PIX failover troubleshooting

Jun 13th, 2008

Hi,


I have a PIX 525 in failover. Two weeks ago I updated the version to Version 7.2(4).

I was applying an ACL when the PIX made the failover, but it didn't synchronize well; the primary PIX shows "Failed" and the configuration was deleted.


Thanks,


Carolina


Farrukh Haroon Mon, 06/16/2008 - 09:14

Have you tried debugging for failover?


debug fover ?


Also, are both units running the same version now?


Regards


Farrukh

carolinac Tue, 06/17/2008 - 07:22

Hi


Yes, both have the same activation key and the same version. It worked very well the last 3 weeks.


I didn't do the debug because it is in production and this can generate an increase in processing. I have activated the failover again and now it is working well.


But the question is why this happened and why the configuration was erased. This could be a debug of the new version?

carolinac Fri, 06/20/2008 - 06:17

Hi,


I have another problem. Yesterday the PIX made the failover, but now I don't have access by SSH, and the configuration is correct. By telnet and by ASDM I have access.


Is there any problem with Version 7.2(4)?


Farrukh Haroon Fri, 06/20/2008 - 12:26

Try to re-generate the SSH keys


crypto key generate rsa


Regards


Farrukh

carolinac Fri, 06/20/2008 - 14:43

Yes, I did it and now I have access by SSH, but why is this happening when it made the failover?


Thanks

Farrukh Haroon Sat, 06/21/2008 - 00:02

I don't think this is the normal behaviour. 'Why' could be anything: bug, malfunction, etc. There is no specific answer I can give you here.


Regards


Farrukh

carolinac Mon, 10/20/2008 - 13:26

Hi


The same problem has occurred 3 more times with the PIX, as I posted on Jun 13, 2008. Is there any bug in version 7.2(4)? Is it better to downgrade the version?


Thanks



Farrukh Haroon Mon, 10/20/2008 - 19:06

I would check the failover and interface vlans/cables very carefully.


Also check 'show failover history' as to WHY the failover is happening.


Regards


Farrukh

weets08300 Thu, 07/24/2008 - 07:31

Hi all,

I have a problem with failover and SSH too.

I've tried to re-generate the RSA key but it didn't work.

My problem is the following:

I have two ASA 5505s on 8.02 software, with the same configuration and the same version of everything, in active/standby failover.

When a failover occurs, for example asa01 fails, so asa02 becomes active, but before this moment it's possible to connect with SSH to both ASAs. When asa01 recovers, it's impossible for me to connect to it with SSH. And if I force the active ASA to become standby, it's impossible to connect to the standby.


Are there any problems with the 8.0(2) version?



weets08300 Thu, 07/24/2008 - 23:55

I have a second question: what did you mean when you say in the documentation:

When you configure LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Thanks a lot.

Farrukh Haroon Sat, 07/26/2008 - 00:33

Usually the secondary box is kept shut until the primary one is completely configured. They would probably mean you have to start the second box to get its configuration synced with the primary unit. It is a best practice to ping the failover IPs before enabling failover, to avoid losing the configuration in scenarios where both devices think they are 'Active' (for example if both are rebooted due to power failure and there is no failover communication).


Regards


Farrukh
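
The bootstrap step from the documentation sentence quoted above, as an added example that is not part of the original thread: the minimal LAN-based failover lines entered on the secondary unit of a PIX 7.x pair so it can find the failover link and then receive the running configuration. The link name `folink`, the port `Ethernet3` and the 192.168.254.x addresses are assumptions and must match what the primary already uses.

```cisco
! Constructed example: typed on the SECONDARY PIX console in configuration mode.
! Assumed values: link name "folink", port Ethernet3, 192.168.254.0/24 addressing.
! Every value must be identical to the failover settings on the primary unit.

! PIX platform only: select LAN-based failover instead of the serial failover cable.
failover lan enable

! Dedicate the physical port to the failover link and give it the pair's addresses
! (first address = active unit, "standby" address = standby unit).
failover lan interface folink Ethernet3
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2

! The port is administratively down by default; bring it up.
interface Ethernet3
 no shutdown
exit

! Mark this box as the secondary so the two units do not both claim the primary role.
failover lan unit secondary

! Enabling failover starts negotiation over the link; the secondary then
! receives the running configuration from the active unit.
failover

! Save the bootstrap lines so they survive a reload.
write memory
```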

rush2amol Mon, 10/20/2008 - 22:08

You need to save the SSH key separately using the ca save all command. The wr mem saves the running configuration but does not save the SSH RSA keys.


Further, change the patch cords connected to the PIX if it frequently goes on failover. Also check the show interface output of the interfaces connected to the PIX to check for any physical or datalink errors.


nomair_83 Tue, 06/17/2008 - 03:54

Check the IOS; it should be the same.


The number of active (up) interfaces in the primary ASA should be the same in the secondary, else it will show "failed".


Just type no failover and shut down the failover interface and check both ASAs, then enable it again.

