PIX 525 failover

insccisco
Level 1

Hi Guys,

I have 2 525s and they are doing failover.

This is my first affair with pix failovers so I want to know if I can get the running config of the stand-by PIX from the active one?

thanks

14 Replies

JORGE RODRIGUEZ
Level 10

You can simply telnet to the standby unit and do "show run". If you do not know the IP of the standby, issue "show failover" on the primary PIX and you will get the standby IP in the output. "show failover" will also tell you the failover status; if it is OK, then your standby running config should be identical to the primary's.

HTH

Jorge

Jorge Rodriguez

That is my problem as every time I do "sh failover", this is what I get:

PIX525#sh failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 21:21:36 EST Mar 6 2008
        This host: Primary - Active
                Active time: 237825 (sec)
                Interface outside (63.63.63.165): Normal (Waiting)
                Interface inside (192.168.252.2): Normal (Waiting)
                Interface intf2 (0.0.0.0): Link Down (Not-Monitored)
                Interface intf3 (0.0.0.0): Link Down (Not-Monitored)
                Interface intf4 (0.0.0.0): Link Down (Not-Monitored)
                Interface intf5 (0.0.0.0): Link Down (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 690 (sec)
                Interface outside (0.0.0.0): Normal (Waiting)
                Interface inside (0.0.0.0): Normal (Waiting)
                Interface intf2 (0.0.0.0): Unknown (Not-Monitored)
                Interface intf3 (0.0.0.0): Unknown (Not-Monitored)
                Interface intf4 (0.0.0.0): Unknown (Not-Monitored)
                Interface intf5 (0.0.0.0): Unknown (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
PIX525#
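As an added example (not code from the thread or from Cisco), here is a small Python parser for the "show failover" output quoted above. It pulls out each unit's role and state and flags the two things the replies go on to discuss: monitored interfaces still in "Waiting" (the interface is up but has not yet received a hello from the mate's corresponding interface) and a stateful failover link that is unconfigured. The sample text is a trimmed, constructed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the "show failover" output quoted in the thread.
SAMPLE = """\
Failover On
Failover LAN Interface: N/A - Serial-based failover enabled
Version: Ours 7.2(2), Mate 7.2(2)
This host: Primary - Active
Active time: 237825 (sec)
Interface outside (63.63.63.165): Normal (Waiting)
Interface inside (192.168.252.2): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 690 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \((.+)\)$")

def parse_failover(text):
    """Return per-unit state plus interface list, and the stateful link status."""
    hosts, current, stateful_link = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:  # "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:  # interface lines belong to the most recent host header
            hosts[current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "detail": m.group(4)})
            continue
        if line.startswith("Link :"):  # stateful failover link line
            stateful_link = line.split(":", 1)[1].strip().rstrip(".")
    return {"hosts": hosts, "stateful_link": stateful_link}

def failover_findings(parsed):
    """List conditions worth checking before trusting the standby to take over."""
    findings = []
    for side, host in parsed["hosts"].items():
        for iface in host["interfaces"]:
            if iface["detail"] == "Waiting":
                findings.append(f"{side} host {iface['name']}: up, but no hello from mate yet")
    if parsed["stateful_link"] == "Unconfigured":
        findings.append("stateful link unconfigured: connection state is not replicated")
    return findings
```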

Please go over the physical connectivity on your standby unit with respect to the outside interface and inside interface. Does the standby PIX inside connect to a switch on the same VLAN just as the primary? In other words, if you have two firewalls in failover, each firewall interface connection to a switch, for example, must match the same VLAN and actually be connected; the same goes for the standby unit's outside interface connection to a switch. If you have these connected to a switch, you can issue "failover reset" to restart failover; of course, do it in non-production hours. Could you post the config of the failover portion from your primary PIX?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

Jorge Rodriguez

Try consoling into the secondary unit and enter the command "failover".

Here's my running config. I think failover is not configured or perhaps is not configured properly.

Please advise

Angel, go over this link to configure the failover/standby configuration under code 7.x. I'll be on and off the forum; if you have any questions, let us know.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Jorge Rodriguez

Hi Jorge,

Sorry for not getting back sooner... Monday mornings.....

I am now back at full speed on this project. It seems to me that this firewall is not setup for failover. Please confirm.

Also, before I go ahead and configure (with your help obviously :) ) this 525 for failover, I was doing some reading last night and found out that there are 2 types of failover: Active/Active failover and Active/Standby. (btw, that document is one of the documents I downloaded and read last night...) So, I want to ask you which is the best of them or which do you recommend?

The Active/Active seduces me a bit as it also does load balancing, but again I am not too experienced with PIX failovers. I am just thinking "hey, if the secondary PIX will just be sitting there not doing any work, perhaps we'll give it some".... but again, I will follow the best and most recommended setup.

Please advise

Hi, looking at your config output, the PIX is not configured for failover. The first thing you need to do is a firewall license assessment.

On the primary, the "show version" output should tell you at the end the type of failover license, i.e. FO means Failover Only; your standby's "show version" output should be UR for Unrestricted. FO and UR is the Failover/Standby scenario. I think if you have Active/Active then you will see the license differently; I will look it up.

Make an assessment of what type of failover cable is there from PIX1 to PIX2 to determine whether it is LAN-based failover, etc. Since you cannot telnet to the standby, you will have to console to it to get the "show ver" info, etc.

In the meantime see table 9 for licensing info.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/product_data_sheet09186a00800b0d85.html

Once you get the assessment straight, the link you read or the one I provided in my second post gives an example of the standby/failover configuration. I'll be more than happy to assist and I'm very sure nepros will as well. I'll be off and on the forum as I'm a bit busy today, but I'll try to look up your model specs.

Rgds

Jorge

Jorge Rodriguez

Here it is.

This is from the only one I have access to. The other one I would have to go onsite and check it out.

Let me know if this PIX meets the requirements

thank you

Angel

This PIX has an Unrestricted license and as such would be able to do failover.

HTH

Rick

HTH

Rick

Great..

And what about the line that says "Active/Active"?

Does this mean this 525 can only do Active/Active failover, or can it also do the Active/Standby type of failover?

Awesome. Thanks for confirming this. Looks like I'm all set in this PIX. For the backup PIX, do I need any kind of special license as well?

And yes, I read that article, as well as the one for Active/Active, and Active/Standby looks like the route to go.

But in which situations would you use Active/Active, though? Distributing the load sounds like a good idea.

Active/Active is when you have multiple contexts configured. If you have multiple contexts configured, you can't use VPNs.

You don't need any other special licenses.
