Pix sync connection

Unanswered Question
Oct 19th, 2008


I have a pair of PIXes configured for failover and stateful sync, but I have discovered that the sync is not working. After some investigation, it looks like one of the FWs has had its interface assigned to the wrong VLAN.

So the fix is to assign the interface to the correct VLAN. I wanted to know if there is any potential service impact when this happens, i.e. when the sync gets connected and starts working?

Appreciate any thoughts


Fernando_Meza Sun, 10/19/2008 - 19:07


I suggest posting the output of 'show failover' to be sure. However, by the sound of it, you should not have any major issues. At the moment the current Active firewall must be forwarding packets and also monitoring the status of the standby firewall's interfaces. Once the status is normal, the failover relation will be completed and the configuration will be 'pushed' from Active to Standby. It is unlikely that traffic flow will be affected.

Please rate helpful posts !!!

stuart.jones Mon, 10/20/2008 - 11:24


Attached is the output of the 'show failover' from both firewalls.

I was also concerned whether the IP address configured on the 'spare' interface on one of the units will cause any issues, even though the interface is shut down?

Farrukh Haroon Mon, 10/20/2008 - 19:10

For any interfaces you are not using, you can disable failover monitoring with the 'no monitor-interface' command.

Also, it seems there is a communication problem on the stateful failover link. Can you ping both ends (active/standby IPs)?



stuart.jones Tue, 10/21/2008 - 10:28


It is the stateful link that has been assigned to different VLANs at either end, and it is the one I was intending to change to the correct VLAN; I was wondering if this would cause me issues.

As for the ping, no, I cannot ping either stateful interface from either FW.

Thanks again

Farrukh Haroon Tue, 10/21/2008 - 23:32

No, this will hopefully cause no issues. Once you set both to the same VLAN, the ping should work.



Farrukh Haroon Sun, 10/19/2008 - 23:04

Just make sure you take a backup of the configuration. Sometimes both units think they are active and it can erase the configuration on the desired primary unit. An easy way to make sure this does not happen is to 'ping' the other unit's failover interface before enabling 'failover' on both sides, and also to make sure you have the correct boxes assigned as primary/secondary.



