Customer with issue on failover all of a sudden. Still using the primary and secondary serial cable. When secondary comes up it assumes primary even though primary is up. Once up, the secondary does not pass any traffic and nothing works. Down the secondary and all is well. Where to start?
The key item to remember when speaking of failover on PIX is the Logical description (Primary/Secondary) and the Functional Description (Active/Standby). Above, since you are seemingly using Serial-based failover, I'm assuming that you are stating that the Secondary PIX is taking on the Functional role of Active.
Some of the steps that I would take to isolate the issue are:
1.) 'show failover' on both Primary and Secondary PIX. There may be a particular interface that is shown as 'Failed'.
2.) Enable 'logging buffered debugging'. At the time of the failover situation, issue the command 'show log | inc PIX-1'. All failover messages on the PIX (and ASA) are Level-1 messages.
3.) If the command is supported, and if the firewalls have not been rebooted since the failover, gather the output of 'show failover history'.
4.) From each of the firewalls, for each interface, ping the peer's interface. Assuming ping is permitted on the interface, all pings should be successful.
If the Secondary is active, confirm upstream/downstream routes and monitor the syslogs (at the 'debugging' level).
The output of these commands/tests will likely lead you to the cause of the failover issues.
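An added example, not part of the original reply: a small parser that takes the 'show failover' text captured from both units in step 1, flags the case where each unit reports itself Active, and lists any interface not shown as 'Normal'. The sample output is constructed and only modelled on the command's layout; the function names and both regular expressions are assumptions to adjust to the output of the software version in use.

```python
import re

# Constructed sample text modelled on the 'show failover' layout; real output
# varies by software version, so treat both patterns below as assumptions.
PRIMARY_OUT = """Failover On
Cable status: Normal
    This host: Primary - Active
        Interface outside (192.0.2.1): Normal
        Interface inside (10.0.0.1): Normal
    Other host: Secondary - Standby
        Interface outside (192.0.2.2): Normal
        Interface inside (10.0.0.2): Normal
"""
SECONDARY_OUT = """Failover On
Cable status: Normal
    This host: Secondary - Active
        Interface outside (192.0.2.1): Normal
        Interface inside (10.0.0.1): Normal
    Other host: Primary - Failed
        Interface outside (192.0.2.2): Normal
        Interface inside (10.0.0.2): Failed
"""
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(\S.*?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\):\s*(\S.*?)\s*$")

def parse_show_failover(text):
    """Map 'This'/'Other' to that unit's logical name, state and interface status."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts[m.group(1)] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = m.group(2)
    return hosts

def findings(primary_text, secondary_text):
    """Compare both units' views: flag dual-Active and any interface not 'Normal'."""
    views = [parse_show_failover(primary_text), parse_show_failover(secondary_text)]
    out = []
    if all(v.get("This", {}).get("state") == "Active" for v in views):
        out.append("both units report themselves Active")
    for v in views:
        reporter = v.get("This", {}).get("unit", "unknown")
        for host in v.values():
            for name, status in host["interfaces"].items():
                if status != "Normal":
                    out.append(f"{reporter} view: {host['unit']} interface {name} is {status}")
    return out

if __name__ == "__main__":
    for item in findings(PRIMARY_OUT, SECONDARY_OUT):
        print(item)
```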