We have a PIX 515 pair and I configured PIX failover using the failover serial cable, and here is the status when I run the command SH FAILOVER on the Primary
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
This host: Primary - Active
Active time: 70320 (sec)
Interface intf2 (192.168.176.250): Normal
Interface intf3 (10.0.0.1): Link Down (Waiting)
Interface outside (188.8.131.52): Normal
Interface inside (184.108.40.206): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface intf2 (192.168.176.251): Normal
Interface intf3 (10.0.0.2): Link Down (Waiting)
Interface outside (220.127.116.11): Normal (Waiting)
Interface inside (18.104.22.168): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
I have 3 questions regarding the PIX Failover
1) We were using interface 3 (intf3) temporarily and we later unplugged the cable. There is no cable connected to Interface 3 (intf3) on the primary PIX or to the standby PIX. It shows interface gb-ethernet0 "intf3" is up, line protocol is down, which is obvious
My question would be: if I shut down interface 3 (intf3) on the primary PIX, will the interface on the standby also be shut down, or should I manually console to the standby and shut down the corresponding interface? I am not sure how to shut down the interface on both PIXs without any problems.
2) Interface outside (22.214.171.124) on the Standby shows that monitoring is not yet started (waiting). When I check the logs on the standby PIX, I see the following error. I am not sure if I am missing something here.
Jun 6 09:16:14 126.96.36.199 %PIX-2-106016: Deny IP spoof from (188.8.131.52) to 184.108.40.206 on interface outside
Jun 6 09:16:29 220.127.116.11 %PIX-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside
Jun 6 09:16:44 126.96.36.199 %PIX-2-106016: Deny IP spoof from (188.8.131.52) to 184.108.40.206 on interface outside
3) If I want to configure Stateful Failover instead of just the failover using interface 3 (intf3), what is the best way of doing it?
Hi, to answer your first question, you should shut down the interface on the primary PIX, issue a "write mem" or "write standby" command, and the interface will shut down on the standby unit. Question 2, are you using a hub or a switch for the outside interfaces? If you're using a switch, make sure spanning tree is disabled. Can you ping 220.127.116.11 from the primary PIX? Question 3, you're going to need to add an additional Ethernet interface on the primary and standby units. You then cross-connect the interfaces and use the "failover link" command to specify the interface used for stateful failover.
I cannot ping the external interface of the standby, i.e. 18.104.22.168, but am able to do so on the internal interfaces. If the problem is with spanning tree on the switch, how are the internal interfaces able to talk? Any help in this regard is greatly appreciated.
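As an added example (not code from this thread), here is a small Python health check that parses the "show failover" output quoted in the question and flags the two conditions the thread turns on: interfaces on either unit whose state is anything other than Normal (the "Link Down (Waiting)" and "Normal (Waiting)" entries) and a stateful failover link still reported as Unconfigured. It assumes the line format is exactly the one pasted above; the embedded sample is a constructed copy of that output.

```python
import re

# Constructed sample: the per-host part of the "show failover" output from the question.
SAMPLE = """\
This host: Primary - Active
Interface intf2 (192.168.176.250): Normal
Interface intf3 (10.0.0.1): Link Down (Waiting)
Interface outside (188.8.131.52): Normal
Interface inside (184.108.40.206): Normal
Other host: Secondary - Standby
Interface intf2 (192.168.176.251): Normal
Interface intf3 (10.0.0.2): Link Down (Waiting)
Interface outside (220.127.116.11): Normal (Waiting)
Interface inside (18.104.22.168): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

HOST_RE = re.compile(r"^(?:This|Other) host: (\S+) - (\S+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")


def parse_failover(text):
    """Return ({"Primary (Active)": {ifname: (ip, state)}, ...}, stateful_link_state)."""
    hosts, current, link = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()  # the real CLI indents the per-host lines; the post did not
        m = HOST_RE.match(line)
        if m:
            current = f"{m.group(1)} ({m.group(2)})"
            hosts[current] = {}
        elif (m := IFACE_RE.match(line)) and current:
            hosts[current][m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("Link"):
            link = line.split(":", 1)[1].strip().rstrip(".")
    return hosts, link


def failover_findings(text):
    """List every interface not in plain 'Normal' state, plus a missing stateful link."""
    hosts, link = parse_failover(text)
    findings = [f"{host}: {name} ({ip}) is {state}"
                for host, ifaces in hosts.items()
                for name, (ip, state) in ifaces.items()
                if state != "Normal"]
    if link is None or link.lower().startswith("unconfigured"):
        findings.append("stateful failover link is not configured")
    return findings
```

Running `failover_findings(SAMPLE)` on the sample returns four findings: intf3 on both units, the standby's outside interface, and the unconfigured stateful link.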