Help regarding LAN-based Active/Standby failover on pix 7.0

fmatsa
Level 1

Hi,

I wonder why my active/standby failover status shows Waiting. And when I do sh failover state, it failed on "Hello not heard from mate" at standby state (please see attachment)

Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Last Failover at: 02:39:25 MYT Apr 15 2006
        This host: Primary - Active
                Active time: 184985 (sec)
                Interface inside (10.103.1.15): Normal (Waiting)
                Interface outside (210.187.51.2): Normal (Waiting)
                Interface dmz (210.187.51.81): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface inside (0.0.0.0): Normal (Waiting)
                Interface outside (0.0.0.0): Normal (Waiting)
                Interface dmz (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         101718     0          419        0
        sys cmd         419        0          419        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        74719      0          0          0
        UDP conn        21655      0          0          0
        ARP tbl         4928       0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       419
        Xmit Q:         0       2       104936

Is there anything wrong with my configuration?

I'm using LAN-based Active/Standby failover.

I've attached my firewall configuration, sh failover, sh failover state, and sh failover history.


7 Replies

Fernando_Meza
Level 7

by looking at your configs .. the IP addresses for the standby unit are missing .. It should read something like this :

interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

Thanks for your answer. But do I need to put the standby IP on all interfaces (outside, inside, dmz)?

yes and also it is recommended to use a dedicated switch for the LAN interface connection. Also make sure the switch ports where ALL the interfaces are connected are configured as switchport fast.

Could you advise on the static route for the router in front of the firewall? How do I include the standby IP??

-fauzi

you don't need it as the IP addresses are only for failover to work. you only need to make sure the IP addresses (active and standby) are available. When failover occurs the PIXes will change their MAC address and IP addresses and so this change will be transparent for the router ... from its view it only needs to know the IP address of your active PIX.

So, you mean the standby IP is for communication only? For example:

Pix A(Active)

interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

Pix B(Standby)

interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

If Pix A goes down and Pix B becomes active, it will still be using IP address 209.165.201.1 to propagate the traffic, is it?

exactly right !!!
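
An added example, not part of the original thread and not Cisco tooling: a Python check that scans a PIX 7.x-style configuration for named interfaces whose ip address line has no standby address, the problem identified in the replies above. It goes slightly beyond the thread by also flagging a standby address that equals the active one or falls outside its subnet; the function name and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not the poster's attachment). Only the "outside" line
# comes from the thread; the other addresses are documentation-range values.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.240 standby 198.51.100.33
!
"""

# Static addressing only; "ip address dhcp ..." lines are deliberately not matched.
IP_LINE = re.compile(r"^ip address ([\d.]+) ([\d.]+)(?: standby ([\d.]+))?$")

def audit_standby_addresses(config_text):
    """Map nameif -> problem for interfaces with a missing or unusable standby IP."""
    findings = {}
    nameif = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):      # top-level line: a new block begins
            nameif = None
            continue
        line = raw.strip()
        if line.startswith("nameif "):   # assumes nameif precedes ip address
            nameif = line.split()[1]
            continue
        match = IP_LINE.match(line)
        if not (match and nameif):
            continue
        active, mask, standby = match.groups()
        subnet = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby is None:
            findings[nameif] = "no standby address"
        elif standby == active:
            findings[nameif] = "standby equals active address"
        elif ipaddress.ip_address(standby) not in subnet:
            findings[nameif] = f"standby {standby} outside {subnet}"
    return findings
```

Run it against the saved configuration of the primary unit; an empty result means every named interface carries a usable standby address.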
