06-03-2010 07:18 AM - edited 03-11-2019 10:54 AM
Hello Friends,
Please find the attached output for show failover:
Configuring failover on PIX with IOS 7.2.2 with Active Active license on simulator
int e3
no shut
failover
failover lan unit primary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7
After this I booted the secondary firewall and applied a write standby command on the active unit, but no output. In stateful failover we don't need to specify on the standby unit, but still I executed the below command.
int e3
no shut
failover
failover lan unit secondary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7
From the output I think the cable connection between the 2 firewalls. It is a simulator, so there is no point for straight and cross, but the interfaces are up and the protocol is also up. Correct me if I'm wrong.
Thanks
06-03-2010 08:38 AM
In your config, it doesn't see the secondary firewall. Can you ping the secondary inside interface from the primary? Is the inside address of your secondary 192.168.1.7?
HTH,
John
06-03-2010 09:24 AM
Hello,
Yes, the inside interface of the secondary is 192.168.1.7. It is pingable.
Am I missing anything in my configs? My above steps for stateful failover are correct.
Thanks
06-03-2010 11:05 AM
Can you post the interface configurations from both firewalls and the failover information?
John
06-03-2010 11:54 AM
Dear,
Attached are the configs for Secondary PIX.
My topology is: an L3 switch connecting the 2 firewalls' inside interfaces, a dedicated interface for failover on the firewall, and also a DMZ interface connecting to the router.
In my previous configs I had chosen Ethernet 3 as the failover interface, but now I have changed to Ethernet 4 on both the PIX.
06-03-2010 12:01 PM
Okay, I see the problem. You have a STATE interface configured, but not the LAN side. Try this:
failover lan interface LAN eth4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7
I believe you can use the same interface for LAN and STATE. Your state interface is used to roll over the xlate tables. You don't *need* a state interface, but all connections would need to be manually reconnected again.
*EDIT*: You'll need to do this on both firewalls
Try that and let me know.
John
06-03-2010 12:39 PM
Dear John,
It's the same situation,
I'm getting logs on console " NO response from Mate"
Thanks
06-03-2010 12:44 PM
On the LAN and State interfaces, can you ping each other?
From the primary, try to ping the secondary:
ping 192.168.2.7
From the secondary, try to ping the primary:
ping 192.168.2.6
You may want to remove the STATE interface until you get the LAN side working too.
John
06-03-2010 12:58 PM
Dear John,
I have cleared the failover configs with the command "clear configure failover".
I'm able to ping 192.168.1.6 and 192.168.1.7, which are the inside interface IP addresses, but I'm not able to ping the failover IP addresses 192.168.2.6 and 192.168.2.7.
The state interface configuration has been cleared from the interface configuration.
06-03-2010 01:03 PM
It looks fine. What simulator are you using? Can you do a "sh int ip brief" and post those results?
06-03-2010 01:11 PM
Dear,
I'm using GNS3
PIX-1(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 172.16.1.1 YES CONFIG up up
Ethernet1 192.168.1.6 YES CONFIG up up
Ethernet2 10.146.254.2 YES CONFIG up up
Ethernet3 unassigned YES unset up up
Ethernet4 192.168.2.6 YES unset up up
#####################################################################
PIX2(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 unassigned YES unset up up
Ethernet1 192.168.1.7 YES manual up up
Ethernet2 unassigned YES unset up up
Ethernet3 unassigned YES unset up up
Ethernet4 192.168.2.6 YES unset up up
06-03-2010 01:20 PM
The only thing that I can figure is that GNS is having a problem. Your configs are correct, but the problem is that the secondary thinks it's the primary because of the LAN address of 192.168.2.6. (It's the same as the real primary).
Here's a real configuration from my ASAs:
Primary:
failover
failover lan unit primary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2
sh int ip brie
GigabitEthernet1/1 10.15.15.1 YES unset up up
GigabitEthernet1/2 10.14.14.1 YES unset up up
Secondary:
failover
failover lan unit secondary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2
sh int ip brie
GigabitEthernet1/1 10.15.15.2 YES unset up up
GigabitEthernet1/2 10.14.14.2 YES unset up up
When the unit is in standby mode, then it will be using the standby address of .7, not the .6 that it is using. Otherwise, your configs look right. Oh, and just to double check, make sure that the interfaces that are being used for failover aren't shut. That happened to me one day in GNS where it showed it had applied the configuration, but the interface was shut. (It doesn't show in your config, but just to check.)
John
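As an added example (not code from any poster in this thread), the Python sketch below automates the two checks the replies above walk through: each unit needs a `failover lan interface` line, and a unit in standby should show the standby address in `sh int ip brief`. The function names and the sample configs are constructed for illustration from lines quoted in the thread.

```python
import re

PATTERNS = {
    "unit": r"failover lan unit (primary|secondary)",
    "lan": r"failover lan interface (\S+) (\S+)",
    "link": r"failover link (\S+) (\S+)",
    "ip": r"failover interface ip (\S+) (\S+) \S+ standby (\S+)",
}

def parse_failover(config):
    """Collect the failover lines quoted in the thread from one unit's config."""
    info = {"unit": None, "lan": None, "link": None, "ips": {}}
    for line in map(str.strip, config.splitlines()):
        for key, pattern in PATTERNS.items():
            m = re.fullmatch(pattern, line)
            if m and key == "ip":
                info["ips"][m[1]] = (m[2], m[3])  # name -> (active, standby)
            elif m:
                info[key] = m[1] if key == "unit" else m.groups()
    return info

def brief_ips(output):
    """Map interface -> address from 'sh int ip brief' rows; header rows are skipped."""
    rows = (l.split() for l in output.splitlines())
    return {r[0]: r[1] for r in rows if len(r) > 2 and r[2] == "YES" and r[1] != "unassigned"}

def check_pair(primary_cfg, secondary_cfg, primary_brief="", secondary_brief=""):
    """Return findings for a failover pair; an empty list means nothing was flagged."""
    findings = []
    units = {"primary": parse_failover(primary_cfg), "secondary": parse_failover(secondary_cfg)}
    for role, u in units.items():
        if u["unit"] != role:
            findings.append(f"{role}: 'failover lan unit' is {u['unit']}")
        if u["lan"] is None:
            findings.append(f"{role}: no 'failover lan interface' line")
        elif u["lan"][0] not in u["ips"]:
            findings.append(f"{role}: no 'failover interface ip' for {u['lan'][0]}")
    if units["primary"]["ips"] != units["secondary"]["ips"]:
        findings.append("'failover interface ip' lines differ between the units")
    lan = units["primary"]["lan"]
    if lan:
        a, b = (brief_ips(x).get(lan[1]) for x in (primary_brief, secondary_brief))
        if a and a == b:
            findings.append(f"both units hold {a} on {lan[1]}: the secondary is not in standby")
    return findings

# Constructed samples built from lines quoted in the thread ({role} is filled in per unit).
LINK_ONLY = "failover\nfailover lan unit {role}\nfailover link failover Ethernet3\nfailover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7"
LAN_BASED = "failover\nfailover lan unit {role}\nfailover lan interface LAN Ethernet4\nfailover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7"
BRIEF_ROW = "Ethernet4 192.168.2.6 YES unset up up"
```

Calling `check_pair(LINK_ONLY.format(role="primary"), LINK_ONLY.format(role="secondary"))` flags the missing LAN interface on both units, and passing the same `BRIEF_ROW` for both units to the `LAN_BASED` pair flags the duplicate active address.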
06-03-2010 01:33 PM
Dear John,
In my sh ip int brief output my protocols are up.
The configs you advised me to do by removing state and applying to LAN, we have configured LAN-based failover by changing the command to LAN. I'm pretty sure?
You have used 2 separate interfaces for LAN and stateful failover; can I use 1 interface for stateful and LAN?
failover lan interface LAN GigabitEthernet1/2 ---> this is LAN-based failover?
failover link STATE GigabitEthernet1/1 ---> this is stateful failover?
Thanks