I have a PIX 515-E UR-FO bundle running 6.2(2) that's failing over when it shouldn't. Originally I narrowed down the failing over to right after I do a write mem but since then it's happened outside of that scenario as well.
I'm doing stateful failover with the hi-speed serial cable and a crossover cable connecting the 2 PIXs. None of my interfaces are set for "auto" duplexing and the config is < 30k lines. The MTU setting on all interfaces are 1500.
I've also double checked the configuration on my switches that connect to the PIXs and they're as simple as can be so there are no errors. Below is the failover portion of my config, nothing really out of the ordinary though I couldn't find what the "failover timeout 0:00:00" does or means. Also, the primary IP addresses are just .1's.
failover timeout 0:00:00
failover poll 8
failover ip address outside 10.0.0.2
failover ip address inside 10.0.1.2
failover ip address dmz2 10.0.2.2
failover ip address dmz1 10.0.3.2
failover ip address mgmt 10.0.4.2
failover ip address fover 10.0.5.2
failover link fover
Any help would be appreciated. Otherwise, I might have to blow away the configs on both PIXs and start from scratch. Thanks.
One more thing I forgot to mention: I checked all the HW specs and licenses and they're the same on both boxes with the exception of the 3DES license.
I hope this isn't the problem because I specifically asked the CIsco engineer during my license key upgrade on how that would effect failover and he said it wouldn't with the exception of any 3DES IPSEC connections.
I was wondering if you have found a solution to this problem? I have a customer with the same issue. My config looks the same as yours except I have failover poll 15 and I also have these additional commands:
failover lan unit primary
failover lan interface Failover
failover lan key ********
failover lan enable
I am running the same version of code but I don't have the high speed serial cable because the pix's are in seperate buildings.
I would be grateful if you can share anything you have found on this problem.
Greetings. I had the same problem initially and was told it was due to not having Cisco switches on the interfaces. :) Well, once we finally tracked things down, it was due to having ports that we weren't currently using (if3, etc) still up. Once we shutdown these unused interfaces, our failover stopped happing unnecessarily.
I have a failover bundle which is working fine and as far as I can see your configurations look okay. I see two different solutions used in this threat, one with serial failover cable and crossover cable and one without the serial cable with the failover link configured. Both could work, but in your case it doesn't
It is very important to remember that all enabled interfaces use hello packets to determine if both units could reach eachother. If you enable an interface on the primary unit and it is not connect to the network (line protocol down) the primary unit expects to receive hello packets and to see the line protocol up. If it sees the line protocol down or does not receive the hello packets on one of its enabled interfaces it tries to do a failover. I believe this is could be the case for you. Also remember that if you do not need statefull failover there is no need for the crossover cable (can not imagine why you would not have statefull failover, but still).
I'm not sure if a 3DES license on one unit and no license on the other unit could cause problems, but I assume the Cisco engineer knew what he was talking about, so, let's assume it doesn't affect the failover concept.
In the reply of dayar you can also see that enabled interfaces with no connected network is most likely causing this problem.
Have two very good URL's for you, in which failover is discribed in detail. In this documents you will find information about the failover timeout, and also on the hello packets I spoke about in my other reply. The URL's:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...