Cisco PIX 525 Help

dclaro
Level 1

I am trying to figure out how failover works, I guess. When the Primary PIX fails over to the secondary PIX, does the standby take the IPs and names of the primary unit when it fails over, or does it use its own IPs for the inside/outside interfaces when it fails over?

The secondary host shouldn't say this when on standby right?

Other host: Secondary - Failed

The primary always says "Waiting":

This host: Primary - Active
                Active time: 31443135 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)

Does that mean waiting to replicate?


Yes, when a PIX or ASA firewall standby unit becomes active, it inherits all the IPs of the primary unit.

The standby IPs are always exactly that: standby. When you do a manual failover (with both units available), the IPs basically swap between devices.

The secondary host shouldn't say Failed indeed. This can be caused by monitoring an interface which hasn't been properly configured with a standby address, or obviously some failure of the hardware or power. Can you post the complete output of a show failover command?

Normally, a standby unit should be reported as:

Other host: Secondary - Standby Ready

The primary unit is at this moment indeed waiting to replicate the settings to the standby unit. When it has done this, all the interfaces should report

Interface (x.x.x.x): Normal

Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate 7.0(5)
Last Failover at: 12:01:01 UTC Jan 14 2009
        This host: Primary - Active
                Active time: 31512165 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                Interface outside (x.x.x.x): Normal
                Interface inside (x.x.x.x): Normal

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         555745821  0          2684278    0
        sys cmd         2684285    0          2684278    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        354720708  0          0          0
        UDP conn        198332191  0          0          0
        ARP tbl         8637       0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       2684278
        Xmit Q:         0       2       576385069

The output looks fairly normal, except for the "Other host: Secondary - Failed" part.

Are the IP addresses reported by the other host identical to the ones configured in the failover configuration?

If so, can you connect to the secondary (backup) unit using the failover IP addresses reported by that unit?

They are different, if I am looking in the right place.

Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate 7.0(5)
Last Failover at: 12:01:01 UTC Jan 14 2009
        This host: Primary - Active
                Active time: 31515525 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                Interface outside (x.x.x.x): Normal
                Interface inside (x.x.x.x): Normal

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         555745821  0          2684278    0
        sys cmd         2684285    0          2684278    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        354720708  0          0          0
        UDP conn        198332191  0          0          0
        ARP tbl         8637       0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       2684278
        Xmit Q:         0       2       576385069

Also, is it possible to manage the secondary device while it is in standby? I cannot telnet to this device, only the primary.

Ganesh Hariharan
VIP Alumni

Hi Daniel,

Yes, the secondary device takes the IP address of the primary device at the time of failover. When the active device fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC address, and it begins passing traffic. The PIX has one MAC address for all interfaces. The unit that was active and is now in standby state takes over the standby IP addresses and MAC address.

Because network devices see no change in the MAC to IP address pairing, failover is unnoticed by the rest of the network.

"show standby" is the command to check the status of the device.

Hope that helps with your query!

Regards

Ganesh.H

I was not entirely clear, I'm sorry.

Those two addresses should be different. You have 2 sets of IPs:

A primary and secondary outside (254.1 and 254.5 respectively)

A primary and secondary inside (253.2 and 253.5 respectively)

I was wondering if those are also mentioned in your running configuration as:

interface Ethernetx
 description outside
 ip address x.x.254.1 standby x.x.254.5

and

interface Ethernetx
 description inside
 ip address x.x.253.2 standby x.x.253.5

I would assume they are.
Is the standby PIX525 reachable using the x.x.253.5 address?

Yes, the running configuration is configured as mentioned. But I cannot reach either of the standby addresses with telnet or a ping.

yjdabear
VIP Alumni

"show failover lan detail", since you're using LAN-based failover.

What devices are between the primary and secondary PIXes, if any?

Is the secondary unit reachable from anywhere else on the network, or not at all?

That is not a valid command. Here are my options:

show failover ?

  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information

It is supposed to be reachable. I may have to go console in or something.

Yes, that might be the only solution. Make sure the configuration matches the one from the primary PIX.

How can I tell which physical PIX of the two I am remoted into? It doesn't show the serial when I do "show version".

Here is some more info:

sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
        Comm Failure

For some reason the sync is done as indicated, but then why the communication failure? According to my coworker you could never connect to the standby PIX except via console. So that goes back to the point of SNMP management. How would that be possible? Configuring a management port (then I don't think the SNMP "Inside/Outside" commands would work)?
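The two outputs discussed in this thread, "show failover" (with its "Other host: Secondary - Failed" and "Normal (Waiting)" lines) and "show failover state" (with "Sync Done" next to a "Comm Failure" reason), are the kind of text a monitoring job should be reading off the pair rather than a person eyeballing it. The following script is an added example and not code from the thread or from Cisco: it parses both outputs and returns the findings that would warrant an alert, using the expected "Standby Ready" peer state the earlier reply describes. Both sample outputs are constructed from the ones posted above, with the x.x.x.x placeholders kept; the field layout assumed by the regular expressions is the one visible in those posts.

```python
"""Parse Cisco PIX/ASA 'show failover' and 'show failover state' text and flag
the conditions discussed in this thread: a peer that is not 'Standby Ready',
interfaces still '(Waiting)', an unsynchronised configuration and a fail reason
such as 'Comm Failure'. Added example, not from the thread; both samples are
constructed from the output posted above, x.x.x.x placeholders kept."""
import re

SHOW_FAILOVER = """\
Failover On
Failover LAN Interface: failover Ethernet0 (up)
Interface Poll frequency 15 seconds
        This host: Primary - Active
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)
        Other host: Secondary - Failed
                Interface outside (x.x.x.x): Normal
                Interface inside (x.x.x.x): Normal
"""

SHOW_FAILOVER_STATE = """\
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
        Comm Failure
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (\w+)(?: \((\w+)\))?\s*$")
SECTION_RE = re.compile(r"^=+(.+?)=+\s*$")


def parse_show_failover(text):
    """Map 'This'/'Other' to role, state and per-interface status."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:  # interface lines belong to the most recent host header
            name, addr, status, detail = m.groups()
            hosts[current]["interfaces"][name] = {"addr": addr, "status": status, "detail": detail}
    return hosts


def check_show_failover(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    hosts = parse_show_failover(text)
    findings = []
    other = hosts.get("Other")
    if other is None:
        findings.append("no 'Other host' line: peer not reported")
    elif other["state"] != "Standby Ready":
        findings.append(f"peer {other['role']} is '{other['state']}', expected 'Standby Ready'")
    for side, info in hosts.items():
        for name, iface in info["interfaces"].items():
            if iface["status"] != "Normal":
                findings.append(f"{side} host interface {name} is {iface['status']}")
            elif iface["detail"] == "Waiting":
                findings.append(f"{side} host interface {name} is Normal (Waiting)")
    return findings


def parse_show_failover_state(text):
    """Map each '====Name===' section to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def check_show_failover_state(text):
    """Return findings for an unsynchronised config or a recorded fail reason."""
    sections = parse_show_failover_state(text)
    findings = []
    if "Sync Done" not in sections.get("Configuration State", []):
        findings.append("configuration not reported as 'Sync Done'")
    label = None  # a bare reason line belongs to the preceding '... Fail Reason:' label
    for line in sections.get("Failed Reason", []):
        if line.endswith(":"):
            label = line[:-1]
        elif label:
            findings.append(f"{label}: {line}")
    return findings


if __name__ == "__main__":
    for finding in check_show_failover(SHOW_FAILOVER) + check_show_failover_state(SHOW_FAILOVER_STATE):
        print("FINDING:", finding)
```

Run against the constructed samples it reports the peer as Failed, both primary interfaces as Normal (Waiting), and "Other Fail Reason: Comm Failure"; against a healthy pair (peer "Standby Ready", no "(Waiting)") both check functions return an empty list, which is the condition a polling job would treat as green.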

Another command to display the serial number on PIX 7.1.x is "show activation-key", but then "show ver" works for me too.

All the PIX/ASA stateful failover pairs I've seen have manageable/reachable secondaries. Although the PIXes are using serial-based failover, I doubt LAN-based failover would be any different.

This is my version:

Cisco PIX Security Appliance Software Version 7.0(5)

I guess I was looking for the serial number that matches the physical sticker on the device. Show version does show a different serial.

Just sucks I can't connect to the standby.
