PIX 525 failover failed-why?

olsonc0510
Level 1

We had a failover last weekend and I can't figure out why it didn't go as it should have. The logs show this sequence of events:

103005 (Secondary) Other firewall reporting failure.

105009 (Secondary) Testing on interface 3 Passed

105003 (Secondary) Monitoring on interface 2 waiting

105003 (Secondary) Monitoring on interface 0 waiting

105003 (Secondary) Monitoring on interface 1 waiting

0=outside

1=inside

2=failsafe

3=CSS-DMZ

According to the log, it appeared that traffic continued after that. However, no one was getting in. When I got to the device, the interfaces were down on the primary but "line" was up. I manually enabled the interfaces again and finally, the secondary took over and went active. After a reboot of the primary, it took back control and all was well. Why didn't failover go through when it was first kicked off?

All I can think of is that something caused the interfaces to go down which included the failsafe interface so the failover couldn't complete. Any ideas?
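The five syslog lines above, together with the interface-number-to-name mapping, can be checked mechanically. The following is an added example (not code from the original post or from Cisco) that parses the lines exactly as they appear in the post, tracks the last reported state of each interface, and flags the condition the poster suspects: the failover link interface (index 2, "failsafe") going to "waiting" after the peer reports a failure. The rule "failover interface in waiting means the takeover cannot complete" encodes the poster's hypothesis, not a documented PIX behaviour; the message IDs and formats used are only the ones shown in the post.

```python
"""Parse the PIX failover syslog excerpt from the post and report the
state of each monitored interface, highlighting the failover link."""
import re
from collections import namedtuple

# Interface index -> name, exactly as given in the post.
IFACE_NAMES = {0: "outside", 1: "inside", 2: "failsafe", 3: "CSS-DMZ"}
FAILOVER_IFACE = 2  # assumption: "failsafe" carries the failover crossover cable

# Constructed sample input: the log lines quoted in the post, same order.
# Only message IDs 103005, 105009 and 105003 appear there; no others are assumed.
SAMPLE_LOG = """\
103005 (Secondary) Other firewall reporting failure.
105009 (Secondary) Testing on interface 3 Passed
105003 (Secondary) Monitoring on interface 2 waiting
105003 (Secondary) Monitoring on interface 0 waiting
105003 (Secondary) Monitoring on interface 1 waiting
"""

Event = namedtuple("Event", "msg_id unit iface state")

# "<6-digit id> (<Primary|Secondary>) <message text>"
LINE_RE = re.compile(
    r"^(?P<id>\d{6})\s+\((?P<unit>Primary|Secondary)\)\s+(?P<rest>.*)$")
# "Monitoring on interface N <state>" / "Testing on interface N <result>"
IFACE_RE = re.compile(
    r"(?:Monitoring|Testing) on interface (?P<iface>\d+)\s+(?P<state>\w+)")


def parse_line(line):
    """Return an Event for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    iface = state = None
    im = IFACE_RE.search(m.group("rest"))
    if im:
        iface = int(im.group("iface"))
        state = im.group("state").lower()
    return Event(m.group("id"), m.group("unit"), iface, state)


def parse_log(text):
    """Parse every recognised line of a log excerpt, skipping the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def interface_states(events):
    """Last reported state per interface, keyed by interface name."""
    states = {}
    for e in events:
        if e.iface is not None:
            states[IFACE_NAMES.get(e.iface, str(e.iface))] = e.state
    return states


def diagnose(events):
    """Return (failover_link_waiting, waiting_ifaces, peer_reported_failure).

    failover_link_waiting is True when the interface assumed to carry the
    failover cable was last seen in the 'waiting' state; under the poster's
    hypothesis that is what stopped the takeover from completing.
    """
    peer_failed = any(e.msg_id == "103005" for e in events)
    states = interface_states(events)
    waiting = sorted(name for name, s in states.items() if s == "waiting")
    link_waiting = states.get(IFACE_NAMES[FAILOVER_IFACE]) == "waiting"
    return link_waiting, waiting, peer_failed


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    link_waiting, waiting, peer_failed = diagnose(evts)
    print("peer reported failure (103005):", peer_failed)
    print("interfaces in 'waiting':", ", ".join(waiting))
    if link_waiting:
        print("failover link interface is 'waiting': the standby has no working "
              "path to its mate, so it cannot complete the takeover")
```

Run against the post's lines, the script reports that the peer announced a failure, that "failsafe", "inside" and "outside" were all left in the waiting state, and that CSS-DMZ was the only interface that passed its test; that matches the poster's observation that the primary's interfaces, including the failover one, were down.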

4 Replies

mgaysek
Level 1

Just a couple of quick thoughts. Can you verify the two firewalls are sync'd?

Do they both share the same switch for those interfaces that failed? Is stateful failover enabled?

I can verify that they are now. However, I just came into this environment so not sure if they were before. From what I understand, a sync doesn't have to be done manually. I can only assume "yes". Stateful failover is enabled and they are on the same switch.

If the switch that joins those interfaces fails, then those interfaces will not be available. When the interface is in monitoring state it means it is waiting for it to come up. I am thinking it was the switch that joins the two firewalls that failed and not the firewall. Here is a doc that discusses the PIX failover.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html

Hope this helps.

Thanks for the info. I may not have been specific enough. They share a switch for incoming traffic, but the failover interfaces are connected via a crossover cable. The traffic that was denied was specific to the firewall. Ironically the failover did go through the entire process once I enabled the interfaces (including the interface that has the crossover cable). I guess the question is, what caused the interfaces to go down including the failover interface? I will test again next downtime. Thanks for your thoughts.
