
Failover

lambay2000
Level 2

Hello Friends,



Please find the attached output for show failover:

Configuring failover on PIX with IOS 7.2.2 with Active Active license on simulator

int e3

no shut

failover
failover lan unit primary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7

After this I booted the secondary firewall and applied a write standby command on the active unit, but there was no output. In stateful failover we don't need to specify on the standby unit, but I still executed the commands below.

int e3

no shut

failover
failover lan unit secondary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7

From the output I think the cable connection between the 2 firewalls. It is a simulator, so there is no point for straight and cross, but the interfaces are up and the protocol is also up? Correct me if I am wrong.

Thanks


John Blakley
VIP Alumni

In your config, it doesn't see the secondary firewall. Can you ping the secondary inside interface from the primary? Is the inside address of your secondary 192.168.1.7?

HTH,

John

HTH, John *** Please rate all useful posts ***

Hello,

Yes, the inside interface of the secondary is 192.168.1.7. It is pingable.

Am I missing anything in my configs? My above steps for stateful failover are correct.

Thanks

Can you post the interface configurations from both firewalls and the failover information?

John


Dear,

Attached are the configs for Secondary PIX.

My topology is: an L3 switch connecting the 2 firewalls' inside interfaces, a dedicated interface for failover on the firewall, and also a DMZ interface connecting to a router.

In my previous configs I had chosen Ethernet 3 as the failover interface, but now I have changed to Ethernet 4 on both the PIX.

Okay, I see the problem. You have a STATE interface configured, but not the LAN side. Try this:

failover lan interface LAN eth4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7

I believe you can use the same interface for LAN and STATE. Your state interface is used to roll over the xlate tables. You don't *need* a state interface, but all connections would need to be manually reconnected again.

*EDIT*: You'll need to do this on both firewalls

Try that and let me know.

John


Dear John,

It's the same situation,

I am getting logs on the console: "NO response from Mate"

Thanks

On the LAN and State interfaces, can you ping each other?

From the primary, try to ping the secondary:

ping 192.168.2.7

From the secondary, try to ping the primary:

ping 192.168.2.6

You may want to remove the STATE interface until you get the LAN side working too.

John


Dear John,

I have cleared the failover configs with the command "clear configure failover".

I am able to ping 192.168.1.6 and 192.168.1.7, which are the inside interface IP addresses, but I am not able to ping the failover IP addresses 192.168.2.6 and 192.168.2.7.

The state interface configuration has been cleared from the interface configuration.

It looks fine. What simulator are you using? Can you do a "sh int ip brief" and post those results?

HTH, John *** Please rate all useful posts ***

Dear,

I m using GNS3

PIX-1(config)#   sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  172.16.1.1      YES CONFIG up                    up
Ethernet1                  192.168.1.6     YES CONFIG up                    up
Ethernet2                  10.146.254.2    YES CONFIG up                    up
Ethernet3                  unassigned      YES unset  up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up

#####################################################################

PIX2(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      YES unset  up                    up
Ethernet1                  192.168.1.7     YES manual up                    up
Ethernet2                  unassigned      YES unset  up                    up
Ethernet3                  unassigned      YES unset  up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up

The only thing that I can figure is that GNS is having a problem. Your configs are correct, but the problem is that the secondary thinks it's the primary because of the LAN address of 192.168.2.6. (It's the same as the real primary).

Here's a real configuration from my ASAs:

Primary:

failover
failover lan unit primary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2

sh int ip brie

GigabitEthernet1/1         10.15.15.1      YES unset  up                    up
GigabitEthernet1/2         10.14.14.1      YES unset  up                    up

Secondary:

failover
failover lan unit secondary
failover lan interface LAN GigabitEthernet1/2
failover link STATE GigabitEthernet1/1
failover interface ip LAN 10.14.14.1 255.255.255.252 standby 10.14.14.2
failover interface ip STATE 10.15.15.1 255.255.255.252 standby 10.15.15.2

sh int ip brie

GigabitEthernet1/1         10.15.15.2      YES unset  up                    up
GigabitEthernet1/2         10.14.14.2      YES unset  up                    up

When the unit is in standby mode, then it will be using the standby address of .7, not the .6 that it is using. Otherwise, your configs look right. Oh, and just to double check, make sure that the interfaces that are being used for failover aren't shut. That happened to me one day in GNS where it showed it applied the configuration, but the interface was shut. (It doesn't show in your config, but just to check.)

John

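Added example, not part of any post in this thread: a small Python check for the two conditions raised in the replies above, namely that a `failover lan interface` line exists and that the standby unit holds the standby address on that interface. The rows and commands are copied from the thread; the function names are hypothetical, and `eth4` is written out as `Ethernet4` so it matches the interface names in the output.

```python
import re

# Rows copied from the two "sh int ip brief" outputs posted in the thread.
PIX1 = """\
Ethernet1                  192.168.1.6     YES CONFIG up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up
"""
PIX2 = """\
Ethernet1                  192.168.1.7     YES manual up                    up
Ethernet4                  192.168.2.6     YES unset  up                    up
"""
# Failover commands from the first post, and the LAN-based form suggested later.
FIRST_CFG = """\
failover lan unit primary
failover link failover Ethernet3
failover interface ip failover 192.168.2.6 255.255.255.0 standby 192.168.2.7
"""
FIXED_CFG = """\
failover lan unit primary
failover lan interface LAN Ethernet4
failover interface ip LAN 192.168.2.6 255.255.255.0 standby 192.168.2.7
"""

def parse_brief(text):
    """Map interface name -> (ip, status, protocol); header lines are skipped."""
    rows = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and f[2] in ("YES", "NO"):
            rows[f[0]] = (f[1], " ".join(f[4:-1]), f[-1])
    return rows

def audit(cfg, active_brief, standby_brief):
    """Return findings for a failover pair; an empty list means consistent."""
    lan = re.search(r"^failover lan interface (\S+) (\S+)$", cfg, re.M)
    ips = {m[1]: (m[2], m[3]) for m in re.finditer(
        r"^failover interface ip (\S+) (\S+) \S+ standby (\S+)$", cfg, re.M)}
    if lan is None:
        return ["no 'failover lan interface' line"]
    name, phys = lan.groups()
    if name not in ips:
        return [f"no 'failover interface ip {name}' line"]
    findings = []
    for role, brief, want in zip(("active", "standby"),
                                 (active_brief, standby_brief), ips[name]):
        ip, status, proto = parse_brief(brief).get(phys, ("missing", "-", "-"))
        if (status, proto) != ("up", "up"):
            findings.append(f"{role} unit: {phys} is {status}/{proto}")
        if ip != want:
            findings.append(f"{role} unit: {phys} has {ip}, expected {want}")
    return findings
```

Run against the thread's data, the first configuration is flagged for the missing LAN interface line, and the later one for PIX2 holding 192.168.2.6 instead of 192.168.2.7 on Ethernet4.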

Dear John,

In my sh ip int brief output my protocols are up.

The configs you advised me to do by removing state and applying to LAN, we have configured LAN-based failover by changing the command to LAN. I am pretty sure?

You have used 2 separate interfaces for LAN and stateful failover; can I use 1 interface for stateful and LAN?

failover lan interface LAN GigabitEthernet1/2  ------------------------>this is LAN based failover  ????
failover link STATE GigabitEthernet1/1 -----------------------------> this is stateful failover???

Thanks
