(Waiting) suggest hello not received so Failover Monitoring Has Not Begun.
This happens when failover has not started to monitor the network interfaces. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the other unit on that interface. This takes about 30 seconds. If the unit is attached to a network switch that runs Spanning Tree Protocol (STP), this takes twice the "forward delay" time configured in the switch (typically configured as 15 seconds), plus this 30 second delay. This is because at PIX bootup and immediately following a failover event, the network switch detects a temporary bridge loop. Upon detection of this loop, it stops forwarding packets on these interfaces for the "forward delay" time. It then enters the "listen" mode for an additional "forward delay" time, during which time the switch listens for bridge loops but not forwarding traffic (and thus not forwarding failover "hello" packets). After twice the forward delay time (30 seconds), traffic resumes flowing. Each PIX remains in "waiting" mode until it hears 30 seconds worth of "hello" packets from the other unit. During the time the PIX is passing traffic, it does not fail the other unit based on not hearing the "hello" packets. All other failover monitoring still occurs (that is, Power, Interface Loss of Link, and Failover Cable "hello").
Cisco strongly recommends that customers enable portfast on all switch ports that connect to PIX interfaces. In addition, channeling and trunking need to be disabled on these ports. Thus, if the interface of the PIX goes down during failover, the switch does not have to wait 30 seconds while the port transitions from a listening to learning to forwarding state.
but the failover is working fine when i switch off the primary unit but in our existing network we setup the failover with version 6.3 i have given the command # failover ip outside xxxx xxxx and also when i give #show failover it shows all primary interface IP and all secondary interface ip
PIX Version 7.2(3)
ip address x.x.x19.179 255.255.255.248
ip address 10.x.21.2 255.255.255.0
ip address 10.x.1.254 255.255.255.0
description STATE Failover Interface
no ip address
no ip address
failover polltime unit 3 holdtime 9
failover link STATE Ethernet3
failover interface ip STATE 172.16.35.1 255.255.255.0 standby 172.16.35.2
in 7.2 it shows only primary unit ip and statefull interface ip
i dont know its normal or i need to do some other config
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :