12-23-2002 09:37 AM - edited 03-09-2019 01:29 AM
Hi all,
I have configured two PIX515E units with 6.2(2) OS for failover operation. The two devices are connected with the failover cable and they seem to work properly. If I configure LAN-based failover on the primary active FW, I get the following messages:
LAN-based Failover: trying to contact peer.
LAN-based Failover: Send hello msg and start failover monitoring
LAN-based Failover Warning, received bad signature pkt
If I check the LAN operation with the
sh failover lan detail
I see on both devices that they have exchanged 2 packets. After that, no more messages are exchanged. On the primary I see that it is the active and the secondary is failed. On the secondary I see that it is the secondary and is in standby, and the other device is secondary too and is in standby.
What can be the problem?
12-23-2002 11:06 AM
Hi,
is there a switch between the two firewalls? It could be that spanning tree on the switch is causing your problem. Try to enable portfast on the switch for each port a pix interface is connected to.
More info on this page:
http://www.cisco.com/warp/public/110/failover.html
(do a search on 'portfast')
Kind Regards,
Tom
12-24-2002 04:40 AM
Hi Tom,
there isn't any switch between the devices. They are connected via a crossover cable.
12-24-2002 09:15 AM
Hi,
have a look at this document:
http://www.cisco.com/warp/public/110/failover.html
Somewhere in the text you will find these two lines:
"It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables."
I don't know if this is really a solution to your problem, but you could give it a try.
Merry Christmas :-)
Tom
01-04-2003 04:02 PM
If you do not set failover lan key
01-06-2003 01:33 PM
From what you are saying, you are using the provided Cisco failover cable? The cable that tells you which side is primary or not, correct? If so, you should not be using the LAN failover configuration. That is for if you go thru a switch or something like that.
Try something like this:
failover
failover ip address outside x.x.x.x
failover ip address dmz x.x.x.x
failover ip address inside x.x.x.x
failover ip address failover x.x.x.x
failover link failover
This is just an example.
Hope this helps.
01-07-2003 03:29 PM
I was having a problem like yours
No, I'm not using the serial cable. I'm using the failover LAN mode.
You need to define the password for the PIX failover security
Use the configuration above + the
"failover lan key
You also need to define which unit is the primary/secondary by default
Go to the PDM session of failover configuration and
click the ? icon. See the examples
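The two settings this post names, the shared `failover lan key` and the primary/secondary unit role, laid out for both units as an added example (not part of the original post or any poster's configuration). The interface name `failover` follows the earlier post; the key and addresses are placeholders, and the command set is assumed to be that of PIX OS 6.2 LAN-based failover.

```cisco
: ---- Primary unit ----
: Assumes an interface already named "failover" (as in the earlier post)
: with its own IP address; <shared-key> and x.x.x.x are placeholders.
failover ip address failover x.x.x.x
failover lan unit primary
failover lan interface failover
failover lan key <shared-key>
failover lan enable
failover

: ---- Secondary unit ----
failover ip address failover x.x.x.x
failover lan unit secondary
failover lan interface failover
: Must be the identical key string configured on the primary.
failover lan key <shared-key>
failover lan enable
failover
```

With both units configured, `sh failover lan detail` (the command from the first post) shows whether packets keep being exchanged after the initial hello.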
01-08-2003 02:20 AM
Hi all!
All my problems have been solved after I had read this topic:
Bye!