I have pix 525 6.3(5) in FO config.i have 4 int. inside,outside,dmz1 & dmz2 with a cable based FO.
when i issue show failover command it shows ouside, dmz1 & dmz2 interface as Normal on both Active & standby unit.But on the inside interface it shows Normal on Active unit & Normal (Waiting) on the Standby unit. All interface are hardcode 100Full & connected through Switch.
If the PIX configuration is fine, i.e, IP address on active PIX and standby PIX are on same subnet, inside ports of both firewalls are connected to two ports on a switch which are on same VLAN, verify the physical connectivity if that is fine. Check if you are able to ping the inside interface IP of standby PIX from active PIX and vice-versa. If this does not work, we need to look at layer 1 issue. Mostly its either interface card on PIX, ports on the switch, cables, or VLAN issue on swithc. Please verify all these things are in place.
I am not able to ping the inside interface of the standby PIX from my ACTIVE PIX. I can ping the dmz interface of the standby PIX from ACTIVE. I changed the switch port also but shows the same Normal(waiting).when i disconnet the standby PIX inside interface & issue show failover it show the Linkdown(waiting)
Is it the physical port problem. it's a 4 port 100mbps card.the other 2 ports are working fine.
As you mentioned, from Active PIX, you are unable to ping the inside interface of standby PIX. To further zero down on the issue, enable icmp debug on the both PIXes, using "deb icmp tra" command. Now again try to ping the inside interface of standby PIX from active PIX. Notice on standby PIX if you recieve any ICMP packets. Debugs will show that if standby PIX recieved the ICMP packets, if it did and replied back, ICMP debug on active PIX will show if it recieved the ICMP replies back.
If we dont see any ICMP packets reaching the stanby PIX, the issue could be in between, i.e, the switch ports or cabling. From the internal network check if you are able to ping the inside interfaces of both the PIXes. Verify the CAM/ARP tables on the switch, also the VLAN configuration.
If possible, try connecting the inside interfaces of both the PIXes using a crossover cable directly. After this if things come up fine, it will definately indicate the problem with an intermediate device. If the interfaces are still not pinging then its surely a problem with one of the 4-port cards. Though this test is the most definitive test, but I understand that this might hamper your production, as you have to unplug the inside interfaces completely and connect them directly using a cross cable.
i tested enabling icmp trace.on the PIX1 i can see the icmp request coming & icmp reply send to PIX2. but pix2 is not responding.it certainly seems to be a problem of the port. can it happen that a single port of the 4-port card can fail. alternatively can i use different port nos for FO. i mean say eth3 on PIX1 & eth2 on PIX2 for Statefull failover.
It could be a problem with the port on PIX. Have you also tested pinging the PIX2 port from your switch/lan and see if PIX2 is recieving and replying to those?
"can i use different port nos for FO. i mean say eth3 on PIX1 & eth2 on PIX2 for Statefull failover."
No .. this will not work. However here is what we can try .. if possible though. Swap the interfaces.
- either swap the complete 4-port cards between PIX1 & PIX2 and see if problem shifts to PIX1.
- swap eth2 with eth3 on both pixes and see if problem shifts.
I understand this would be difficult to do in production, but if we have eliminated all the possible issues due to swith/switch ports/vlans/cables .. then it could be the PIX port also we may need to replace.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :