PIX firewall active/standby pair

May 12th, 2009

If there is a need to remove the standby PIX from active-standby position, what are the specific steps to be followed?

It seems removing the standby's physical connections will suffice, but it is not certain if this could cause problems to the normal traffic pattern, which is to be avoided.


suthomas1 Tue, 05/12/2009 - 04:04

Yes, it seems fine. But are there any particular steps to be followed, viz. shut off the failover and other interface on standby first, followed by physical removal?

handsy Tue, 05/12/2009 - 04:29

'no failover' on Active, then switch off Standby et voila!

suthomas1 Tue, 05/12/2009 - 05:40

Thanks. A few more queries:

1. Failover status in ASA shows as standby ready for secondary host. Is it correct? Shouldn't it be just Standby status?

2. static (inside,dmz) netmask

What is the meaning of this line? I understand that this is used for static translation when external access is required to services hosted inside the network. But then why are the 2 IPs the same?


handsy Tue, 05/12/2009 - 05:59

1. I assume you've issued the 'no failover' command? If so, then the standby unit would display a wait state as it can no longer contact the primary.

2. This sort of static 1:1 translation is done to advertise an IP address or IP addresses externally from an inside network. It's the nature of Cisco firewalls. All IP addresses are hidden until you static or NAT them.

