Secondary (Failover) Firewall not Sync-ing with Active Firewall

Unanswered Question
Sep 26th, 2008

Hello Everyone,

We have a PIX-525 Active-Passive Firewall Pair. Recently, I changed the Public IP Configuration, Access Lists & NAT-ing configuration on the Active (Primary) Firewall. While doing the changes on the Active Firewall, the Secondary FW was down (powered off). We have Stateful Failover, with the stateful cable connected between the serial ports of the 2 firewalls. After making the changes on the Active Firewall & saving the configuration on the Active FW, I booted up the Secondary Firewall. However, when I log in to the secondary FW, I can't see the new configuration. That is, the replication from the Active FW didn't take place automatically. Can anyone throw some light on why the secondary FW is not sync-ing with the Primary FW? Thanks in advance... Regards -- MOD

Jon Marshall Fri, 09/26/2008 - 12:33

Mod

What does the output of "sh failover" on both the primary and secondary look like?

What happens if you do a "write standby" on the primary ?

Jon

moditsec12 Sat, 09/27/2008 - 06:27

1) sh failover from primary:

Primary_PIX# sh failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.2(4), Mate 7.2(4)
Last Failover at: 17:34:07 AST Aug 26 2008
        This host: Primary - Active
                Active time: 2761620 (sec)
                  Interface outside (x.x.x.x): Normal (Waiting)
                  Interface inside (x.x.x.x): Normal (Waiting)
                  Interface DMZ (x.x.x.x): Normal (Waiting)
                  Interface DMZ2 (x.x.x.x): Normal (Waiting)
                  Interface DMZ3 (x.x.x.x): No Link (Waiting)
                  Interface WAN_DMZ (0.0.0.0): Link Down (Waiting)
                  Interface gb-e0 (0.0.0.0): Link Down (Waiting)
                  Interface gb-e1 (0.0.0.0): Link Down (Waiting)
        Other host: Secondary - Sync Config
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): Unknown
                  Interface inside (x.x.x.x): Unknown
                  Interface DMZ (x.x.x.x): Unknown
                  Interface DMZ2 (x.x.x.x): Unknown
                  Interface DMZ3 (x.x.x.x): Unknown (Waiting)
                  Interface WAN_DMZ (0.0.0.0): Unknown (Waiting)
                  Interface gb-e0 (0.0.0.0): Unknown (Waiting)
                  Interface gb-e1 (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : DMZ3 Ethernet4 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         4456494    0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        590896     0          0          0
        UDP conn        3865598    0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       1       4456494
Primary_PIX#

moditsec12 Sat, 09/27/2008 - 06:28

2) sh failover from secondary:

pixfirewall# sh failover
Failover On
Cable status: Normal
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 7.2(4), Mate 7.2(4)
Last Failover at: 13:31:36 UTC Sep 27 2008
        This host: Secondary - Sync Config
                Active time: 0 (sec)
        Other host: Primary - Active
                Active time: 2762910 (sec)

Stateful Failover Logical Update Statistics
        Link : DMZ3 Ethernet4 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
pixfirewall#
pixfirewall#
Unable to sync configuration from Active
.
========================= NOTICE =========================
This platform is licensed to run in
failover secondary mode only
==========================================================
Detected an Active mate
Unable to sync configuration from Active
.
========================= NOTICE =========================
This platform is licensed to run in
failover secondary mode only
==========================================================
Detected an Active mate

moditsec12 Sat, 09/27/2008 - 06:29

3) Write standby on the Primary:

Primary_PIX# wr standby
Building configuration...
Config replication in progress.... Please try later
[FAILED]

-------------------------------------

In step 2) it shows "Unable to sync configuration from Active" & in step 3) it doesn't replicate when the "wr standby" command is given.

Thanks & Regards

MOD

netbeginner Tue, 03/03/2015 - 22:53

Dear MOD,

I am also facing exactly the same problem while executing "Wr Standby" on the active ASA.

Config replication in progress.... Please try later
[FAILED]

The "Sh failover" result is also the same as what you were facing. Please guide me on how you resolved this problem.

Rgds

***

JacquesLayman Thu, 06/04/2015 - 14:40

I'm also having the same problem. Can someone please advise how to force a sync between the primary and secondary? We only powered off the primary to move it down in the rack, and now it is standing still at "Sync Config".

Last Failover at: 12:52:49 UTC Jan 27 2015
        This host: Primary - Active
                Active time: 11064646 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface management (192.168.1.1): Link Down (Not-Monitored)
                  Interface RemAccess (172.18.112.2): Normal (Not-Monitored)
                  Interface outside (***.***.***.***): Normal (Not-Monitored)
                  Interface inside (172.18.24.1): Normal (Not-Monitored)
                  Interface inside-voice (172.19.32.1): Normal (Not-Monitored)
                  Interface zieto-jhb-perimeter (***.***.***.***): Normal (Not-Monitored)
                  Interface dcz-jhb-mw (***.***.***.***): Normal (Not-Monitored)
                  Interface zieto-pta-perimeter (***.***.***.***): Normal (Not-Monitored)
                  Interface dcz-pta-mw (***.***.***.***): Normal (Not-Monitored)
                  Interface dcz-pta-dmz1 (***.***.***.***): Normal (Not-Monitored)
                  Interface dr-pta-mw (***.***.***.***): Normal (Not-Monitored)
        Other host: Secondary - Sync Config
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface management (0.0.0.0): Unknown (Not-Monitored)
                  Interface RemAccess (172.18.112.3): Unknown (Not-Monitored)
                  Interface outside (0.0.0.0): Unknown (Not-Monitored)
                  Interface inside (0.0.0.0): Unknown (Not-Monitored)
                  Interface inside-voice (0.0.0.0): Unknown (Not-Monitored)
                  Interface zieto-jhb-perimeter (0.0.0.0): Unknown (Not-Monitored)
                  Interface dcz-jhb-mw (0.0.0.0): Unknown (Not-Monitored)
                  Interface zieto-pta-perimeter (0.0.0.0): Unknown (Not-Monitored)
                  Interface dcz-pta-mw (0.0.0.0): Unknown (Not-Monitored)
                  Interface dcz-pta-dmz1 (0.0.0.0): Unknown (Not-Monitored)
                  Interface dr-pta-mw (0.0.0.0): Unknown (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Tushar Bangia Wed, 03/04/2015 - 21:39

All the interfaces show "Normal (Waiting)"; however, they should show "Normal (Monitored)". Please check the switch and cables connecting the primary and standby PIX.

You can also try to disable monitoring of the "interface" for failover and then test whether the failover is stable and whether you are able to copy the configs.

Regards,

Tushar Bangia

Note: Please do rate post if you find it helpful!!
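As an added illustration that is not part of this thread, the script below parses "show failover" output of the shape posted above and reports the conditions the replies point at: a mate stuck in "Sync Config" (MOD's step 2), a stateful link that is not up, a version mismatch between the units, a unit that monitors no interfaces, and interfaces that sit in "(Waiting)" or a non-Normal state instead of "Normal (Monitored)" (Tushar's point). The first sample is condensed from the primary unit's output in the thread with its x.x.x.x placeholders; the "healthy" sample, the "Standby Ready" state and the "(up)" link wording are assumptions for the sake of the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: condensed from the primary unit's "sh failover" in the thread.
SAMPLE_PRIMARY = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Monitored Interfaces 8 of 250 maximum
Version: Ours 7.2(4), Mate 7.2(4)
This host: Primary - Active
Active time: 2761620 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Interface DMZ3 (x.x.x.x): No Link (Waiting)
Interface gb-e0 (0.0.0.0): Link Down (Waiting)
Other host: Secondary - Sync Config
Active time: 0 (sec)
Interface outside (0.0.0.0): Unknown
Interface inside (x.x.x.x): Unknown
Stateful Failover Logical Update Statistics
Link : DMZ3 Ethernet4 (Failed)
"""

# Constructed sample of a pair that looks healthy (assumed wording, not from the thread).
SAMPLE_HEALTHY = """\
Version: Ours 7.2(4), Mate 7.2(4)
Monitored Interfaces 2 of 250 maximum
This host: Primary - Active
Interface outside (x.x.x.x): Normal (Monitored)
Interface inside (x.x.x.x): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface outside (x.x.x.x): Normal (Monitored)
Interface inside (x.x.x.x): Normal (Monitored)
Link : fover Ethernet2 (up)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s+(.+?)\s*$")
VERSION_RE = re.compile(r"^\s*Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")
LINK_RE = re.compile(r"^\s*Link\s*:\s*(.+?)\s*$")
MONITORED_RE = re.compile(r"^\s*Monitored Interfaces\s+(\d+)\s+of\s+(\d+)")


def parse_show_failover(text: str) -> Dict:
    """Extract the fields of 'show failover' that matter for a sync diagnosis."""
    parsed: Dict = {"hosts": {}, "versions": None, "stateful_link": None,
                    "monitored": None}
    current: Optional[str] = None  # which host block ("This"/"Other") we are in
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            parsed["hosts"][current] = {"unit": m.group(2), "state": m.group(3),
                                        "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            parsed["hosts"][current]["interfaces"].append(
                {"name": m.group(1), "addr": m.group(2), "status": m.group(3)})
            continue
        m = VERSION_RE.match(line)
        if m:
            parsed["versions"] = (m.group(1), m.group(2))
            continue
        m = LINK_RE.match(line)
        if m:
            parsed["stateful_link"] = m.group(1)
            continue
        m = MONITORED_RE.match(line)
        if m:
            parsed["monitored"] = (int(m.group(1)), int(m.group(2)))
    return parsed


def diagnose(parsed: Dict) -> List[str]:
    """Return findings in order of importance; an empty list means nothing stood out."""
    findings: List[str] = []
    other = parsed["hosts"].get("Other")
    if other and other["state"] == "Sync Config":
        findings.append("mate is stuck in 'Sync Config': configuration replication "
                        "from the Active unit has not completed")
    versions = parsed["versions"]
    if versions and versions[0] != versions[1]:
        findings.append("software version mismatch between units: %s vs %s" % versions)
    link = parsed["stateful_link"]
    if link is not None:
        m = re.search(r"\(([^)]+)\)\s*$", link)
        link_state = m.group(1) if m else link  # e.g. "Failed", "down", "Unconfigured."
        if link_state.lower() != "up":
            findings.append("stateful failover link is not up: %s" % link)
    if parsed["monitored"] and parsed["monitored"][0] == 0:
        findings.append("this unit monitors no interfaces")
    this = parsed["hosts"].get("This")
    if this:
        for iface in this["interfaces"]:
            status = iface["status"]
            # "(Not-Monitored)" is a deliberate choice; "(Waiting)" or a non-Normal
            # state means the units cannot see each other on that segment.
            if "Waiting" in status or not status.startswith("Normal"):
                findings.append("interface %s is '%s', not 'Normal (Monitored)': check "
                                "the switch and cabling between the units"
                                % (iface["name"], status))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_show_failover(SAMPLE_PRIMARY)):
        print("-", finding)
```

Run against the condensed primary output it reports the stuck mate, the failed DMZ3 stateful link and the four "(Waiting)" or down interfaces, which is the same picture Tushar draws from the full output; against the healthy sample it reports nothing.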
