Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ciscopix-wrong time in failover

Hi Team,

im having PIX-525 with 707 version and after we do a failover, my secondary firewall which is active now shows a wrong time..im getting the correct failover time in my Primary.

Can anyone suggest me what could be the problem..

show failover#

Failover unit Secondary

Version: Ours 7.0(7), Mate 7.0(7)
Last Failover at: 05:30:44 IST Jan 1 1993
This host: Secondary - Active
  Active time: 300075 (sec)

show version#

firewall up 3 days 11 hours
failover cluster up 3 days 11 hours

show clock#

16:04:22.508 IST Wed Oct 6 2010

10 REPLIES
New Member

Re: ciscopix-wrong time in failover

Hi Cisco Folks,

Can some one please help me...

Super Bronze

Re: ciscopix-wrong time in failover

The "Last Failover" date will only show when the secondary fails back to the Primary.

The Primary firewall is showing the correct failover time because it failed over to the secondary.

Only when the unit fails over from Active to standby, it will update the "Last Failover" time.

Hope that makes sense.

New Member

Re: ciscopix-wrong time in failover

Hi,

I have another set of firewalls, where the secondary is active and last failover time is showing correctly,, lets say on 2009.

Where as this firewall shows that the last failover happend only on 1993, which i can not accept it. Can not believe that the firewall was not failed over for the last 17yrs...could you pls think in that way...

Super Bronze

Re: ciscopix-wrong time in failover

Well, the firewall itself has only been up for 3 days and 11 hours as per the show version output provided:

show version#

firewall up 3 days 11 hours
failover cluster up 3 days 11 hours

So unfortunately, the failover cluster itself hasn't been up for a long time. The 1993 date is the default, and does not reflect an actual failover that has happend.

New Member

Re: ciscopix-wrong time in failover

Well, thats the good information..

will check and update you sir..

New Member

Re: ciscopix-wrong time in failover

Hi jennifer,

I strongly agree with this point. One last query i have is, could you please share me the cisco document for the same..would be great help

Super Bronze

Re: ciscopix-wrong time in failover

Here is the command reference for "show failover" output:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1507535

Hope that helps.

New Member

Re: ciscopix-wrong time in failover

Hi thanks..

This does not say that the default year would be 1993 in last failover time unless not failedover...

Could you pls check this..

Super Bronze

Re: ciscopix-wrong time in failover

Well, as advised earlier, the last failover will only change when the firewall goes from Active to Standby/Failed status. You will not see the actual failover time on the last failover time as your secondary firewall did not fail over as it is the active firewall.

Unfortunately there is no documentation that will tell what is the default date listed for "last failover" as people are normally not concern about default last failover time in investigating failover problem. Plus your failover cluster has just been up for 3 days and 11 hours.

New Member

Re: ciscopix-wrong time in failover

Hi Rajesh,

The year 1993 could be explained in a way that , it is the earliest time that the PIX will accept. So the PIX does not accept dates or times before 1993. That is why the earliest time the failover can show is 1993.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html

Search for this text in the document "The maximum date range for the clock command is 1993 through 2035. A time prior to January 1, 1993, or after December 31, 2035, will not be accepted".

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html

Search this text "clock set"

I hope that helps

Thanks,

288
Views
0
Helpful
10
Replies