Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
606
Views
0
Helpful
7
Replies

LAN-based failover problem

gsebk
Level 1
Level 1

‎12-23-2002 09:37 AM - edited ‎03-09-2019 01:29 AM

Hi all,

I have configured two PIX515E with 6.2(2) OS for failover operation. The two devices are connected with the failover cable and they seem to work properly. If I configure on the primary active FW the lan-based failover, I get the following messages:

LAN-based Failover: trying to contact peer.

LAN-based Failover: Send hello msg and start failover monitoring

LAN-based Failover Warning, received bad signature pkt

If I check the LAN operation with the

sh failover lan detail

I see on both device that they have exchanged 2 packets. After it no more messages are exchanged. On the primary I see thet it is the active and the secondary is failed. On the secondary I see that it is the secopndary and is in standby and the other device is secondary too and is in standby.

What can be the problem?

Labels:
0 Helpful
7 Replies 7

tvanginneken
Level 4
Level 4

‎12-23-2002 11:06 AM

Hi,

is there a switch between the two firewalls? It could be that spanning tree on the switch is causing your problem. Try to enable portfast on the switch for each port a pix interface is connected to.

More info on this page:

http://www.cisco.com/warp/public/110/failover.html

(do a search on 'portfast')

Kind Regards,

Tom

0 Helpful

gsebok
Level 1
Level 1
In response to tvanginneken

‎12-24-2002 04:40 AM

Hi Tom,

there isn't any switch between the devices. They are connected via a crossover cable.

0 Helpful

tvanginneken
Level 4
Level 4
In response to gsebok

‎12-24-2002 09:15 AM

Hi,

have a look at this document:

http://www.cisco.com/warp/public/110/failover.html

Somewhere in the text you will find these two lines:

"It is recommended that you connect the Primary and Secondary PIXes with a dedicated switch. Do not use crossover cables."

I don't know is this is really a solution to you problem, but you could give it a try.

Merry Christmas :-)

Tom

0 Helpful

bs0000554
Level 1
Level 1

‎01-04-2003 04:02 PM

If you do not set failover lan key on both site , it´s may be the solution

0 Helpful

b-pelphrey
Level 1
Level 1
In response to bs0000554

‎01-06-2003 01:33 PM

From what you are saying you are using the provide Cisco failover cable?? The cable that tells you which side is primary or not. correct? If so, you should not be using the lan failover configuration. That is for if you go thru a switch or something like that.

Try something like this:

failover

failover ip address outside x.x.x.x

failover ip address dmz x.x.x.x

failover ip address inside x.x.x.x

failover ip address failover x.x.x.x

failover link failover

This is just an example.

Hope this helps.

0 Helpful

bs0000554
Level 1
Level 1
In response to b-pelphrey

‎01-07-2003 03:29 PM

I was having a problem like yours

No Im not using the serial cable. Im using the failover LAN mode.

you need to define the password for the PIX failover security

Use the configuration above + the

"failover lan key " command Im both units .

You need to define also what unit is the primary/secondary by default

Go to the PDM session of failover configuration and

click the ? icon. See the examples

0 Helpful

gsebok
Level 1
Level 1
In response to bs0000554

‎01-08-2003 02:20 AM

Hi all!

All my problems has been solved after I had red this topic:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72f.html

Bye!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents