Pix 535 Failover

Answered Question
Jan 11th, 2010

Hey guys,

Can I get a little help? I'm attempting to set up stateful failover between 2 PIX 535s with UR license on both. The config guide says

"In multiple context mode, the Stateful Failover link resides in the system context"

I am running multiple context, with only the admin and system context (both default).  However, when in system context, I cannot configure an IP on interface G0 (the one I want to use for the stateful failover interface.)

I'm not real sure what I need to do...when I do a sho run, G0 is clearly in the system context, though I have limited configurable options...AND it is in the admin context as well (I can do ALL configurations).

Can somebody get me pointed in the right direction here...

A second point is the use of "Failover vs Stateful Failover": do you have to have both interfaces?



Panos Kampanakis Mon, 01/11/2010 - 17:35
User Badges: Cisco Employee

Failover is configured in the system context, so you are right on that.

Though the failover IP addresses are not configured under the interface but using the failover commands.

For example:

failover link state Ethernet2
failover interface ip state (active ip) (netmask) standby (standby ip)

I hope it helps.


Bruce Summers Mon, 01/11/2010 - 17:57

Yes, it does...

I guess I just didn't quite understand the guide...it outlines

"If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode)"

I took that quite literally as configure the interface...

So, as I look further down the config guide, it refers to the commands you have provided...So, an additional question is, when I designate, for example, G0 as the "stateful failover" interface, does that place it in the system context?

The guide also says the stateful failover interface will be in the system context...

Panos Kampanakis Tue, 01/12/2010 - 06:20
User Badges: Cisco Employee

Well, all interfaces exist in the system, but they are not configured in the system; they are only allocated to the contexts.

When using the failover commands, the failover interfaces can be considered as configured in the system. Meaning in your case, G0, you can see it as belonging to and configured in the system. It is not exactly configured in the traditional sense, but it uses the failover ip commands to configure it.

Of course that context should not be pushed to a context at the same time and this will not be allowed.

I hope it helps.


Bruce Summers Tue, 01/12/2010 - 07:06

Again, thank you...

I have configured the stateful failover interfaces on G0 on both PIXes, and stepped through the following commands on both:

failover lan enable

failover lan unit primary (on secondary, designated as secondary)

failover lan interface (interface name/phys int)

failover interface ip (int_name/ip/sn of primary) standby (ip of standby)

no shutdown

However, both PIXes believe themselves to be the active (can't see each other across the G0 interfaces apparently).

Any thoughts on that?


Correct Answer
Panos Kampanakis Tue, 01/12/2010 - 07:20
User Badges: Cisco Employee

Don't forget the most important command, "failover" to enable failover.

If they still can't see each other verify connectivity and vlan-ning between them.
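
An offline check for the points raised so far in this thread, added here as an example and not posted by any participant: it reads the failover lines from both units' system-context configs and reports a missing bare "failover" command, a failover or state link with no "failover interface ip" line, a standby address outside the link subnet, and mismatched unit roles. The sample configs, interface names and addresses are constructed, and parse() and check_pair() are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample (names and addresses made up): failover lines, system context.
PRIMARY = """\
failover lan unit primary
failover lan interface folink GigabitEthernet0
failover lan enable
failover link state GigabitEthernet1
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip state 192.168.253.1 255.255.255.252 standby 192.168.253.2
"""
# The secondary differs only in its unit role; here it also has the bare 'failover' line.
SECONDARY = PRIMARY.replace("unit primary", "unit secondary") + "failover\n"

def parse(cfg):
    """Pull the failover settings discussed in the thread out of one unit's config."""
    lines = [line.strip() for line in cfg.splitlines()]
    unit = {"enabled": "failover" in lines, "role": None, "links": [], "ips": {}}
    for line in lines:
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            unit["role"] = m.group(1)
        elif m := re.fullmatch(r"failover (?:lan interface|link) (\S+)(?: \S+)?", line):
            unit["links"].append(m.group(1))
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            unit["ips"][m.group(1)] = m.groups()[1:]
    return unit

def check_pair(cfg_a, cfg_b):
    """Return a list of problems that would keep the two units from pairing."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for label, unit in (("unit A", a), ("unit B", b)):
        if not unit["enabled"]:
            problems.append(f"{label}: bare 'failover' command missing")
        for name in unit["links"]:
            if name not in unit["ips"]:
                problems.append(f"{label}: no 'failover interface ip' for {name}")
                continue
            active, mask, standby = unit["ips"][name]
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                problems.append(f"{label}: standby IP for {name} is outside {net}")
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        problems.append("roles must be one primary and one secondary")
    if a["ips"] != b["ips"]:
        problems.append("'failover interface ip' lines differ between the units")
    return problems
print(check_pair(PRIMARY, SECONDARY))
```

With the constructed samples, the primary is reported as missing the bare "failover" command, the state in which each unit stays active on its own.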


Bruce Summers Tue, 01/12/2010 - 07:23

Yes, yes...

I ran the failover command also...I have the 2 PIXes connected with fiber between the 2 G0 interfaces (crossed over)...

I reran the commands, and it looks like they are talking, but one of them doesn't have the VPN-3DES-AES license enabled....

Gotta go through that now...

Thanks for the help...


Bruce Summers Tue, 01/12/2010 - 08:22


Got the license problem corrected, they now fail over...Except, now, when it fails over to secondary, when the primary comes back online, it doesn't shift back to primary active...

Bruce Summers Tue, 01/12/2010 - 11:48


One more question for you...please...

When reloading the PIX, I'm getting errors in the admin.ctx about crypto ipsec security-association lifetime in seconds and kilobytes.

I have removed the VPN card in these PIXes as I do not need that service.

I deleted the admin context, recreated it and the crypto ipsec entries return (I specified a new config-url file)...each time the firewall bounces, it returns these errors...

I'm not clear on how to remove the entries, as none of the "no" crypto commands appear to be what I need (version 8.0(4)).

Thanks in advance.


