PIX failover troubleshooting

Unanswered Question
Jun 13th, 2008


I have a PIX 525 in failover. Two weeks ago I did an update of the Version to Version 7.2(4).

I was applying an ACL when the PIX made the failover, but it doesn't synchronize well, the primary PIX shows "Failed" and the configuration was deleted.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Mon, 06/16/2008 - 09:14

Have you tried debugging for failover?

debug fover ?

Also are both units running same version now.



carolinac Tue, 06/17/2008 - 07:22


Yes, both have the same activation key and the same version. It worked very well the last 3 weeks.

I didn't made the debug because it is in production and this can generate an increase in the processing. I have activated the failover again and now it is working well.

But the question is why this happened and why the configuration was erased. This could be a debug of the new version?

carolinac Fri, 06/20/2008 - 06:17


I have another problem. Yesterday the pix made the failover, but now i don't have access by ssh and the configuration is correct. By telnet and by ASDM i have access.

Is there any problem with the Version 7.2(4) ?

carolinac Fri, 06/20/2008 - 14:43

Yes, i did it and now i have access by ssh, but why is happening this when it made the failover?


Farrukh Haroon Sat, 06/21/2008 - 00:02

I don't think this is the normal behaviour. 'Why' could be anything, bug, mal-function etc. There is no specific answer I can give you here.



carolinac Mon, 10/20/2008 - 13:26


The same problem occurs again 3 more times with the pix as i have posted on Jun 13, 2008. Is there any bug with the version 7.2(4)? Is better to downgrade the version?


Farrukh Haroon Mon, 10/20/2008 - 19:06

I would check the failover and interface vlans/cables very carefully.

Also check 'show failover history' as to WHY the failover is happening.



weets08300 Thu, 07/24/2008 - 07:31

Hi all,

I have a problem too about failover and ssh.

I've tried to re-generate the RSA key but it didn't work.

My problem is following :

I have two ASA 5505 on 8.02 soft, the same configuration, same version about everything, in failover active/standby.

When a failover occurs : example the asa01 failed so the asa02 get active but before this moment it's possible to connect with ssh on the two asa. When the asa01 unfailed, it's impossible to me to connect it with ssh connection. And if I force the active asa to get standby, it's impossible to get connection on the standby.

Is there any problems with the 8.0(2)version?

weets08300 Thu, 07/24/2008 - 23:55

I have a second question, what did you mean when in the documentation you say :

When you configure LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Thanks a lot.

Farrukh Haroon Sat, 07/26/2008 - 00:33

Usually the secondary box is kept shut untill the primary one is completely configured. They would probably mean you have to start the second box to get its configuration synced with the primary unit. It is a best practice to ping the failover IPs before enabling failover, to avoid loosing the configuration in scenarios where both devices think they are 'Active' (for example if both are rebooted due to power failure and there is no failover communication).



rush2amol Mon, 10/20/2008 - 22:08

You need to save the ssh key seperately using the ca save all command. The wr mem save the running configuration but does not save the ssh rsa keys.

Further change the patch cords connected to the pix if it frequently goes on failover. Also check the show interface output of the interfaces connected to the pix to check for any physical or datalink errors.

nomair_83 Tue, 06/17/2008 - 03:54

Check the IOS, It should be same.

The number of active (up) interfaces in primary ASA should be same in secondry interface else it will show "failed".

just type no failover and shut down the failover interface and check both ASA then enable it again.


This Discussion