PIX 515 E FAILOVER Bundle issue- urgent help needed

Hi,

I have a PIX 515E with UR bundle and another PIX with FO bundle. I am able to ping the interfaces of the PIX with UR bundle. But the same configuration is not working with FO bundle and I am not able to ping the interfaces. I am attaching the text of both PIX while it boots up and the configurations. Below is the working configuration of UR bundle which I tried on FO bundle, which is not working with it. Any post will be appreciated.

Regds

Binoy

OCSPIX# sh run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname OCSPIX

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

<--- More --->

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.16.1.1 255.255.255.0

ip address inside 192.168.1.5 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

global (outside) 1 172.16.1.2 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.x.x.x.16.1.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

<--- More --->

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.5.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

haithamnofal
Level 3

Hi Binoy,

I see from your configuration that failover is disabled, so you need to enable it by applying the following config on the primary unit. Before you apply it, make sure the failover cable is connected properly between the 2 units:

failover

failover ip address outside 172.16.1.2 255.255.255.0 (Change the address if it's used somewhere else)

failover ip address inside 192.168.1.6 255.255.255.0 (Change the address if it's used somewhere else)

wr mem

wr standby

Run: show failover and look at the summary

Finally, it's better to go to the secondary and do "wr mem".

The configuration above will provide you with configuration replication and failover only. If you want stateful failover, then you need to dedicate an interface between the 2 firewalls and do further configuration to define that interface and configure it.

Hope this helps,

Haitham
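An added example, not part of the original thread or of any Cisco tooling: a small Python check of PIX 6.x failover addressing, run over a constructed sample that combines the posted configuration with the failover addresses suggested in the reply above. The function name `check_failover` and the sample text are assumptions, and only the single-address form of `global` is handled.

```python
import ipaddress
import re

# Constructed sample: relevant lines of the posted PIX 6.3 configuration
# plus the two failover addresses suggested in the reply.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.1.1 255.255.255.0
ip address inside 192.168.1.5 255.255.255.0
failover
failover ip address outside 172.16.1.2 255.255.255.0
failover ip address inside 192.168.1.6 255.255.255.0
global (outside) 1 172.16.1.2 netmask 255.255.255.0
"""

def check_failover(config):
    """Return a list of findings about failover state and standby addresses."""
    active, standby, used, findings = {}, {}, {}, []
    enabled = False
    for line in config.splitlines():
        line = line.strip()
        if line == "failover":                      # "no failover" does not match
            enabled = True
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            active[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
            used[m[2]] = f"ip address {m[1]}"
        elif m := re.match(r"failover ip address (\S+) (\S+)", line):
            standby[m[1]] = ipaddress.ip_address(m[2])
        elif m := re.match(r"global \((\S+)\) \d+ (\d+\.\d+\.\d+\.\d+)", line):
            used[m[2]] = f"global ({m[1]})"       # first address of the pool only
    if not enabled:
        findings.append("failover is disabled")
    for name, iface in active.items():
        addr = standby.get(name)
        if addr is None:
            findings.append(f"{name}: no failover ip address")
        elif addr not in iface.network:             # standby must share the subnet
            findings.append(f"{name}: {addr} is outside {iface.network}")
        elif str(addr) in used:                     # clashes with an address in use
            findings.append(f"{name}: {addr} already used by {used[str(addr)]}")
    return findings

if __name__ == "__main__":
    for finding in check_failover(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the check reports that the suggested outside failover address is the same one the `global (outside)` pool already uses, which is the case the reply's "change the address if it's used somewhere else" note covers.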

Hi Haitham,

Thanks for your reply. My problem is not failover. Can you see the above configuration? The same thing I coded in the FO bundle PIX, and it's not pinging at all.

But the same code is working in UR bundle. I can ping using this configuration. Need your help in this.

Regds

Binoy

Hi Binoy,

You shouldn't apply the same config on the FO bundle unit. All you need to do is to connect the FO cable between the 2 units and apply the FO configurations as I suggested, then turn on the FO unit, which will synchronize the config with the primary.

Once the synchronization is complete, you should be able to ping the secondary unit on the addresses you assigned to it with your failover configuration commands.

HTH,

Haitham

Hi Haitham,

My issue is that right now it's not connected as a FO unit.

As a standalone unit it's not pinging with the above configuration.

Just forget about the failover; as a single unit it's not working, not pinging at all. Please verify the above configuration.

Regds

Binoy

It is a FailOver Unit not a Normal Unit. A failover license will not work as a standalone firewall, unless it is connected to a firewall that has a UR license that has failed, and the UR license firewall is configured to failover to the FO licensed firewall.

AFAIK the FO license will not allow this unit to act as a standalone.

Roger
