Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help regarding LAN-based Active/Standby failover on pix 7.0

Hi,

I wonder why my active/standby faiover status have waiting. And when I do sh failover state it failed on Hello not heard from mate at standby state (please see attachment)

Failover On

Cable status: N/A - LAN-based failover enabled

Failover unit Primary

Failover LAN Interface: failover GigabitEthernet1 (up)

Unit Poll frequency 1 seconds, holdtime 3 seconds

Interface Poll frequency 15 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

failover replication http

Last Failover at: 02:39:25 MYT Apr 15 2006

This host: Primary - Active

Active time: 184985 (sec)

Interface inside (10.103.1.15): Normal (Waiting)

Interface outside (210.187.51.2): Normal (Waiting)

Interface dmz (210.187.51.81): Normal (Waiting)

Other host: Secondary - Standby Ready

Active time: 0 (sec)

Interface inside (0.0.0.0): Normal (Waiting)

Interface outside (0.0.0.0): Normal (Waiting)

Interface dmz (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics

Link : failover GigabitEthernet1 (up)

Stateful Obj xmit xerr rcv rerr

General 101718 0 419 0

sys cmd 419 0 419 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 74719 0 0 0

UDP conn 21655 0 0 0

ARP tbl 4928 0 0 0

Xlate_Timeout 0 0 0 0

VPN IKE upd 0 0 0 0

VPN IPSEC upd 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 2 419

Xmit Q: 0 2 104936

Is there anything wrong with my configuration?

I'm using LAN-based Active/Standby failover.

I'm attached my firewall configuration, sh failover, sh failover state, and sh failover history.

  • Other Security Subjects
2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

by looking at your configs .. the IP addresses for the standby unit are missing .. It should read something liket this :

interface Ethernet0

nameif outside

ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

exactly right !!!

7 REPLIES

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

by looking at your configs .. the IP addresses for the standby unit are missing .. It should read something liket this :

interface Ethernet0

nameif outside

ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

New Member

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

Thanks for your answer. But do I need to put standby ip on all interface (outside,inside,dmz) ?

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

yes and also it is recommended to use a dedicated switch for the LAN interface connection. Also make sure the switch ports where ALL then interfaces are connected is configured as switchport fast.

New Member

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

Could you advise on the static route for the router infront of the firewall? how do I include the standby ip??

-fauzi

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

you don't need it as the IP addresses in only for failover to work. you only need to make sure the ip addresses (active and standby ) are available. When failover ocurrs the PIXes will change their MAC address and IP addresses and so this change will be transparent for the router ... from its view it only needs to know the ip address of your active PIX.

New Member

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

So, you means the standby ip is for communication only? for example:

Pix A(Active)

interface Ethernet0

nameif outside

ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

Pix B(Standby)

interface Ethernet0

nameif outside

ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2

If Pix A goes down and Pix B becomes active, it will still using ip address 209.165.201.1 to propogate the traffic, is it?

Re: Help regarding LAN-based Active/Standby failover on pix 7.0

exactly right !!!

107
Views
0
Helpful
7
Replies
This widget could not be displayed.