You can simply telnet to the standby unit and do "show run". If you do not know the IP of the standby, issue "show failover" on the primary PIX; the output will include the standby IP. "show failover" will also tell you the failover status; if it is OK, then your standby running config should be identical to the primary's.
That is my problem, as every time I do "sh failover", this is what I get:
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 21:21:36 EST Mar 6 2008
This host: Primary - Active
Active time: 237825 (sec)
Interface outside (220.127.116.11): Normal (Waiting)
Interface inside (192.168.252.2): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Not-Monitored)
Interface intf3 (0.0.0.0): Link Down (Not-Monitored)
Interface intf4 (0.0.0.0): Link Down (Not-Monitored)
Interface intf5 (0.0.0.0): Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 690 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Unknown (Not-Monitored)
Interface intf3 (0.0.0.0): Unknown (Not-Monitored)
Interface intf4 (0.0.0.0): Unknown (Not-Monitored)
Interface intf5 (0.0.0.0): Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
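A small parser for the "show failover" output quoted above, added here as an example and not code from the thread or from Cisco. SAMPLE is a constructed copy of the posted output (the unused intf3-intf5 lines are trimmed). The rules in check() are this example's own reading of the fields: an interface shown as 0.0.0.0 on the other host is taken as "no standby IP configured", "(Waiting)" as "no hello yet received from the mate on that interface" (the cabling/VLAN check suggested in the thread), and "Link : Unconfigured" as "no stateful failover link".

```python
"""Parse PIX/ASA 7.x 'show failover' output and flag common failover problems.

Added example, not from the original posts. SAMPLE is a constructed copy of
the output quoted in the thread; the field meanings used by check() are
assumptions about the command output, not Cisco documentation.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 21:21:36 EST Mar 6 2008
This host: Primary - Active
Active time: 237825 (sec)
Interface outside (220.127.116.11): Normal (Waiting)
Interface inside (192.168.252.2): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 690 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Unknown (Not-Monitored)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

# "Interface outside (220.127.116.11): Normal (Waiting)" -> name, ip, status, monitor
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): ([^(]+?) \(([^)]+)\)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
VERSION_RE = re.compile(r"^\s*Version: Ours (\S+), Mate (\S+)")
MONITORED_RE = re.compile(r"^\s*Monitored Interfaces (\d+) of (\d+) maximum")


@dataclass
class Host:
    role: str                      # Primary / Secondary
    state: str                     # Active / Standby Ready / Failed ...
    interfaces: list = field(default_factory=list)   # (name, ip, status, monitor)


@dataclass
class FailoverStatus:
    enabled: bool = True
    versions: tuple = ("?", "?")   # (ours, mate)
    monitored: int = 0
    hosts: dict = field(default_factory=dict)        # "This"/"Other" -> Host
    stateful_link: str = "unknown"


def parse_show_failover(text):
    """Return a FailoverStatus built from the raw command output."""
    st = FailoverStatus()
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover Off":
            st.enabled = False
        m = HOST_RE.match(line)
        if m:                       # interface lines that follow belong to this host
            current = Host(role=m.group(2), state=m.group(3))
            st.hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces.append(m.groups())
            continue
        m = VERSION_RE.match(line)
        if m:
            st.versions = (m.group(1), m.group(2))
            continue
        m = MONITORED_RE.match(line)
        if m:
            st.monitored = int(m.group(1))
            continue
        if line.strip().startswith("Link :"):
            st.stateful_link = line.split(":", 1)[1].strip().rstrip(".")
    return st


def check(st):
    """Return a list of human-readable problems; empty means the pair looks healthy."""
    issues = []
    if not st.enabled:
        return ["failover is off on this unit"]
    if st.versions[0] != st.versions[1]:
        issues.append(f"software mismatch: ours {st.versions[0]}, mate {st.versions[1]}")
    states = {h.state for h in st.hosts.values()}
    if "Other" not in st.hosts:
        issues.append("mate not detected")
    elif states != {"Active", "Standby Ready"}:
        issues.append(f"pair is not Active/Standby Ready: {sorted(states)}")
    for which, host in st.hosts.items():
        for name, ip, status, monitor in host.interfaces:
            if monitor == "Not-Monitored":
                continue            # unused ports are expected to be down
            if status != "Normal":
                issues.append(f"{which} host {name}: {status}")
            if monitor == "Waiting":
                issues.append(f"{which} host {name}: waiting for hello from mate (check cabling/VLAN)")
            if which == "Other" and ip == "0.0.0.0":
                issues.append(f"{name}: no standby IP address configured")
    if st.stateful_link.lower().startswith("unconfigured"):
        issues.append("stateful failover link unconfigured: connections will not survive a failover")
    if st.monitored == 0:
        issues.append("no interfaces monitored")
    return issues


if __name__ == "__main__":
    for issue in check(parse_show_failover(SAMPLE)):
        print("-", issue)
```

Run against the quoted output it reports the two monitored interfaces on both units stuck in "Waiting", the missing standby addresses on the secondary, and the unconfigured stateful link; a clean Active/Standby pair returns an empty list.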
Please go over the physical connectivity on your standby unit with respect to the outside and inside interfaces. Does the standby PIX's inside interface connect to a switch on the same VLAN as the primary's? In other words, if you have two firewalls in failover, each firewall's interface connection to a switch must be on the same VLAN and actually be connected; the same goes for the standby unit's outside interface connection to a switch. If you have these connected to a switch, you can issue "failover reset" to restart failover (of course, do it in non-production hours). Could you post the failover portion of the config from your primary PIX?
Angel, go over this link to configure a failover/standby configuration under code 7.x. I'll be on and off the forum; if you have any questions, let us know.
Sorry for not getting back sooner... Monday mornings...
I am now back at full speed on this project. It seems to me that this firewall is not setup for failover. Please confirm.
Also, before I go ahead and configure (with your help, obviously :) ) this 525 for failover: I was doing some reading last night and found out that there are 2 types of failover, Active/Active and Active/Standby. (BTW, that document is one of the documents I downloaded and read last night...) So I want to ask you which is the best of them, or which do you recommend?
The Active/Active option seduces me a bit as it also does load balancing, but again, I am not too experienced with PIX failover. I am just thinking, "hey, if the secondary PIX will just be sitting there not doing any work, perhaps we'll give it some"... but again, I will follow the best and most recommended setup.
Hi, looking at your config output, the PIX is not configured for failover. The first thing you need to do is a firewall license assessment.
On the primary, the "show version" output should tell you at the end the type of failover license, e.g. FO means Failover Only. Your standby's "show version" output should be UR for Unrestricted; FO and UR is the Failover/Standby scenario. I think if you have Active/Active then you will see the license differently; I will look it up.
Make an assessment of what type of failover cable is there from PIX1 to PIX2 to determine whether it is LAN-based failover etc. Since you cannot telnet to the standby, you will have to console to it to get the "show ver" info etc.
In the meantime, see table 9 for licensing info.
Once you get the assessment straight, the link you read or the one I provided in my second post gives an example of a standby/failover configuration. I'll be more than happy to assist, and I'm very sure nepros will as well. I'll be off and on the forum as I'm a bit busy today, but I'll try to look up your model specs.
And what about the line that says "Active/Active"?
Does this mean this 525 can only do Active/Active failover, or can it also do the Active/Standby type of failover?
It can do both. Most likely you'll want Active/Standby.
Awesome. Thanks for confirming this. Looks like I'm all set on this PIX. For the backup PIX, do I need any kind of special license as well?
And yes, I read that article, as well as the one for Active/Active, and Active/Standby looks like the route to go.
But in which situations would you use Active/Active, though? Distributing the load sounds like a good idea.
Active/Active is when you have multiple contexts configured. If you have multiple contexts configured, you can't use VPNs.
You don't need any other special licenses.