PIX 525 failover

Mar 9th, 2008

Hi Guys,

I have 2 525s and they are doing failover.

This is my first affair with pix failovers so I want to know if I can get the running config of the stand-by PIX from the active one?


JORGE RODRIGUEZ Sun, 03/09/2008 - 19:14


You can simply telnet to the standby unit and do "show run". If you do not know the IP of the standby, issue "show failover" on the primary PIX and you will get the standby IP in the output. "show failover" will also tell you the failover status; if it is OK, then your standby running config should be identical to the primary.



insccisco Sun, 03/09/2008 - 19:29

That is my problem as every time I do "sh failover", this is what I get:

PIX525#sh failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 21:21:36 EST Mar 6 2008
This host: Primary - Active
Active time: 237825 (sec)
Interface outside ( Normal (Waiting)
Interface inside ( Normal (Waiting)
Interface intf2 ( Link Down (Not-Monitored)
Interface intf3 ( Link Down (Not-Monitored)
Interface intf4 ( Link Down (Not-Monitored)
Interface intf5 ( Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 690 (sec)
Interface outside ( Normal (Waiting)
Interface inside ( Normal (Waiting)
Interface intf2 ( Unknown (Not-Monitored)
Interface intf3 ( Unknown (Not-Monitored)
Interface intf4 ( Unknown (Not-Monitored)
Interface intf5 ( Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.

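As an added example that is not from any poster in this thread: a small Python checker that parses "show failover" output like the one above and lists what an operator should look at (peer state, interfaces still waiting for the peer's hellos, and the missing stateful link). The sample is the posted output with blank lines removed; the page dropped the interface addresses, so the regex accepts both that form and the usual "(x.x.x.x):" form.

```python
import re

# Constructed sample: the "show failover" output posted above with blank lines
# removed. The page lost the interface addresses; the regex below accepts both
# that form and the usual "Interface outside (x.x.x.x): Normal (Waiting)" form.
SAMPLE = """Failover On
Failover LAN Interface: N/A - Serial-based failover enabled
This host: Primary - Active
Interface outside ( Normal (Waiting)
Interface inside ( Normal (Waiting)
Interface intf2 ( Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Interface outside ( Normal (Waiting)
Interface inside ( Normal (Waiting)
Interface intf2 ( Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured."""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \([\d.]*\)?:?\s*([A-Za-z][A-Za-z ]*?) \(([^)]+)\)$")

def parse_failover(text):
    # Returns failover state, stateful-link state and per-host interface states.
    info = {"failover_on": "Failover On" in text, "stateful_link": None, "hosts": {}}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if m := HOST_RE.match(line):
            current = m.group(1)
            info["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            info["hosts"][current]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("Link :"):
            info["stateful_link"] = line.split(":", 1)[1].strip().rstrip(".")
    return info

def findings(info):
    # Conditions a failover health check should surface to an operator.
    out = []
    if not info["failover_on"]:
        out.append("failover is off")
    other = info["hosts"].get("Other")
    if other is None or other["state"] != "Standby Ready":
        out.append("peer is not Standby Ready")
    for host, data in info["hosts"].items():
        for name, (status, monitor) in data["interfaces"].items():
            if status == "Normal" and monitor == "Waiting":
                out.append(f"{host} host {name}: no hellos seen from peer (check cabling/VLAN)")
    if info["stateful_link"] == "Unconfigured":
        out.append("no stateful link: connections will not survive a failover")
    return out
```

Run findings(parse_failover(SAMPLE)) against the posted output and it reports four interfaces waiting on the peer plus the unconfigured stateful link, which matches the cabling/VLAN advice given below.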

JORGE RODRIGUEZ Sun, 03/09/2008 - 19:53

Please go over the physical connectivity on your standby unit with respect to the outside interface and inside interface. Does the standby PIX inside connect to a switch on the same VLAN just as the primary? In other words, if you have two firewalls in failover, each firewall interface connection to a switch, for example, must match the same VLAN and actually be connected; the same goes for the standby unit outside interface connection to a switch. If you have these connected to a switch, you can issue "failover reset" to restart failover, of course do it in non-production hours. Could you post the config of the failover portion from your primary PIX?


srue Sun, 03/09/2008 - 20:11

Try consoling into the secondary unit and enter the command "failover".

insccisco Mon, 03/10/2008 - 04:46

Here's my running config. I think failover is not configured or perhaps is not configured properly.

Please advise

insccisco Mon, 03/10/2008 - 09:04

Hi Jorge,

Sorry for not getting back sooner... Monday mornings.....

I am now back at full speed on this project. It seems to me that this firewall is not set up for failover. Please confirm.

Also, before I do go ahead and configure (with your help obviously :) ) this 525 for failover, I was doing some reading last night and found out that there are 2 types of failover: Active/Active failover and Active/Standby. (btw, that document is one of the documents I downloaded and read last night...) So, I want to ask you which is the best of them or which do you recommend?

The Active/Active seduces me a bit as it also does load balancing, but again I am not too experienced on PIX failovers. I am just thinking "hey, if the secondary PIX will just be sitting there not doing any work, perhaps we'll give it some".... but again, I will follow the best and most recommended setup.

please advise

JORGE RODRIGUEZ Mon, 03/10/2008 - 10:31

Hi, looking at your config output the PIX is not configured for failover. The first thing you need to do is a firewall license assessment.

On the primary, "show version" output should tell you at the end the type of failover license, i.e. FO means Failover Only; your standby "show version" output should be UR for Unrestricted. FO and UR is the Failover/Standby scenario. I think if you have Active/Active then you will see the license differently, I will look it up.

Make an assessment of what type of failover cable is there from PIX1 to PIX2 to determine whether it is LAN-based failover etc. Since you cannot telnet to the standby you will have to console to it to get "show ver" info etc.

In the meantime see table 9 for licensing info.

Once you get the assessment straight, the link you read or the one I provided in my second post gives an example of a standby/failover configuration. I'll be more than happy to assist and I'm very sure nepros will do as well. I'll be off and on the forum as I'm a bit busy today, but I'll try to look up your model specs.



insccisco Tue, 03/11/2008 - 09:52

Here it is.

This is from the only one I have access to. The other one I would have to go onsite and check it out.

Let me know if this PIX meets the requirements

thank you

Richard Burts Tue, 03/11/2008 - 10:57

This PIX has an Unrestricted license and as such would be able to do failover.



insccisco Tue, 03/11/2008 - 10:59

And what about the line that says "Active/Active"?

Does this mean this 525 can only do Active/Active failover? or can it also do the Active/Standby type of failover?

insccisco Tue, 03/11/2008 - 11:16

Awesome. Thanks for confirming this. Looks like I'm all set in this PIX. For the backup PIX, do I need any kind of special license as well?

And yes, I read that article, as well as the one for Active/Active and the Active/Standby looks like the route to go.

But in which situations would you use Active/Active though? Distributing the load sounds like a good idea

srue Tue, 03/11/2008 - 11:47

Active/Active is when you have multiple contexts configured. If you have multiple contexts configured, you can't use VPNs.

You don't need any other special licenses.
