LAN-based failover problem

Unanswered Question
Dec 23rd, 2002
Hi all,


I have configured two PIX515E with 6.2(2) OS for failover operation. The two devices are connected with the failover cable and they seem to work properly. If I configure on the primary active FW the lan-based failover, I get the following messages:


LAN-based Failover: trying to contact peer.

LAN-based Failover: Send hello msg and start failover monitoring

LAN-based Failover Warning, received bad signature pkt


If I check the LAN operation with the

sh failover lan detail

I see on both devices that they have exchanged 2 packets. After that, no more messages are exchanged. On the primary I see that it is the active and the secondary is failed. On the secondary I see that it is the secondary and is in standby and the other device is secondary too and is in standby.


What can be the problem?

tvanginneken Mon, 12/23/2002 - 11:06

Hi,


is there a switch between the two firewalls? It could be that spanning tree on the switch is causing your problem. Try to enable portfast on the switch for each port a pix interface is connected to.


More info on this page:


http://www.cisco.com/warp/public/110/failover.html


(do a search on 'portfast')


Kind Regards,

Tom


gsebok Tue, 12/24/2002 - 04:40

Hi Tom,

there isn't any switch between the devices. They are connected via a crossover cable.

tvanginneken Tue, 12/24/2002 - 09:15

Hi,


have a look at this document:


http://www.cisco.com/warp/public/110/failover.html


Somewhere in the text you will find these two lines:


"It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables."


I don't know if this is really a solution to your problem, but you could give it a try.


Merry Christmas :-)


Tom

bs0000554 Sat, 01/04/2003 - 16:02

If you do not set failover lan key on both sides, it may be the solution

b-pelphrey Mon, 01/06/2003 - 13:33

From what you are saying, you are using the provided Cisco failover cable? The cable that tells you which side is primary or not, correct? If so, you should not be using the LAN failover configuration. That is for if you go through a switch or something like that.


Try something like this:


failover

failover ip address outside x.x.x.x

failover ip address dmz x.x.x.x

failover ip address inside x.x.x.x

failover ip address failover x.x.x.x

failover link failover


This is just an example.


Hope this helps.

bs0000554 Tue, 01/07/2003 - 15:29

I was having a problem like yours.

No, I'm not using the serial cable. I'm using the failover LAN mode.

You need to define the password for the PIX failover security.

Use the configuration above + the

"failover lan key " command in both units.

You also need to define which unit is the primary/secondary by default.

Go to the PDM session of failover configuration and

click the ? icon. See the examples.
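
As an added example (not part of any post in this thread, and not Cisco's code): a small Python check that compares the LAN-based failover lines of two units for the settings the replies point to, namely a `failover lan key` present and identical on both units and one unit defined as primary and the other as secondary. The sample configurations are constructed, and the `failover lan unit`, `failover lan key` and `failover lan enable` command forms are assumed from the PIX 6.2 LAN-based failover syntax.

```python
import re

# Constructed sample configurations (not taken from the thread).
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover
failover lan key EXAMPLE-KEY-1
failover lan enable
"""
SECONDARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover
failover lan enable
"""

# Matches "failover lan <option> [value]"; a bare "failover" line is ignored.
LAN_RE = re.compile(r"^\s*failover lan (\S+)(?:\s+(\S+))?\s*$")

def parse_failover_lan(cfg):
    """Return the 'failover lan' options of one unit as a dict."""
    settings = {}
    for line in cfg.splitlines():
        m = LAN_RE.match(line)
        if m:
            # Options without a value (e.g. "enable") are stored as True.
            settings[m.group(1)] = m.group(2) if m.group(2) else True
    return settings

def audit_pair(cfg_a, cfg_b):
    """Compare the LAN-failover settings of two units; return findings."""
    a, b = parse_failover_lan(cfg_a), parse_failover_lan(cfg_b)
    findings = []
    for name, s in (("unit A", a), ("unit B", b)):
        if "key" not in s:
            findings.append(f"{name}: no 'failover lan key' set")
        if "enable" not in s:
            findings.append(f"{name}: 'failover lan enable' missing")
    if "key" in a and "key" in b and a["key"] != b["key"]:
        findings.append("shared key differs between the units")
    if {a.get("unit"), b.get("unit")} != {"primary", "secondary"}:
        findings.append("units must be one primary and one secondary")
    return findings

if __name__ == "__main__":
    for finding in audit_pair(PRIMARY_CFG, SECONDARY_CFG):
        print(finding)
```

Feed it the configuration text as entered on each unit; a key that the device displays masked cannot be compared this way.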

