Pix sync connection

Oct 19th, 2008

Hi,


I have a pair of PIXes configured for failover and stateful sync, but I have discovered that the sync is not working. After some investigation, it looks like one of the FWs has had its interface assigned to the wrong VLAN.


So the fix is to assign the interface to the correct VLAN. I wanted to know if there is any potential service impact when this happens, i.e. when the sync gets connected and starts working?


Appreciate any thoughts


Thanks

Fernando_Meza Sun, 10/19/2008 - 19:07

Hi,


I suggest you post the output of 'show failover' to be sure; however, by the sound of it, you should not have any major issues. At the moment the current Active firewall must be forwarding packets and also monitoring the status of the standby firewall's interfaces. Once the status is normal, the failover relation will be completed and the configuration will be 'pushed' from Active to Standby. It is unlikely that traffic flow will be affected.


Please rate helpful posts !!!



stuart.jones Mon, 10/20/2008 - 11:24

Hi,


Attached is the output of the 'show failover' from both firewalls.


Also, I was concerned whether the IP address configured on the 'spare' interface on one of the units will cause any issues, even though the interface is shut down?





Farrukh Haroon Mon, 10/20/2008 - 19:10

For whichever interfaces you are not using, you can disable failover monitoring using the 'no monitor-interface' command.


Also, it seems there is a communication problem on the stateful failover link. Can you ping both ends (active/standby IPs)?


Regards


Farrukh

stuart.jones Tue, 10/21/2008 - 10:28

Thanks.


It is the stateful link that has been assigned to different VLANs at either end, and it is the one I was intending to change to the correct VLAN; I was wondering if this would cause me issues.


As for the ping, no, I cannot ping either stateful interface from either FW.


Thanks again

Farrukh Haroon Tue, 10/21/2008 - 23:32

No, this will hopefully cause no issues. Once you set both to the same VLAN, the ping should work.


Regards


Farrukh

Farrukh Haroon Sun, 10/19/2008 - 23:04

Just make sure you take a backup of the configuration. Sometimes both units think they are active and it can erase the configuration on the desired primary unit. An easy way to make sure this does not happen is to 'ping' the other unit's failover interface before enabling 'failover' on both sides. Also make sure you have the correct boxes assigned as primary/secondary.


Regards


Farrukh
