PIX 515E

Answered Question

We are currently using a PIX 515E with OS 7.0. We have some problems with email traffic and suspect the firewall is doing some funny things, so we decided to upgrade to OS 7.2. We have a redundant firewall of the same model with the same configuration, without failover. Our failover is manual.

We do not know what may happen after upgrading to 7.2, so we upgraded the redundant firewall first. The upgrade was smooth and we have 7.2 loaded with ASDM 5.2. However, after we switched our main 10MB connection to the redundant firewall, no traffic was coming in or going out. We fully shut down and restarted the 10MB modem before turning the redundant firewall on. A workstation can see the firewall but cannot get out onto the internet. On the firewall, we are able to ping www.google.com on the outside interface, but a workstation behind it is unable to.

After putting the 10MB connection back on the original firewall, which has OS 7.0, it worked immediately.

We also have a redundant ADSL internet connection in the office. When we tried putting the ADSL connection on the firewall and reconfiguring the IP address, we were at least able to access the internet.

Can someone please help and suggest what I should do next to get this resolved?

Thank you.

Correct Answer by felixjai, Wed, 09/17/2008 - 08:42

It is probably because your cold-standby redundant PIX has a different MAC address on the outside interface.

When you put the redundant PIX on the 10mb pipe, the upstream ISP router still has the original PIX's MAC address cached in its ARP table. The ARP entries for the original PIX need to be cleared or timed out in order for the router to learn the new MAC from the redundant PIX. I'm not sure what type of 10mb Internet you have, but usually power cycling the upstream router or equipment after switching to the redundant PIX should do the trick. If not, call your ISP and have them check the upstream ISP router, and see whether its ARP entries match the MAC of your redundant PIX.

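One way to see the mechanism felixjai describes is to model the ISP router's ARP table and the L2 segment in a few lines. This is an added illustration, not code from the thread or from Cisco: the IP address, the two MAC addresses and the 4-hour ARP aging value are constructed assumptions (4 hours is the Cisco IOS default, but your ISP's equipment may differ). The model shows why a cold swap to a second PIX with a different outside MAC silently drops return traffic, and why each of the three remedies in the answer (waiting for the entry to age out, clearing the router's ARP table or power cycling it, or the new device announcing its MAC with a gratuitous ARP) restores it.

```python
"""Model of the stale-ARP failure: the ISP router keeps the primary PIX's
MAC cached, so after a cold swap to a standby PIX with a different outside
MAC, return packets are sent to a MAC that is no longer on the wire.
Added illustration, not code from the thread. Addresses, MACs and the
aging value below are constructed assumptions."""

from dataclasses import dataclass, field

PIX_OUTSIDE_IP = "203.0.113.10"          # constructed (TEST-NET-3 range)
PRIMARY_MAC = "00:1b:2c:00:00:01"        # constructed
STANDBY_MAC = "00:1b:2c:00:00:02"        # constructed; differs from primary
ARP_AGING_SECONDS = 4 * 3600             # assumed: Cisco IOS default ARP aging


@dataclass
class ArpCache:
    """ARP table of the upstream ISP router: ip -> (mac, time learned)."""
    aging: int = ARP_AGING_SECONDS
    entries: dict = field(default_factory=dict)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        """Return the cached MAC, or None if absent or aged out."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.aging:
            del self.entries[ip]        # aged out; router must re-ARP
            return None
        return mac

    def clear(self):
        """Equivalent of clearing the ARP table or power cycling the router."""
        self.entries.clear()


@dataclass
class Segment:
    """L2 link between the ISP router and whichever PIX is powered on."""
    owners: dict = field(default_factory=dict)   # ip -> mac of the live device

    def attach(self, ip, mac):
        self.owners[ip] = mac

    def detach(self, ip):
        self.owners.pop(ip, None)

    def arp_request(self, ip):
        """Broadcast 'who has ip?'; only a powered-on device answers."""
        return self.owners.get(ip)

    def deliver(self, dst_mac):
        """A frame reaches a host only if that MAC is actually on the wire."""
        return dst_mac in self.owners.values()


def forward(cache, segment, dst_ip, now):
    """The router forwards a return packet toward dst_ip."""
    mac = cache.lookup(dst_ip, now)
    if mac is None:
        mac = segment.arp_request(dst_ip)
        if mac is None:
            return "no ARP reply"
        cache.learn(dst_ip, mac, now)
    if segment.deliver(mac):
        return f"delivered to {mac}"
    return f"dropped: stale ARP entry for {mac}"


def swap_to_standby(fix):
    """Simulate the cold swap. fix is one of:
    'none', 'wait_for_aging', 'clear_cache', 'gratuitous_arp'."""
    cache, seg = ArpCache(), Segment()
    now = 0
    seg.attach(PIX_OUTSIDE_IP, PRIMARY_MAC)
    forward(cache, seg, PIX_OUTSIDE_IP, now)      # router learns PRIMARY_MAC

    # Cold swap: primary unplugged, standby with a different MAC plugged in.
    now += 60
    seg.detach(PIX_OUTSIDE_IP)
    seg.attach(PIX_OUTSIDE_IP, STANDBY_MAC)

    if fix == "wait_for_aging":
        now += ARP_AGING_SECONDS                  # entry times out
    elif fix == "clear_cache":
        cache.clear()                             # ISP clears ARP / power cycle
    elif fix == "gratuitous_arp":
        cache.learn(PIX_OUTSIDE_IP, STANDBY_MAC, now)  # new device announces itself
    return forward(cache, seg, PIX_OUTSIDE_IP, now)


if __name__ == "__main__":
    for fix in ("none", "wait_for_aging", "clear_cache", "gratuitous_arp"):
        print(f"{fix:>15}: {swap_to_standby(fix)}")
```

The symptom in the question fits this model: the standby PIX can ping out because it sources its own ARP exchange, while return traffic for inside hosts is addressed to the old MAC and never arrives. The quickest check is to read the outside interface MAC on each PIX (`show interface` on PIX 7.x lists it) and ask the ISP to compare it with the entry in their router's ARP table; if they differ, the cache is the problem.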
