Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
0
Helpful
6
Replies

Pix sync connection

stuart.jones
Level 1
Level 1

‎10-19-2008 03:11 PM - edited ‎03-11-2019 06:59 AM

Hi,

I have a pair of Pix's configured for failover and stateful sync, but i have discovered that the sync is not working, after some investigation it looks like one of the FW's has had its interface assigned to the wrong VLAN.

So the fix is to assign the interface into the correct vlan, I wanted to know if there was any potential serivce impact when this happens, ie when the sync gets connected and starts working ?

Appreciate any thoughts

Thanks

Labels:
0 Helpful
6 Replies 6

Fernando_Meza
Level 7
Level 7

‎10-19-2008 07:07 PM

Hi,

I suggets you posting the output of 'show failover'to be sure .. however by the sound of it, you should not have any major issues. At the moment the current Active firewall must be forwarding packets and also monitoring the status of the standby firewall's interfaces. Once the status is normal, the failover relation will be completed and the configuration will be 'pushed' from Active to Standby. It is unlikely that traffic flow will be affected.

Please rate helpful posts !!!

0 Helpful

stuart.jones
Level 1
Level 1
In response to Fernando_Meza

‎10-20-2008 11:24 AM

Hi,

Attached is the output of the 'show failover' from both firewalls.

Also was concerned if the IP address configured on the 'spare' interface on one of the units will cuase any issues even though the interface is shutdown ?

Preview file
4 KB
0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to stuart.jones

‎10-20-2008 07:10 PM

Whichever interfaces you are not using you can disable failover monitoring for it using:

no monitor-interface command.

Also it seems there is a communication problem on the stateful failover link. Can you ping both ends (active/stanby IPs)?

Regards

Farrukh

0 Helpful

stuart.jones
Level 1
Level 1
In response to Farrukh Haroon

‎10-21-2008 10:28 AM

Thanks.

It is the stateful link that is th elink which has been assigned to different vlans either end, and is the one i was intending to change to the correct vlan and was wondering if this would cause me the issues.

As for the ping, no i cannot ping either stateful interface from either FW.

Thanks again

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to stuart.jones

‎10-21-2008 11:32 PM

No this will hopefully cause no issues. Once you set both to the same VLAN the ping should work.

Regards

Farrukh

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni

‎10-19-2008 11:04 PM

Just make sure you take a backup of the configuration. Sometimes both units think they are active and it can erase the configuration on the desired primary unit. An easy way to make sure this does not happen is to 'ping' the other units failover interface before enabling 'failover' on both sides. And also making sure you have the correct boxes assigned as primary/secondary.

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card