Configuring PIX 515E for Active/Standby Cable-Base Failover

damrut5763
Level 1

I have configured my primary PIX for failover, to no avail. When I power up the secondary firewall, it goes into the active state. The two firewalls aren't syncing: "sho failover" on the primary shows the secondary firewall in a failed state, and vice versa. Here is a copy of the config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 standby x.x.x.x
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.1.60.1 255.255.255.0 standby 10.1.60.3
!
interface Ethernet5
 description state failover interface
 nameif failover
 security-level 0
 no ip address
failover
failover polltime unit 5 holdtime 15
failover replication http
failover link failover
failover interface ip failover 172.16.x.x 255.255.255.0 standby 172.16.2.x

Please help. Both firewalls are running 7.1(2)4; one has 128 MB and the other has 64 MB. Is the RAM the problem?


ethiel
Level 3

This may be a silly question, but are all the interfaces on both firewalls plugged in right now? Could you post a "show fail" output for us to see?

-Eric

Please remember to rate all helpful posts.

Yes, it's up. Here it goes:

Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 5 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 6 of 250 maximum
failover replication http
Version: Ours 7.1(2)4, Mate Unknown
Last Failover at: 13:19:55 UTC Oct 19 2006
    This host: Primary - Active
        Active time: 81805 (sec)
        Interface outside (x.x.x.x): Normal (Waiting)
        Interface inside (10.1.1.2): Normal (Waiting)
        Interface dmz (10.1.60.1): Normal (Waiting)
        Interface intf3 (0.0.0.0): Link Down (Waiting)
        Interface intf4 (0.0.0.0): Link Down (Waiting)
        Interface failover (172.16.2.1): Normal (Waiting)
    Other host: Secondary - Failed
        Active time: 0 (sec)
        Interface outside (x.x.x.x): Unknown (Waiting)
        Interface inside (10.1.1.3): Unknown (Waiting)
        Interface dmz (10.1.60.3): Unknown (Waiting)
        Interface intf3 (0.0.0.0): Unknown (Waiting)
        Interface intf4 (0.0.0.0): Unknown (Waiting)
        Interface failover (172.16.2.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
    Link : failover Ethernet5 (up)
    Stateful Obj     xmit   xerr   rcv    rerr
    General          0      0      0      0
    sys cmd          0      0      0      0
    up time          0      0      0      0
    RPC services     0      0      0      0
    TCP conn         0      0      0      0
    UDP conn         0      0      0      0
    ARP tbl          0      0      0      0
    Xlate_Timeout    0      0      0      0
    VPN IKE upd      0      0      0      0
    VPN IPSEC upd    0      0      0      0
    VPN CTCP upd     0      0      0      0
    VPN SDI upd      0      0      0      0
    VPN DHCP upd     0      0      0      0

    Logical Update Queue Information
                     Cur    Max    Total
    Recv Q:          0      0      0
    Xmit Q:          0      0      0

Ok, the following link will shed some light on the situation. To run 7.x, a 515 needs 64MB memory for a restricted license, but 128 for unrestricted or failover license. It looks like you will need to upgrade the failover to 128 to keep using it.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_bulletin0900aecd8023c8d4.html

-Eric

Please remember to rate all helpful posts.

Thanks. I guess this is why, when I do turn it on, the secondary PIX becomes the active firewall: it only has 64 MB of RAM. Even though the serial cable with the Primary label is connected to the primary firewall, it fails over to the secondary.
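An added example, not part of the original thread: a small Python parser for the "show failover" layout posted above, which lists the symptoms visible in that output (mate version unknown, peer Failed, peer interfaces Unknown, stateful counters at zero) so a failover pair can be health-checked from a script. The function names and the abridged sample are constructed for illustration, and the parser assumes only the line layout seen in this thread.

```python
import re

# Constructed sample: an abridged copy of the "show failover" output in the thread.
SAMPLE = """\
Version: Ours 7.1(2)4, Mate Unknown
This host: Primary - Active
Interface outside (x.x.x.x): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Waiting)
Other host: Secondary - Failed
Interface outside (x.x.x.x): Unknown (Waiting)
Interface failover (172.16.2.2): Unknown (Waiting)
Stateful Failover Logical Update Statistics
General 0 0 0 0
TCP conn 0 0 0 0
"""

VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\):\s*(.+?)\s*(?:\((\w+)\))?$")
STAT_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_show_failover(text):
    """Parse the layout shown in the thread into a dict (hypothetical helper)."""
    out = {"hosts": {}, "stats": {}, "ours": None, "mate": None}
    current, in_stats = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VER_RE.match(line):
            out["ours"], out["mate"] = m.groups()
        elif m := HOST_RE.match(line):
            current = {"role": m.group(2), "state": m.group(3).strip(), "ifaces": {}}
            out["hosts"][m.group(1).lower()] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["ifaces"][m.group(1)] = m.group(3)  # e.g. "Normal", "Link Down"
        elif line.startswith("Stateful Failover"):
            in_stats = True
        elif in_stats and (m := STAT_RE.match(line)):
            out["stats"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return out

def findings(p):
    """List symptoms visible in the output; this does not diagnose a cause."""
    peer = p["hosts"].get("other", {"state": None, "ifaces": {}})
    states = set(peer["ifaces"].values())
    checks = [
        (p["mate"] == "Unknown", "mate version unknown"),
        (peer["state"] == "Failed", "peer reported Failed"),
        (states == {"Unknown"}, "peer interfaces all Unknown"),
        (bool(p["stats"]) and not any(map(any, p["stats"].values())), "stateful counters all zero"),
    ]
    return [msg for hit, msg in checks if hit]
```

Feeding it the full output saved from the active unit works the same way; lines it does not recognise are ignored.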
