Failover

Unanswered Question
Jun 3rd, 2010

Hello Friends,



Please find the attached output for show failover:


Configuring failover on PIX with IOS 7.2.2 with Active Active license on simulator


int e3

no shut


failover
failover lan unit primary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7


After this I booted the secondary firewall and applied a write standby command on the active unit, but no output. In stateful failover we don't need to specify on the standby unit, but still I executed the below command.


int e3

no shut


failover
failover lan unit secondary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7


From the output I think the cable connection between the 2 firewalls. It is a simulator, so there is no point for straight and cross, but the interfaces are up and the protocol is also up? Correct me if I'm wrong.


Thanks

John Blakley Thu, 06/03/2010 - 08:38

In your config, it doesn't see the secondary firewall. Can you ping the secondary inside interface from the primary? Is the inside address of your secondary 192.168.1.7?


HTH,

John

lambay2000 Thu, 06/03/2010 - 09:24

Hello,


Yes, the inside interface of the secondary is 192.168.1.7. It is pingable.


Is it I'm missing anything in my configs? My above steps for stateful failover are correct.


Thanks

John Blakley Thu, 06/03/2010 - 11:05

Can you post the interface configurations from both firewalls and the failover information?


John

lambay2000 Thu, 06/03/2010 - 11:54

Dear,


Attached are the configs for Secondary PIX.


My topology is: an L3 switch connecting the 2 firewalls' inside interfaces, a dedicated interface for failover on the firewall, and also a DMZ interface connecting to a router.


In my previous configs I had chosen Ethernet 3 as the failover interface, but now I have changed to Ethernet 4 on both the PIX.

John Blakley Thu, 06/03/2010 - 12:01

Okay, I see the problem. You have a STATE interface configured, but not the LAN side. Try this:


failover lan interface LAN eth4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7



I believe you can use the same interface for LAN and STATE. Your state interface is used to roll over the xlate tables. You don't *need* a state interface, but all connections would need to be manually reconnected again.


*EDIT*: You'll need to do this on both firewalls


Try that and let me know.


John

lambay2000 Thu, 06/03/2010 - 12:39

Dear John,


It's the same situation,


I'm getting logs on the console: "NO response from Mate"


Thanks

John Blakley Thu, 06/03/2010 - 12:44

On the LAN and State interfaces, can you ping each other?


From the primary, try to ping the secondary:


ping 192.168.2.7


From the secondary, try to ping the primary:


ping 192.168.2.6


You may want to remove the STATE interface until you get the LAN side working too.


John

lambay2000 Thu, 06/03/2010 - 12:58

Dear John,


I have cleared the failover configs with the command "clear configure failover".


I'm able to ping 192.168.1.6 and 192.168.1.7, which are the inside interface IP addresses, but I'm not able to ping the failover IP addresses 192.168.2.6 and 192.168.2.7.


The state interface configuration has been cleared from the interface configuration.

John Blakley Thu, 06/03/2010 - 13:03

It looks fine. What simulator are you using? Can you do a "sh int ip brief" and post those results?

lambay2000 Thu, 06/03/2010 - 13:11

Dear,


I'm using GNS3.


PIX-1(config)#   sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  172.16.1.1      YES CONFIG up                    up
Ethernet1                  192.168.1.6     YES CONFIG up                    up
Ethernet2                  10.146.254.2    YES CONFIG up                    up
Ethernet3                  unassigned      YES unset  up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up


#####################################################################


PIX2(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      YES unset  up                    up
Ethernet1                  192.168.1.7     YES manual up                    up
Ethernet2                  unassigned      YES unset  up                    up
Ethernet3                  unassigned      YES unset  up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up

John Blakley Thu, 06/03/2010 - 13:20

The only thing that I can figure is that GNS is having a problem. Your configs are correct, but the problem is that the secondary thinks it's the primary because of the LAN address of 192.168.2.6. (It's the same as the real primary).


Here's a real configuration from my ASAs:


Primary:

failover
failover lan unit primary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2


sh int ip brie


GigabitEthernet1/1         10.15.15.1      YES unset  up                    up
GigabitEthernet1/2         10.14.14.1      YES unset  up                    up




Secondary:

failover
failover lan unit secondary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2


sh int ip brie


GigabitEthernet1/1         10.15.15.2      YES unset  up                    up
GigabitEthernet1/2         10.14.14.2      YES unset  up                    up


When the unit is in standby mode, then it will be using the standby address of .7, not the .6 that it is using. Otherwise, your configs look right. Oh, and just to double check, make sure that the interfaces that are being used for failover aren't shut. That happened to me one day in GNS, where it showed it applied the configuration, but the interface was shut. (It doesn't show in your config, but just to check.)


John
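
The two checks John makes by eye in this thread (a missing `failover lan interface` statement, and both units showing the same address on the failover port), as an added Python example that is not part of any post. `parse_failover`, `parse_brief` and `audit` are hypothetical helper names, and the sample input reuses the thread's statements and addresses with `eth4` written out as `Ethernet4`.

```python
import re

def parse_failover(config):
    """Collect the failover statements from a PIX/ASA configuration."""
    cfg = {"lan": None, "link": None, "ips": {}}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["failover", "lan", "interface"] and len(t) == 5:
            cfg["lan"] = (t[3], t[4])        # (logical name, physical port)
        elif t[:2] == ["failover", "link"] and len(t) == 4:
            cfg["link"] = (t[2], t[3])
        elif t[:3] == ["failover", "interface", "ip"] and len(t) == 8:
            cfg["ips"][t[3]] = (t[4], t[7])  # (active, standby) address
    return cfg

def parse_brief(output):
    """Map interface name to address from 'sh int ip brief' output."""
    rows = (re.match(r"\s*(\S*Ethernet\S+)\s+(\S+)\s+YES", line)
            for line in output.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def audit(config, primary_brief, secondary_brief):
    """Return the problems seen in this thread as a list of strings."""
    cfg, findings = parse_failover(config), []
    pri, sec = parse_brief(primary_brief), parse_brief(secondary_brief)
    if cfg["lan"] is None:
        findings.append("no 'failover lan interface' statement")
    # LAN and link may share one name and port; check each pair once.
    for name, port in dict.fromkeys(p for p in (cfg["lan"], cfg["link"]) if p):
        if name not in cfg["ips"]:
            findings.append(f"{name}: no 'failover interface ip' statement")
        elif port in pri and pri[port] == sec.get(port):
            active, standby = cfg["ips"][name]
            findings.append(f"{port}: both units show {pri[port]}, "
                            f"expected {active} and {standby}")
    return findings

# Statements and addresses as posted in the thread (eth4 written out in full).
CONFIG = """failover
failover lan unit primary
failover lan interface LAN Ethernet4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7"""
PIX1 = "Ethernet4                  192.168.2.6     YES unset  up        up"
PIX2 = "Ethernet4                  192.168.2.6     YES unset  up        up"

if __name__ == "__main__":
    for finding in audit(CONFIG, PIX1, PIX2):
        print(finding)
```
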

lambay2000 Thu, 06/03/2010 - 13:33

Dear John,


In my sh ip int brief output my protocols are up.


The configs you advised me to do, by removing state and applying to LAN: we have configured LAN based failover by changing the command to LAN. I'm pretty sure?



You have used 2 separate interfaces for LAN and stateful failover. Can I use 1 interface for stateful and LAN?


failover lan interface LAN GigabitEthernet1/2 ------> this is LAN based failover?
failover link STATE GigabitEthernet1/1 ------> this is stateful failover?


Thanks
