pix 525 failover

Unanswered Question
Jul 21st, 2009
Customer with an issue on failover all of a sudden. Still using the primary and secondary serial cable. When the secondary comes up it assumes primary even though the primary is up. Once up, the secondary does not pass any traffic and nothing works. Down the secondary and all is well. Where to start?

thx again all

Kevin Redmon (Cisco Employee) Sun, 07/26/2009 - 18:53

The key item to remember when speaking of failover on PIX is the Logical description (Primary/Secondary) and the Functional Description (Active/Standby). Above, since you are seemingly using Serial-based failover, I'm assuming that you are stating that the Secondary PIX is taking on the Functional role of Active.

Some of the steps that I would take to isolate the issue are:

1.) 'show failover' on both Primary and Secondary PIX. There may be a particular interface that is shown as 'Failed'.

2.) Enable 'logging buffered debugging'. At the time of the failover situation, issue the command 'show log | inc PIX-1'. All failover messages on the PIX (and ASA) are Level-1 messages.

3.) If the command is supported, and if the firewalls have not been rebooted since the failover, gather the output of 'show failover history'.

4.) From each of the firewalls, for each interface, ping the peer's interface. Assuming ping is permitted on the interface, all pings should be successful.

If the Secondary is active, confirm upstream/downstream routes and monitor the syslogs (at the 'debugging' level).

The output of these commands/tests will likely lead you to the cause of the failover issues.
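Step 2 above boils down to pulling the Level-1 entries out of the buffered log and reading them in order. The script below is an added example, not code from the thread or from Cisco: it does the same filtering offline over a constructed set of log lines (the `SAMPLE_LOG` text, the host names, and the message IDs and texts in it are assumptions modelled on the `%PIX-<severity>-<id>:` syslog format, not output taken from the poster's firewalls), then counts the failover messages by ID and lists which interfaces reported lost failover communications, which is the same question step 1's "Failed" column answers from the other side.

```python
"""Filter a PIX/ASA syslog buffer for Level-1 (failover) messages, the offline
equivalent of 'show log | inc PIX-1', and summarise them in time order.

Example code added to the thread. SAMPLE_LOG is constructed for this example;
its hosts, message IDs and texts are assumptions shaped like the PIX/ASA
"%PIX-<severity>-<message id>: <text>" syslog format, not real captures.
"""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One syslog line: timestamp, logging host, then "%PIX-<sev>-<six-digit id>: text".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s*:\s*%(?P<platform>PIX|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Failover messages that name an interface end with "on interface <name>".
IFACE_RE = re.compile(r"on interface (\S+)\s*$")

# Constructed sample buffer (assumption): a normal connection message, the
# secondary losing hellos on both interfaces, then both units switching roles.
SAMPLE_LOG = """\
Jul 21 2009 10:14:55 pix-primary : %PIX-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.10/80 to inside:10.0.0.5/4242
Jul 21 2009 10:15:02 pix-secondary : %PIX-1-105005: (Secondary) Lost Failover communications with mate on interface inside
Jul 21 2009 10:15:02 pix-secondary : %PIX-1-105005: (Secondary) Lost Failover communications with mate on interface outside
Jul 21 2009 10:15:04 pix-secondary : %PIX-1-104001: (Secondary) Switching to ACTIVE - mate not heard from
Jul 21 2009 10:15:04 pix-primary : %PIX-1-104002: (Primary) Switching to STANDBY - other unit wants to be active
Jul 21 2009 10:15:05 pix-primary : %PIX-4-411001: Line protocol on Interface inside, changed state to up
"""


@dataclass
class SyslogEvent:
    ts: str
    host: str
    severity: int
    msgid: str
    text: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line; return None for lines that are not PIX/ASA messages."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return SyslogEvent(m["ts"], m["host"], int(m["sev"]), m["msgid"], m["text"])


def failover_events(lines: Iterable[str]) -> List[SyslogEvent]:
    """Keep only severity-1 messages: on PIX/ASA all failover messages are Level-1."""
    return [ev for ev in map(parse_line, lines) if ev is not None and ev.severity == 1]


def lost_comm_interfaces(events: Iterable[SyslogEvent]) -> List[str]:
    """Interfaces named in 'Lost Failover communications ... on interface X' messages."""
    names: List[str] = []
    for ev in events:
        if "Lost Failover communications" in ev.text:
            m = IFACE_RE.search(ev.text)
            if m and m.group(1) not in names:
                names.append(m.group(1))
    return names


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count Level-1 messages by ID and build a time-ordered list for reading."""
    events = failover_events(lines)
    return {
        "count": len(events),
        "by_msgid": dict(Counter(ev.msgid for ev in events)),
        "lost_comm_interfaces": lost_comm_interfaces(events),
        "timeline": [f"{ev.ts} {ev.host} {ev.msgid} {ev.text}" for ev in events],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['count']} Level-1 messages, by ID: {report['by_msgid']}")
    print("interfaces with lost failover comms:", report["lost_comm_interfaces"])
    for entry in report["timeline"]:
        print(entry)
```

Reading the timeline rather than a single grep result is the point: in the constructed sample the secondary reports lost hellos on every monitored interface two seconds before it goes active, which points at the failover link (here the serial cable) rather than at one failed interface; if only one interface appeared under `lost_comm_interfaces`, that interface and its cabling would be the place to start.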
