traffic is not passing thru the firewall

Unanswered Question
Jan 5th, 2009

Hi everyone,

I have two PIX 525s in HA mode. I tried migrating the same to another vendor firewall, but due to some reasons I could not make it through. Now, once I reverted back to the PIX setup, I found none of the traffic is passing through the primary firewall, nor am I able to ping, but thanks to God, it works with the secondary. I do not find any config changes between these firewalls. This happened a week ago and it is still running with one firewall. Can anyone help me here?

-John Peter

sachinraja Mon, 01/05/2009 - 09:46

hey John

Do you have more details on your network? How is the routing happening? Are there any error logs on the PIX ("show log")? If the firewalls haven't changed their configs, I don't see any reason it should fail, especially if it works on failover.

Is it a normal failover or stateful / LAN failover? Are the configs in both the firewalls consistent?


john_peter Mon, 01/05/2009 - 22:35

Hi sachin,

Well, it's normal failover using the failover cable. Does it matter if my primary has failover as Active/Active?

john_peter Wed, 01/07/2009 - 04:48

Oops, no one replied..

Do you see any issues with the failover license on the primary?

sh ver

Cisco PIX Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(4)

Compiled on Sun 26-May-08 13:39 by builders
System image file is "flash:/pix723.bin"
Config file at boot was "startup-config"

PIXFW up 12 mins 43 secs
failover cluster up 40 mins 23 secs

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 001a.2f8c.ca16, irq 10
1: Ext: Ethernet1 : address is 001a.2f8c.ca17, irq 11
2: Ext: GigabitEthernet0 : address is 000e.0cbf.d619, irq 10
3: Ext: GigabitEthernet1 : address is 000e.0cbf.d519, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: xxxxxxx
Running Activation Key: xxxxxxxxxx
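As an added example (not part of the thread), here is a small Python parser for the kind of "sh ver" output quoted above that pulls out the licensed features, the interface list and the two uptime counters, so the failover license and a recent reload can be checked from a saved capture rather than by eye. The sample text is the excerpt from the post; the "unit reloaded after the cluster formed" check is an assumption about what is worth flagging, not something the thread confirms.

```python
import re

# Excerpt of the "sh ver" output quoted in the post above (taken from the page).
SHOW_VERSION = """\
Cisco PIX Security Appliance Software Version 7.2(3)
PIXFW up 12 mins 43 secs
failover cluster up 40 mins 23 secs
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
0: Ext: Ethernet0 : address is 001a.2f8c.ca16, irq 10
1: Ext: Ethernet1 : address is 001a.2f8c.ca17, irq 11
2: Ext: GigabitEthernet0 : address is 000e.0cbf.d619, irq 10
3: Ext: GigabitEthernet1 : address is 000e.0cbf.d519, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Failover : Active/Active
Security Contexts : 2
This platform has an Unrestricted (UR) license.
"""

UNIT_SECONDS = {"day": 86400, "hour": 3600, "min": 60, "sec": 1}

def uptime_seconds(text):
    """Convert '12 mins 43 secs' (or days/hours variants) to seconds."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s+(day|hour|min|sec)s?", text))

def parse_show_version(text):
    """Extract version, uptimes, interfaces and the licensed-features table."""
    info = {"version": None, "unit_uptime": None, "cluster_uptime": None,
            "interfaces": [], "features": {}}
    in_features = False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.search(r"Software Version (\S+)", line):
            info["version"] = m.group(1)
        elif m := re.match(r"failover cluster up (.+)", line):
            info["cluster_uptime"] = uptime_seconds(m.group(1))
        elif m := re.match(r"\S+ up (.+)", line):          # hostname up <time>
            info["unit_uptime"] = uptime_seconds(m.group(1))
        elif m := re.match(r"\d+: Ext: (\S+) : address is ([0-9a-f.]+)", line):
            info["interfaces"].append((m.group(1), m.group(2)))
        elif line.startswith("Licensed features"):
            in_features = True
        elif in_features and " : " in line:               # "Feature : Value"
            key, value = line.split(" : ", 1)
            info["features"][key.strip()] = value.strip()
    return info

def failover_findings(info):
    """Points to check before trusting this unit as the active failover peer (assumed checks)."""
    findings = []
    if info["features"].get("Failover", "Disabled") == "Disabled":
        findings.append("no failover license")
    if info["cluster_uptime"] and info["unit_uptime"] < info["cluster_uptime"]:
        findings.append("unit reloaded after the cluster formed; review 'show failover' history")
    return findings
```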


sachinraja Mon, 01/12/2009 - 17:33

hello john

Was there any interface of the primary which was down? In that case, the primary firewall might never become active. What was the issue? Did you make the primary firewall active in standalone mode? Was it working?


