Pix Firewall 515e

Answered Question

Hello,


I have a client with PIX 515e that is licensed as Failover Only Active/Standby. The main firewall is completely dead. I can get things up and running again by failover active command but after a reboot or after a period of time it goes back to standby. Can this unit remain the main active unit?


Cheers and thanks.


Miguel


P.S. Let me clarify: what I mean by a period of time is not correct. So long as power and ethernet activity is good, the unit remains active. We have had bad storms here for the last few days, and when the power goes out and the UPS drains, the unit powers down. The next AM, I have to set up the unit as active again. Will this behavior continue until we replace the primary unit, or can this unit be permanently set up as the active unit in a single unit environment?

Correct Answer
bknoblau Tue, 09/07/2010 - 11:19

Miguel,


As per Cisco documentation:


1.) The PIX Firewall failover-only unit is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays at the console.

=========================NOTICE ==========================
       This machine is running in secondary mode without
       a connection to an active primary PIX. Please
        check your connection to the primary system.
               REBOOTING....
==========================================================

2.) If a failover-only PIX Firewall is not attached to a failover connection or is attached to the primary end of a Failover cable, then it will hang at boot time. It should be a secondary unit.


Hope this helps,


BK

golly_wog Tue, 09/07/2010 - 15:23

Enter the failover command and then save the config.


I did all my CCSP studies on one of these and it never went into standby.

golly_wog Tue, 09/07/2010 - 15:53

Mate


Sorry to be a pain, but I am sure that this is possible - I had this running, protecting a website I did for my mate. I had it rebooting at midnight and it would come back up cleanly.


Is there any chance you can post your config please - specifically the failover part. I'm wondering if you have it set as standby, whereas from memory I did a "clear config all", then just ran "failover" and voilà!


I've flogged the unit on eBay, so can't check. Sorry.

Nagaraja Thanthry Tue, 09/07/2010 - 18:20
User Badges: Cisco Employee

Hello Golly,


What you said is correct as long as the secondary device took over the active role when the primary device (with UR license) was connected and it went down. If you are trying to configure the FO device by itself, then it will not work.


Regards,


NT

golly_wog Wed, 09/08/2010 - 04:11

Hi NT


I'm positive that it did mate - it would reboot every 24 hours though.


From memory I was running 7.2.


It was a 515, not 515E, but I guess that is incidental...?


From memory I need to get this to failover, that is why I said it needed it, basically unless this is activated no config would take effect.


From memory when it booted it would then detect no mate and switch to active.


My brain is getting old, but some stuff I can just about recall :-)


cheers

Nagaraja Thanthry Tue, 09/07/2010 - 18:47
User Badges: Cisco Employee

Hello Miguel,


Also, if it is viable, you can just install a new license to convert the existing firewall to standalone mode. If it is working as standalone, even Restricted license could work.


Regards,


NT
