04-16-2006 02:06 PM - edited 02-21-2020 12:50 AM
Hi,
I wonder why my active/standby failover status shows Waiting. And when I do sh failover state, it failed on "Hello not heard from mate" at the standby state (please see attachment).
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Last Failover at: 02:39:25 MYT Apr 15 2006
    This host: Primary - Active
        Active time: 184985 (sec)
        Interface inside (10.103.1.15): Normal (Waiting)
        Interface outside (210.187.51.2): Normal (Waiting)
        Interface dmz (210.187.51.81): Normal (Waiting)
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        Interface inside (0.0.0.0): Normal (Waiting)
        Interface outside (0.0.0.0): Normal (Waiting)
        Interface dmz (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
    Link : failover GigabitEthernet1 (up)
    Stateful Obj    xmit       xerr       rcv        rerr
    General         101718     0          419        0
    sys cmd         419        0          419        0
    up time         0          0          0          0
    RPC services    0          0          0          0
    TCP conn        74719      0          0          0
    UDP conn        21655      0          0          0
    ARP tbl         4928       0          0          0
    Xlate_Timeout   0          0          0          0
    VPN IKE upd     0          0          0          0
    VPN IPSEC upd   0          0          0          0
    VPN CTCP upd    0          0          0          0
    VPN SDI upd     0          0          0          0
    VPN DHCP upd    0          0          0          0
    Logical Update Queue Information
                    Cur     Max     Total
    Recv Q:         0       2       419
    Xmit Q:         0       2       104936
Is there anything wrong with my configuration?
I'm using LAN-based Active/Standby failover.
I've attached my firewall configuration, sh failover, sh failover state, and sh failover history.
04-16-2006 07:46 PM
By looking at your configs, the IP addresses for the standby unit are missing. It should read something like this:
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
04-16-2006 10:40 PM
Thanks for your answer. But do I need to put a standby IP on all interfaces (outside, inside, dmz)?
04-16-2006 10:54 PM
Yes, and it is also recommended to use a dedicated switch for the LAN interface connection. Also make sure the switch ports where ALL the interfaces are connected are configured as switchport fast.
04-16-2006 11:37 PM
Could you advise on the static route for the router in front of the firewall? How do I include the standby IP?
-fauzi
04-16-2006 11:44 PM
You don't need it, as the IP addresses are only for failover to work. You only need to make sure the IP addresses (active and standby) are available. When failover occurs the PIXes will change their MAC address and IP addresses and so this change will be transparent for the router ... from its view it only needs to know the IP address of your active PIX.
04-17-2006 12:22 AM
So, you mean the standby IP is for communication only? For example:
Pix A (Active)
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
Pix B (Standby)
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
If Pix A goes down and Pix B becomes active, it will still be using IP address 209.165.201.1 to propagate the traffic, is that right?
04-17-2006 12:35 AM
exactly right !!!
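As an added example (not part of the thread and not Cisco tooling), here is a small Python check for the condition identified in the accepted answer and confirmed for every interface in the follow-up. It scans a PIX/ASA-style configuration for named interfaces that lack a `standby` address or whose standby address is unusable; the sample configuration, its masks and the function name `audit_standby_addresses` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the interface syntax shown in the thread.
# Masks and the dmz addresses are assumptions, not the poster's attachment.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
interface Ethernet1
 nameif inside
 ip address 10.103.1.15 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.0.2.1 255.255.255.0 standby 198.51.100.2
"""

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
NAMEIF = re.compile(r"^\s*nameif (\S+)")


def audit_standby_addresses(config_text):
    """Return {interface name: problem} for unusable standby addressing."""
    problems = {}
    name = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            name = line.split()[1]      # hardware name until a nameif is seen
        elif (m := NAMEIF.match(line)):
            name = m.group(1)
        elif (m := IP_LINE.match(line)) and name:
            active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if standby is None:
                problems[name] = "no standby address"
            elif standby == active:
                problems[name] = "standby equals active address"
            elif ipaddress.ip_address(standby) not in net:
                problems[name] = f"standby {standby} outside {net}"
    return problems


if __name__ == "__main__":
    for ifname, problem in audit_standby_addresses(SAMPLE_CONFIG).items():
        print(f"{ifname}: {problem}")
```

An interface flagged here is one whose peer address would show as 0.0.0.0 under "Other host" in the `show failover` output posted at the top of the thread.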