Cisco Support Community

New Member

PIX Failover Problems

Hello,

I have two PIX515 firewalls. One has a UR license and one has an FO license. I am not using LAN-based Stateful Failover and am running 7.0(2) software.

My problem is that the failover doesn't seem to be working properly. I appear to be able to fail over to the secondary unit fine, but if I do anything at all to the primary unit (which is in Standby according to 'show failover' output), I can no longer pass traffic on the Secondary (now primary) unit.

For instance, if I simply unplug either of the Ethernet interfaces on the Primary, I can no longer ping the default gateway on the inside interface and thus cannot pass traffic through the Active firewall. If I turn off the Primary, I cannot pass traffic through the Active firewall. If I disable failover entirely and disconnect the serial cable, I still cannot do anything to the Primary, or I end up losing connectivity.

From what I can see, everything is configured properly and there aren't really any complicated options to set when configuring failover. The failover config is below:

    failover
    failover polltime unit 1 holdtime 3
    failover polltime interface 3
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 192.168.1.10 255.255.255.240 standby 192.168.1.11
    !
    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 10.200.0.1 255.255.255.248 standby 10.200.0.2

Is there something I'm missing?

4 REPLIES
Cisco Employee

Re: PIX Failover Problems

Hi,

Can you send the output of show failover from both PIX units?

Can you send the output of show interface from both PIX units?

Thanks

Nadeem

New Member

Re: PIX Failover Problems

Sorry for the late response. The output has been attached.

Silver

Re: PIX Failover Problems

Are you doing Serial Cable Based Stateful Failover? If so, make sure the serial cable is connected to the appropriate FW. The ends are marked Primary and Secondary. Next, you need to set up the rest of the failover... like:

    nameif ethernet4 FAILOVER sec50
    interface ethernet4 100full
    ip address FAILOVER 172.16.4.1 255.255.255.0
    failover ip address FAILOVER 172.16.4.2 255.255.255.0
    failover
    failover ip address outside 192.168.1.11
    failover ip address inside 10.200.0.2
    failover link FAILOVER

New Member

Re: PIX Failover Problems

I am not doing stateful failover, as I mentioned in the original post. The cable is plugged in properly. It would generate an error if it wasn't.
