Cisco Support Community


Weird issue with PIX failover


My customer has 2 PIX 515e boxes. He has not configured any failover IP addresses. In the output of show failover, all the interfaces are in waiting state. BUT the failover is still working. It is weird because the configuration does not have any failover IPs configured.

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

Last Failover at: 23:15:21 IST Sat Jun 2 2007

This host: Primary - Active

Active time: 145650 (sec)

Interface outside (x.x.x.x): Normal (Waiting)

Interface inside (x.x.x.x)(Waiting)

Interface intf2 (x.x.x.x) Link Down (Shutdown)

Interface intf3 (x.x.x.x): Normal (Waiting)

Interface intf4 ( Link Down (Shutdown)

Interface intf5 ( Link Down (Shutdown)

Other host: Secondary - Standby

Active time: 0 (sec)

Interface outside ( Normal (Waiting)

Interface inside ( Normal (Waiting)

Interface intf2 ( Link Down (Shutdown)

Interface intf3 ( Normal (Waiting)

Interface intf4 ( Link Down (Shutdown)

Interface intf5 ( Link Down (Shutdown)

The configuration is:


failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

We tested by switching off the primary PIX, and to my surprise the standby PIX took the IP addresses of the primary and traffic was flowing normally. Please let me know if this is normal.


Re: Weird issue with PIX failover

I will have to preface this with saying "I believe", as I am not 100% on my answer:

Then, "it depends".

If you have the Serial Failover cable attached, then even without a Failover IP address configured, the two PIX boxes will "know" each other, and keep their configurations synchronized. If you shut down the primary PIX, the failover box will see the loss, and take over as the primary. They will NOT have any State or Session activity, so current connections will drop, and need to be re-established. Adding the failover interface and cables will allow State information to be maintained, so connections will not drop. (Important for Citrix or Mainframe connectivity)

If there is no Failover cable attached, then this would not be normal.
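
An added example, not part of the thread: a small Python check that parses `show failover` output like the one quoted in the question, lists every interface reported as Waiting on either unit, and notes whether the configuration carries a `no failover ip address` line for it. The sample text is constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the output and configuration quoted in the
# question (including lines whose parentheses were damaged in the post).
SHOW_FAILOVER = """\
Failover On
Cable status: Normal
This host: Primary - Active
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x)(Waiting)
Interface intf2 (x.x.x.x) Link Down (Shutdown)
Other host: Secondary - Standby
Interface outside ( Normal (Waiting)
Interface intf2 ( Link Down (Shutdown)
"""
CONFIG = """\
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
"""

HOST_RE = re.compile(r"^(This|Other) host:")
# Interface name is the second token; the state is the last parenthesised group.
IF_RE = re.compile(r"^Interface\s+(\S+).*\(([^()]*)\)\s*$")

def parse_show_failover(text):
    """Return {(unit, interface): state}, unit being 'This' or 'Other'."""
    states, unit = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HOST_RE.match(line):
            unit = m.group(1)
        elif unit and (m := IF_RE.match(line)):
            states[(unit, m.group(1))] = m.group(2)
    return states

def audit(show_text, config_text):
    """Return (unit, interface, failover_ip_missing) for each Waiting interface."""
    no_ip = set(re.findall(r"^no failover ip address (\S+)", config_text, re.M))
    return [(unit, ifname, ifname in no_ip)
            for (unit, ifname), state in sorted(parse_show_failover(show_text).items())
            if state == "Waiting"]

if __name__ == "__main__":
    for unit, ifname, missing in audit(SHOW_FAILOVER, CONFIG):
        note = "no failover ip address in config" if missing else "not negated in config"
        print(f"{unit} host, interface {ifname}: Waiting ({note})")
```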


