Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
437
Views
0
Helpful
0
Replies

Firewall Unable to sync configuration from Active, the interface down/up

jefferyshi
Level 1
Level 1

‎05-22-2015 07:55 AM - edited ‎03-11-2019 10:58 PM

Hello All,

 

I have HA PIX515E and Version is 7.2(2). but the HA is not working recently.
the primary firewall Unable to sync configuration from Active. the interface status is wired.
outside and inside interface are down, protocol up. but the switch which connect to are up/up. Cable is ok.
I don't understand why physical down, protocol up. this cause HA fail.
Reload firewall, the problem still persist. Try to shtudown switch port, firewall port will change status from down/up to down/down. once no shutdown switch port, the status change back to down/up.

 

these HA firewall are run at transparent mode. only 3 port used, inside, outside and state.

Please advice what the problem of this firewall.

 

 

Fw01-hkg2# sh failover 
Failover On 
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 00:00:19 UTC Jan 1 1993
        This host: Primary - Sync Config 
                Active time: 0 (sec)
                  Interface outside (x.x.x.117): No Link (Waiting)
                  Interface inside (x.x.x.117): No Link (Waiting)
        Other host: Secondary - Active 
                Active time: 66770183 (sec)
                  Interface outside (x.x.x.116): Unknown (Waiting)
                  Interface inside (x.x.x.116): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : state Ethernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         0          0          0          0         
        sys cmd         0          0          0          0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        0          0          0          0         
        UDP conn        0          0          0          0         
        ARP tbl         0          0          0          0         
        L2BRIDGE Tbl    0          0          0          0         
        Xlate_Timeout   0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       0
        Xmit Q:         0       0       0
Fw01-hkg2# 
Fw01-hkg2#   
        Unable to sync configuration from Active
.

        Detected an Active mate
  


Fw01-hkg2# sh interface 
Interface Ethernet0 "outside", is down, line protocol is up------------------>physical down, but protocol up!!! 
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Description: To-internet
        MAC address 0016.9d35.54ca, MTU 1500
        IP address x.x.x.116, subnet mask 255.255.255.224
        19621 packets input, 1182338 bytes, 0 no buffer
        Received 3444 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/2)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1 "inside", is down, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Description: To-intranet
        MAC address 0016.9d35.54cb, MTU 1500
        IP address x.x.x.116, subnet mask 255.255.255.224
        244950 packets input, 118882273 bytes, 0 no buffer
        Received 3810 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/30)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet2 "", is administratively down, line protocol is down
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 000d.8810.e100, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (1/0) software (0/0)
Interface Ethernet3 "", is administratively down, line protocol is down
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 000d.8810.e101, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (1/0) software (0/0)
Interface Ethernet4 "", is administratively down, line protocol is down
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex, Auto-Speed
        Available but not configured via nameif
        MAC address 000d.8810.e102, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (1/0) software (0/0)
Interface Ethernet5 "state", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Description: STATE Failover Interface
        MAC address 000d.8810.e103, MTU 1500
        IP address 172.16.255.9, subnet mask 255.255.255.252
        9507 packets input, 572100 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        39 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/19)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
  Traffic Statistics for "state":
        9496 packets input, 360848 bytes
        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 1 pkts/sec,  38 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  38 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Fw01-hkg2#      
        Unable to sync configuration from Active
.

        Detected an Active mate

------------------------------------------
this is currently active woring firewall.

Fw01-hkg2# sh failover 
Failover On 
Cable status: Normal
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 08:11:19 UTC Apr 9 2013
        This host: Secondary - Active 
                Active time: 66761104 (sec)
                  Interface outside (x.x.x.116): Normal (Waiting)
                  Interface inside (x.x.x.116): Normal (Waiting)
        Other host: Primary - Sync Config 
                Active time: 0 (sec)
                  Interface outside (x.x.x.117): Unknown 
                  Interface inside (x.x.x.117): Unknown 

Stateful Failover Logical Update Statistics
        Link : state Ethernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         2955811768 0          1218922170 0         
        sys cmd         32648513   0          32648513   0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        2500391657 0          605165149  0         
        UDP conn        401387137  0          540195666  0         
        ARP tbl         20731698   0          38397584   0         
        L2BRIDGE Tbl    652763     0          2515258    0         
        Xlate_Timeout   0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      1463791247
        Xmit Q:         0       1       2955811768

 

Thank you so much.

 

Jeff
        

2 people had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card