby PIX525.

When the standby PIX525 was replaced by the production PIX525 (connected back to the same network), everything worked fine.

Here is the “sh run” of production PIX525 (working PIX):

PIX525# sh run
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX525
domain-name ciscopix.com
fixup protocol http 80
fixup protocol http 443
names
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq https
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.254.0
ip address inside x.x.x.x 255.255.0.0
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.254.0
global (outside) 1 x.x.x.x netmask 255.255.254.0
nat (inside) 1 x.x.x.x 255.255.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no sysopt route dnat

Here is the “sh run” of standby PIX525 (not working):

PIX525# sh run
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iV.bykN9za7xaE.x encrypted
passwd iV.bykN9za7xaE.x encrypted
hostname PIX525
domain-name ciscopix.com
fixup protocol http 80
fixup protocol http 443
names
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.254.0
ip address inside x.x.x.x 255.255.0.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.254.0
global (outside) 1 x.x.x.x netmask 255.255.254.0
nat (inside) 1 x.x.x.x 255.255.0.0 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

Thanks. -Simon

srue Tue, 02/05/2008 - 10:05

how long did you leave the standby 525 in place before calling it quits since it wasn't working properly?

There may have been some arp cache problems on any/all devices connected to it.

clear the arp cache on any attached devices/hosts you have problems with next time you try this.

Basically, surrounding devices have a different MAC for the firewall's IP so it needs to be cleared on all the other devices...or just let it time out naturally.

simonli007 Tue, 02/05/2008 - 14:29

I rebooted all the switches on the network after connecting the standby PIX525 to the production environment. I believe that would clear all the ARP caches. I was also able to ping both the inside and outside IPs during the test. But when I browsed a website, either from inside to outside or from outside to inside, neither would work. The syslog server received an error message during the test:

"(Secondary) Failover cable not connected (this unit)"

I am not sure why the standby PIX525 generated the above error message. Is it possible that the standby PIX525 did not work because of the above error message? But I don't know how to get rid of the above error message.

Thank you very much for your reply.

srue Tue, 02/05/2008 - 15:37

you need to check the license on the 525 and make sure it's not a failover license.

simonli007 Tue, 02/05/2008 - 15:42

The "sh ver" shows it is UR license.

Thanks again for your reply.

simonli007 Tue, 02/05/2008 - 16:18

I also noticed a difference between the production PIX525 and the standby PIX525 regarding the failover configuration:

Production PIX525:

no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0

Standby PIX525:

no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside

Will this cause any problem on the standby PIX525?

Is there any other possible cause of the error message in the syslog?

Thanks.
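Since the thread comes down to a line-by-line comparison of two "sh run" dumps from different PIX OS versions (the two full dumps in the first post and the failover excerpt in this one), here is an added example of how a defender would automate that comparison. It is not Cisco tooling and not the poster's own code. The two sample configs are abridged from the dumps pasted above, with the poster's x.x.x.x placeholders kept; the list of top-level keywords, the "unknown first token means pager continuation" rule and the 80-column hard-wrap rule are assumptions made for this example.

```python
"""Normalize and diff two PIX 'show running-config' dumps.

Added example for this thread (not Cisco tooling, not the poster's code).
The dumps below are abridged from the first post; the continuation and
wrap-width rules are assumptions about how the PIX pager splits long lines.
"""
import re

# Top-level PIX 6.x keywords seen in the dumps. A line whose first token is
# not in this set is treated as a pager-wrapped continuation (assumption).
TOP_LEVEL = {
    "nameif", "interface", "enable", "passwd", "hostname", "domain-name",
    "fixup", "names", "access-list", "pager", "mtu", "ip", "no", "failover",
    "pdm", "arp", "global", "nat", "static", "access-group", "route",
    "timeout", "sysopt",
}
WRAP_WIDTH = 80  # a line this wide was hard-wrapped mid-word by the terminal
SECRET_RE = re.compile(r"^(enable password|passwd)\b.*$")
FAILOVER_RE = re.compile(r"^(no )?failover\b")

# Constructed sample input: abridged 6.2(1) production dump from the thread.
PROD_CONFIG = """PIX525# sh run
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq https
ip address outside x.x.x.x 255.255.254.0
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
access-group acl_out in interface outside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
no sysopt route dnat
"""

# Constructed sample input: abridged 6.3(5) standby dump from the thread.
STANDBY_CONFIG = """PIX525# sh run
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iV.bykN9za7xaE.x encrypted
passwd iV.bykN9za7xaE.x encrypted
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq https
ip address outside x.x.x.x 255.255.254.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
access-group acl_out in interface outside
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
"""


def parse_config(text):
    """Return the normalized statements of a 'sh run' dump, secrets redacted."""
    statements = []
    prev_raw = ""
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.endswith("# sh run") or line.startswith("PIX Version"):
            prev_raw = raw
            continue
        if line.split()[0] not in TOP_LEVEL and statements:
            # Pager continuation: glue to the previous statement. If that line
            # filled the whole terminal width it was cut mid-word, so no space.
            sep = "" if len(prev_raw) >= WRAP_WIDTH else " "
            statements[-1] = statements[-1] + sep + line
        else:
            statements.append(line)
        prev_raw = raw
    # Never let password hashes reach diff output or a ticket.
    return [SECRET_RE.sub(lambda m: m.group(1) + " <redacted>", s) for s in statements]


def diff_configs(text_a, text_b):
    """Diff two dumps; split one-sided lines into failover syntax vs. policy drift."""
    a, b = set(parse_config(text_a)), set(parse_config(text_b))
    only_a, only_b = sorted(a - b), sorted(b - a)
    drift = only_a + only_b
    return {
        "only_in_a": only_a,
        "only_in_b": only_b,
        "failover_drift": [s for s in drift if FAILOVER_RE.match(s)],
        "policy_drift": [s for s in drift if not FAILOVER_RE.match(s)],
        "failover_disabled_on_both": "no failover" in a and "no failover" in b,
    }


if __name__ == "__main__":
    for key, value in diff_configs(PROD_CONFIG, STANDBY_CONFIG).items():
        print(key, value)
```

Run against the two dumps, the report shows that failover itself is off on both units and that the "failover ip address" lines differ only in how 6.2 and 6.3 print an unset value, while the real policy drift is confined to the rewritten "timeout" lines and the "no sysopt route dnat" line that only the production unit carries. Separating version syntax noise from policy drift is what keeps a cold-standby comparison like this reviewable; the redaction step is there because such diffs routinely end up pasted into tickets and forums.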

simonli007 Tue, 02/05/2008 - 17:10

Yes, all switches and the standby PIX525 were rebooted during the test in the production environment. But it still did not work.

Any other thought that could cause this weird problem?

Thanks for your reply

sivakondalarao Wed, 02/06/2008 - 01:42

Hi,

I suggest you simulate the setup as minimally as possible to troubleshoot this issue with the standby PIX.

regards

skrao

simonli007 Wed, 02/06/2008 - 09:19

Thanks for your suggestion.

I am very curious why the standby PIX525 has the UR license and failover disabled, but still generates the following message on the syslog server during the test:

"(Secondary) Failover cable not connected (this unit)"

I suspect this is the problem that caused the standby PIX525 not to work. Can anyone help answer my question?

Thanks.

Simon
