10-19-2006 12:07 PM - last edited on 02-21-2020 11:16 PM by cc_security_adm
I have configured my primary PIX for failover to no avail; when I power up the secondary firewall it goes into active state. The two firewalls aren't syncing. "sho failover" on the primary shows the secondary firewall in failed state and vice versa. Here is a copy of the config:
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0 standby x.x.x.x
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.60.1 255.255.255.0 standby 10.1.60.3
!
interface Ethernet5
description state failover interface
nameif failover
security-level 0
no ip address
failover
failover polltime unit 5 holdtime 15
failover replication http
failover link failover
failover interface ip failover 172.16.x.x 255.255.255.0 standby 172.16.2.x
Please help. Both firewalls are running 7.1(2)4; one has 128 MB and the other has 64 MB. Is the RAM the problem?
10-19-2006 10:05 PM
This may be a silly question, but are all the interfaces on both firewalls plugged in right now? Could you post a "show fail" output for us to see?
-Eric
Please remember to rate all helpful posts.
10-20-2006 04:05 AM
Yes, it's up. Here it goes:
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 5 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
failover replication http
Version: Ours 7.1(2)4, Mate Unknown
Last Failover at: 13:19:55 UTC Oct 19 2006
This host: Primary - Active
Active time: 81805 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (10.1.1.2): Normal (Waiting)
Interface dmz (10.1.60.1): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Waiting)
Interface intf4 (0.0.0.0): Link Down (Waiting)
Interface failover (172.16.2.1): Normal (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
Interface outside (x.x.x.x): Unknown (Waiting)
Interface inside (10.1.1.3): Unknown (Waiting)
Interface dmz (10.1.60.3): Unknown (Waiting)
Interface intf3 (0.0.0.0): Unknown (Waiting)
Interface intf4 (0.0.0.0): Unknown (Waiting)
Interface failover (172.16.2.2): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : failover Ethernet5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
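A small check over the output posted above, added here as an example and not part of the original thread: it parses `show failover` text and lists the fields showing that the peer is not seen as healthy. The function names and the set of states treated as healthy are assumptions of this example.

```python
import re

# Excerpt of the "show failover" output posted above, addresses as redacted there.
SAMPLE = """\
Version: Ours 7.1(2)4, Mate Unknown
This host: Primary - Active
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (10.1.1.2): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Waiting)
Other host: Secondary - Failed
Interface outside (x.x.x.x): Unknown (Waiting)
Interface inside (10.1.1.3): Unknown (Waiting)
"""

VERSION = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+)$")
IFACE = re.compile(r"^Interface (\S+) \([^)]*\):\s*(.+?)(?:\s*\(\w+\))?$")
# Assumption: these are the only states treated as healthy by this check.
HEALTHY_STATES = ("Active", "Standby Ready")

def parse_show_failover(text):
    """Parse versions plus per-host role, state and interface status."""
    parsed = {"versions": (None, None), "hosts": {}}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VERSION.match(line):
            parsed["versions"] = m.groups()
        elif m := HOST.match(line):
            current = {"role": m[2], "state": m[3], "interfaces": {}}
            parsed["hosts"][m[1]] = current
        elif current is not None and (m := IFACE.match(line)):
            current["interfaces"][m[1]] = m[2]
    return parsed

def findings(parsed):
    """Return the conditions showing the peer is not seen as healthy."""
    out = []
    if parsed["versions"][1] in (None, "Unknown"):
        out.append("mate version unknown")
    for which, host in parsed["hosts"].items():
        if host["state"] not in HEALTHY_STATES:
            out.append(f"{which} host ({host['role']}) is {host['state']}")
        bad = sorted(n for n, s in host["interfaces"].items() if s != "Normal")
        if bad:
            out.append(f"{which} host interfaces not Normal: {', '.join(bad)}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_show_failover(SAMPLE))))
```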
10-20-2006 07:13 AM
Ok, the following link will shed some light on the situation. To run 7.x, a 515 needs 64MB memory for a restricted license, but 128 for unrestricted or failover license. It looks like you will need to upgrade the failover to 128 to keep using it.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_bulletin0900aecd8023c8d4.html
-Eric
Please remember to rate all helpful posts.
10-20-2006 07:36 AM
Thanks. I guess this is why, when I do turn it on, the secondary PIX becomes the active firewall: it only has 64 MB of RAM. Even though the serial cable with the Primary label is connected to the primary firewall, it fails over to the secondary.