Pix 535 Failover

Answered Question
Jan 11th, 2010

Hey guys,

Can I get a little help? I'm attempting to set up stateful failover between 2 PIX 535s with UR license on both. The config guide says

"In multiple context mode, the Stateful Failover link resides in the system context"

I am running multiple context, with only the admin and system context (both default). However, when in system context, I cannot configure an IP on interface G0 (the one I want to use as the stateful failover interface).

I'm not really sure what I need to do... when I do a sho run, G0 is clearly in the system context, though I have limited configurable options... AND it is in the admin context as well (I can do ALL configurations).

Can somebody get me pointed in the right direction here...

A second point is the use of "Failover vs Stateful Failover": do you have to have both interfaces?

thanks

Bruce

Panos Kampanakis Mon, 01/11/2010 - 17:35

Failover is configured in the system context, so you are right on that.

Though the failover IP addresses are not configured under the interface, but using the failover commands.

For example:

failover
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

I hope it helps.

PK

Bruce Summers Mon, 01/11/2010 - 17:57

yes, it does...

I guess I just didn't quite understand the guide... it outlines

"If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode)"

I took that quite literally as configure the interface...

So, as I look further down the config guide, it refers to the commands you have provided... So, an additional question is, when I designate, for example, G0 as the "stateful failover" interface, does that place it in the system context?

the guide also says the stateful failover interface will be in the system context...

Panos Kampanakis Tue, 01/12/2010 - 06:20

Well, all interfaces exist in the system, but they are not configured in the system; they are only allocated to the contexts.

When using the failover commands, the failover interfaces can be considered as configured in the system. Meaning, in your case, G0 you can see as belonging to and configured in the system. It is not exactly configured in the traditional sense, but it uses the failover ip commands to configure it.

Of course that context should not be pushed to a context at the same time, and this will not be allowed.

I hope it helps.

PK

Bruce Summers Tue, 01/12/2010 - 07:06

again, thank you...

I have configured the stateful failover interfaces on G0 on both PIXes, and stepped through the following commands on both:

failover lan enable

failover lan unit primary (on secondary, designated as secondary)

failover lan interface (interface name/phys int)

failover interface ip (int_name/ip/sn of primary) standby (ip of standby)

no shutdown

However, both PIXes believe themselves to be the active (can't see each other across the G0 interfaces, apparently).

any thoughts on that?

Bruce

Correct Answer
Panos Kampanakis Tue, 01/12/2010 - 07:20

Don't forget the most important command, "failover" to enable failover.

If they still can't see each other, verify connectivity and VLANing between them.

PK
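
The sequence Bruce listed and the two points PK added (the failover IP lives on the failover commands in the system space, and nothing works until the "failover" command itself is entered), put together as one complete configuration. This is an added example, not configuration posted by anyone in this thread; the interface name "folink", the 10.0.0.0/24 link subnet, the 192.168.1.0/24 data subnet and the key value are all assumptions, and "G0" is assumed to be GigabitEthernet0 on PIX 8.0(4) in multiple context mode.

```cisco
! Added example, not from this thread. Assumptions: failover link is
! GigabitEthernet0 ("G0") named "folink"; 10.0.0.0/24 and 192.168.1.0/24
! are constructed subnets; PIX 8.0(4), multiple context mode.
!
! ---- PRIMARY unit, system execution space ----
failover lan unit primary
! One interface carries both the failover control traffic and the stateful
! (connection-table) replication. It must NOT be allocated to any context.
failover lan interface folink GigabitEthernet0
failover link folink GigabitEthernet0
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Encrypt and authenticate the failover link; without a key the replicated
! state crosses it in the clear. Placeholder value shown.
failover key FAILOVER-KEY-PLACEHOLDER
! The physical link is brought up in the system space; no IP goes here.
interface GigabitEthernet0
 no shutdown
! Last step: until this is entered, each unit considers itself the only
! (and therefore active) unit.
failover

! ---- SECONDARY unit, system execution space ----
! Same link definitions and key; only the unit role differs. The rest of
! the configuration, contexts included, is replicated from the primary.
failover lan unit secondary
failover lan interface folink GigabitEthernet0
failover link folink GigabitEthernet0
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0
 no shutdown
failover

! ---- inside each context (e.g. admin), for every data interface ----
! This is the guide's "active and standby IP addresses for each data
! interface": the standby address lets the standby unit be reached and
! its interfaces monitored. Addresses constructed for the example.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

! ---- verification, from the system space ----
show failover
show failover state
! Expect "This host: Primary - Active" and "Other host: Secondary -
! Standby Ready". "Not Detected" or "Failed" for the other host means the
! link is down or the units cannot pair (mismatched key or, on 8.0,
! mismatched licenses).
!
! Active/Standby failover does not preempt: a primary that comes back
! after a failover stays standby until it is told to take over again.
failover active
```

The failover link interface is the one piece of addressing that belongs to the system execution space, which is why G0 shows there with only a few configurable options and why it must not also be allocated to the admin context. Everything else on G0 is configured through the failover commands rather than under the interface.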

Bruce Summers Tue, 01/12/2010 - 07:23

yes, yes...

I ran the failover command also... I have the 2 PIXes connected with fiber between the 2 G0 interfaces (crossed over)...

I reran the commands, and it looks like they are talking, but one of them doesn't have the VPN-3DES-AES license enabled...

gotta go through that now...

thanks for the help...

Bruce

Bruce Summers Tue, 01/12/2010 - 08:22

alrighty...

Got the license problem corrected, they now fail over... Except, now, when it fails over to secondary, when the primary comes back online, it doesn't shift back to primary active...

Bruce Summers Tue, 01/12/2010 - 11:48

PK,

One more question for you...please...

When reloading the PIX, I'm getting errors in the admin.ctx about crypto ipsec security-association lifetime in seconds and kilobytes.

I have removed the VPN card in these PIXes as I do not need that service.

I deleted the admin context and recreated it, and the crypto ipsec entries return (I specified a new config-url file)... each time the firewall bounces, it returns these errors...

I'm not clear on how to remove the entries, as none of the "no" crypto commands appear to be what I need (version 8.0(4)).

thanks in advance.

Bruce
