Traffic is not passing through the firewall

Unanswered Question
Jan 5th, 2009

Hi everyone,

I have two PIX 525s in HA mode. I tried migrating the same to another vendor's firewall, but for some reasons I could not make it through. Now, once I reverted back to the PIX setup, I found that none of the traffic is passing through the primary firewall, nor am I able to ping, but, thanks to God, it works with the secondary. I do not find any config changes between these firewalls. This happened a week ago and it is still running with one firewall. Can anyone help me here...

-John Peter

sachinraja Mon, 01/05/2009 - 09:46

Hey John,

Do you have more details on your network? How is the routing happening? Are there any error logs on the PIX ("show log")? If the firewalls haven't changed their configs, I don't see any reason it should fail, especially if it works on failover.

Is it normal failover or stateful/LAN failover? Are the configs in both firewalls consistent?

Raj

john_peter Mon, 01/05/2009 - 22:35

Hi Sachin,

Well, it's normal failover using a failover cable. Does it matter if my primary has failover as Active/Active?

john_peter Wed, 01/07/2009 - 04:48

Oops, no one replied...

Do you see any issues with the failover license on the primary?




sh ver

Cisco PIX Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(4)

Compiled on Sun 26-May-08 13:39 by builders
System image file is "flash:/pix723.bin"
Config file at boot was "startup-config"

PIXFW up 12 mins 43 secs
failover cluster up 40 mins 23 secs

Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 001a.2f8c.ca16, irq 10
1: Ext: Ethernet1 : address is 001a.2f8c.ca17, irq 11
2: Ext: GigabitEthernet0 : address is 000e.0cbf.d619, irq 10
3: Ext: GigabitEthernet1 : address is 000e.0cbf.d519, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: xxxxxxx
Running Activation Key: xxxxxxxxxx



-John

sachinraja Mon, 01/12/2009 - 17:33

Hello John,

Was there any interface of the primary which was down? In that case, the primary firewall might never become active. What was the issue? Did you make the primary firewall active in standalone mode? Was it working?

Raj
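The check Raj is asking for (is the primary sitting in a Failed state because one of its monitored interfaces is down, and do the two units agree on software version and cable state?) is what `show failover` on the PIX reports. The script below is an added example, not something posted in this thread or shipped with the PIX: it parses a constructed `show failover` text, modelled on the layout of a PIX 7.x pair using serial (cable) failover, and lists the findings a practitioner would look at first. The sample output, the interface names and addresses in it, and the exact line layout are assumptions; real output may differ slightly between releases, so adjust the regular expressions to what your unit prints.

```python
import re

# Constructed sample, modelled on the layout of `show failover` on a PIX 7.x
# pair with serial (cable) failover. It is NOT output from the poster's units;
# names, addresses and states are invented for the example.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 09:12:41 UTC Dec 29 2008
        This host: Primary - Failed
                Active time: 0 (sec)
                Interface outside (192.0.2.2): Normal
                Interface inside (10.0.0.2): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 604800 (sec)
                Interface outside (192.0.2.1): Normal
                Interface inside (10.0.0.1): Normal
"""

# Line patterns for the fields the diagnosis needs (assumed layout, see above).
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s+(.+?)\s*$")
VERSION_RE = re.compile(r"^Version:\s+Ours (\S+), Mate (\S+)\s*$")
CABLE_RE = re.compile(r"^Cable status:\s+(.+?)\s*$")


def parse_show_failover(text):
    """Return cable status, the two software versions and, per unit, its role
    (Primary/Secondary), failover state and the state of each monitored interface."""
    report = {"cable": None, "versions": None, "hosts": {}}
    current = None  # "this" or "other": which unit the interface lines belong to
    for line in text.splitlines():
        m = CABLE_RE.match(line)
        if m:
            report["cable"] = m.group(1)
            continue
        m = VERSION_RE.match(line)
        if m:
            report["versions"] = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = which.lower()
            report["hosts"][current] = {"role": role, "state": state, "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, _addr, status = m.groups()
            report["hosts"][current]["interfaces"][name] = status
    return report


def diagnose(report):
    """Turn the parsed report into findings relevant to the symptom in this
    thread: a primary that never becomes active and passes no traffic."""
    findings = []
    if report["cable"] and report["cable"] != "Normal":
        findings.append("failover cable status is %s" % report["cable"])
    if report["versions"] and report["versions"][0] != report["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % report["versions"])
    for host in report["hosts"].values():
        bad = sorted(n for n, s in host["interfaces"].items() if s != "Normal")
        if bad:
            detail = ", ".join("%s=%s" % (n, host["interfaces"][n]) for n in bad)
            findings.append("%s unit (%s) has non-Normal interfaces: %s"
                            % (host["role"], host["state"], detail))
        if host["role"] == "Primary" and host["state"].startswith("Failed"):
            findings.append("Primary is in Failed state; it will not take over "
                            "until its failed interfaces recover or it is reset")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("-", finding)
```

On the constructed sample this reports the inside interface of the primary as Failed (Waiting) and the primary itself as Failed, which is exactly the condition Raj describes: the unit will stay standby (or failed) no matter how consistent the configs are until that interface is healthy again. A version mismatch or a non-Normal cable status would be reported the same way.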
