Pix 535 Failover

Bruce Summers
Level 1

Hey guys,

Can I get a little help? I'm attempting to set up stateful failover between 2 PIX 535s with a UR license on both. The config guide says

"In multiple context mode, the Stateful Failover link resides in the system context"

I am running multiple context, with only the admin and system context (both default). However, when in the system context, I cannot configure an IP on interface G0 (the one I want to use for the stateful failover interface).

I'm not real sure what I need to do... when I do a sho run, G0 is clearly in the system context, though I have limited configurable options... AND it is in the admin context as well (I can do ALL configurations).

Can somebody get me pointed in the right direction here...

A second point is the use of "Failover vs Stateful Failover": do you have to have both interfaces?

Thanks

Bruce

Accepted Solution

Don't forget the most important command, "failover" to enable failover.

If they still can't see each other verify connectivity and vlan-ning between them.

PK

8 Replies

Panos Kampanakis
Cisco Employee

Failover is configured in the system context, so you are right on that.

Though the failover IP addresses are not configured under the interface but with the failover commands.

For example

failover
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

I hope it helps.

PK

Yes, it does...

I guess I just didn't quite understand the guide... it outlines

"If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode)"

I took that quite literally, as "configure the interface"...

So, as I look further down the config guide, it refers to the commands you have provided... So, an additional question is: when I designate, for example, G0 as the "stateful failover" interface, does that place it in the system context?

the guide also says the stateful failover interface will be in the system context...

Well, all interfaces exist in the system, but they are not configured in the system; they are only allocated to the contexts.

When using the failover commands, the failover interfaces can be considered as configured in the system. Meaning, in your case, G0: you can see it as belonging to and configured in the system. It is not exactly configured in the traditional sense, but it uses the failover ip commands to configure it.

Of course that context should not be pushed to a context at the same time and this will not be allowed.

I hope it helps.

PK

Again, thank you...

I have configured the stateful failover interfaces on G0 on both PIXs, and stepped through the following commands on both:

failover lan enable

failover lan unit primary (on secondary, designated as secondary)

failover lan interface (interface name/phys int)

failover interface ip (int_name/ip/sn of primary) standby (ip of standby)

no shutdown

However, both PIXs believe themselves to be the active (can't see each other across the G0 interfaces, apparently).

Any thoughts on that?

Bruce
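The LAN-based plus stateful failover bootstrap for both units, as one worked example added here; it is not configuration from the thread or from Cisco's guide. It assumes PIX 7.x/8.x syntax in multiple context mode, a single direct link (G0 on both boxes, as above) carrying both the failover LAN link and the state link, and constructed values for the link name (folink), the addresses and the shared key.

```cisco
! ===== Primary unit, entered in the system execution space =====
interface GigabitEthernet0
 description failover + state link to peer (direct crossover fibre)
 no shutdown
!
failover lan unit primary
! name the failover LAN link and bind it to the physical interface
failover lan interface folink GigabitEthernet0
! reuse the same link for state replication (stateful failover);
! a separate interface may be used instead if one is free
failover link folink GigabitEthernet0
! active/standby addresses of the link; the line is identical on both units
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
! authenticate and encrypt failover messages between the peers (constructed key)
failover key CHANGE-ME-SHARED-KEY
! enable failover last, once both units have the link configured
failover
!
! ===== Secondary unit, same commands except the unit role =====
interface GigabitEthernet0
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0
failover link folink GigabitEthernet0
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key CHANGE-ME-SHARED-KEY
failover
```

On either unit, show failover reports the peer's state and whether the link is up, which is the first thing to check when both boxes claim to be active.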

Yes, yes...

I ran the failover command also... I have the 2 PIXs connected with fiber between the 2 G0 interfaces (crossed over)...

I reran the commands, and it looks like they are talking, but one of them doesn't have the VPN-3DES-AES license enabled....

Gotta go through that now...

Thanks for the help...

Bruce

Alrighty...

Got the license problem corrected; they now fail over... Except, now, when it fails over to secondary and the primary comes back online, it doesn't shift back to primary active...

PK,

One more question for you... please...

When reloading the PIX, I'm getting errors in the admin.ctx about crypto ipsec security-association lifetime in seconds and kilobytes.

I have removed the VPN card in these PIXs, as I do not need that service.

I deleted the admin context and recreated it, and the crypto ipsec entries return (I specified a new config-url file)... each time the firewall bounces, it returns these errors...

I'm not clear on how to remove the entries, as none of the "no" crypto commands appear to be what I need (version 8.0(4)).

Thanks in advance.

Bruce
