07-21-2009 07:07 PM - edited 03-11-2019 08:57 AM
Customer with issue on failover all of a sudden. Still using the primary and secondary serial cable. When secondary comes up it assumes primary even though primary is up. Once up, the secondary does not pass any traffic and nothing works. Down the secondary and all is well. Where to start?
thx again all
07-22-2009 12:40 AM
Make sure you have the serial cable connected correctly - the ends of the cable are labeled "Primary" and "Secondary" - make sure the correct ends attach to the correct device.
HTH
07-26-2009 06:53 PM
The key item to remember when speaking of failover on PIX is the Logical description (Primary/Secondary) and the Functional Description (Active/Standby). Above, since you are seemingly using Serial-based failover, I'm assuming that you are stating that the Secondary PIX is taking on the Functional role of Active.
Some of the steps that I would take to isolate the issue are:
1.) 'show failover' on both Primary and Secondary PIX. There may be a particular interface that is shown as 'Failed'.
2.) Enable 'logging buffered debugging'. At the time of the failover situation, issue the command 'show log | inc PIX-1'. All failover messages on the PIX (and ASA) are Level-1 messages.
3.) If the command is supported, and if the firewalls have not been rebooted since the failover, gather the output of 'show failover history'.
4.) From each of the firewalls, for each interface, ping the peer's interface. Assuming ping is permitted on the interface, all pings should be successful.
If the Secondary is active, confirm upstream/downstream routes and monitor the syslogs (at the 'debugging' level).
The output of these commands/tests will likely lead you to the cause of the failover issues.
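Added example, not part of the original thread: a Python sketch of step 2 above that pulls the Level-1 messages out of saved 'show log' output from both units and reports whether both units last logged a switch to Active, which is the symptom described in the question. The sample log lines are constructed, and the line shape the regex expects (`%PIX-1-<id>: (Primary|Secondary) <text>`) is an assumption about how the buffered log was captured.

```python
import re

# Assumed line shape: "... %PIX-1-104001: (Secondary) Switching to ACTIVE ..."
MSG = re.compile(r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<id>\d{6}): "
                 r"(?:\((?P<unit>Primary|Secondary)\) )?(?P<text>.*)")

def failover_events(log_text):
    """Return (unit, msg_id, text) for every severity-1 message, in log order."""
    events = []
    for line in log_text.splitlines():
        m = MSG.search(line)
        if m and m.group("sev") == "1":
            events.append((m.group("unit") or "?", m.group("id"),
                           m.group("text").strip()))
    return events

def last_claimed_role(events):
    """Map each logical unit to the last functional role it logged taking."""
    roles = {}
    for unit, _msg_id, text in events:
        if text.startswith("Switching to ACTIVE"):
            roles[unit] = "Active"
        elif text.startswith("Switching to STNDBY"):
            roles[unit] = "Standby"
    return roles

def both_active(events):
    """True when Primary and Secondary each last reported going Active."""
    roles = last_claimed_role(events)
    return roles.get("Primary") == "Active" and roles.get("Secondary") == "Active"

# Constructed sample: buffered logs from both units concatenated in time order.
SAMPLE_LOG = """\
Jul 21 2009 18:40:02: %PIX-1-104001: (Primary) Switching to ACTIVE (cause: constructed sample)
Jul 21 2009 18:40:05: %PIX-6-302013: Built outbound TCP connection (constructed sample)
Jul 21 2009 18:52:11: %PIX-1-103001: (Secondary) No response from other firewall (reason code = 1)
Jul 21 2009 18:52:11: %PIX-1-104001: (Secondary) Switching to ACTIVE (cause: constructed sample)
"""

if __name__ == "__main__":
    evts = failover_events(SAMPLE_LOG)
    for unit, msg_id, text in evts:
        print(f"{unit:<9} {msg_id}  {text}")
    print("both units claim Active:", both_active(evts))
```
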