My customer has 2 PIX 515e boxes. He has not configured any failover IP addresses. In the output of show failover, all the interfaces are in waiting state. BUT the failover is still working. It is weird because the configuration does not have any failover IPs configured.
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 23:15:21 IST Sat Jun 2 2007
This host: Primary - Active
Active time: 145650 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x)(Waiting)
Interface intf2 (x.x.x.x) Link Down (Shutdown)
Interface intf3 (x.x.x.x): Normal (Waiting)
Interface intf4 (127.0.0.1): Link Down (Shutdown)
Interface intf5 (127.0.0.1): Link Down (Shutdown)
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Shutdown)
Interface intf3 (0.0.0.0): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
The configuration is:
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
We tested by switching off the primary PIX and, to my surprise, the standby PIX took the IP addresses of the primary and traffic was flowing normally. Please let me know if this is normal.
I will have to preface this with saying "I believe", as I am not 100% on my answer:
Then, "it depends".
If you have the Serial Failover cable attached, then even without a Failover IP address configured, the two PIX boxes will "know" each other, and keep their configurations synchronized. If you shut down the primary PIX, the failover box will see the loss, and take over as the primary. They will NOT have any State or Session activity, so current connections will drop, and need to be re-established. Adding the failover interface and cables will allow State information to be maintained, so connections will not drop. (Important for Citrix or Mainframe connectivity)
If there is no Failover cable attached, then this would not be normal.
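A check for the condition discussed in this thread, as an added example that is not part of either post: it parses show failover output and lists every active interface reported as Waiting, plus every interface on the other unit whose address shows as 0.0.0.0. The sample text, the issue labels and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the "show failover" output in the question;
# addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
This host: Primary - Active
Interface outside (192.0.2.1): Normal (Waiting)
Interface inside (10.0.0.1)(Waiting)
Interface intf2 (10.0.2.1) Link Down (Shutdown)
Other host: Secondary - Standby
Interface outside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Shutdown)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(\w+)")
# Tolerates the missing colon and missing link state seen in the pasted output.
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):?\s*(.*)$")


def parse_show_failover(text):
    """Return {'This': {...}, 'Other': {...}} with role, state, interfaces."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, addr, status = m.groups()
            current["interfaces"][name] = {"addr": addr, "status": status.strip()}
    return hosts


def findings(hosts):
    """List (host, interface, issue) for interfaces that are not shut down."""
    out = []
    for host, info in hosts.items():
        for name, iface in info["interfaces"].items():
            if "Shutdown" in iface["status"]:
                continue
            if "Waiting" in iface["status"]:
                out.append((host, name, "waiting"))
            if host == "Other" and iface["addr"] == "0.0.0.0":
                out.append((host, name, "no-peer-address"))
    return out
```

Running findings(parse_show_failover(...)) over saved output from both units gives a quick list of interfaces to review before relying on the pair.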