Hi Andrew,

Thanks for your time on this. I have just started working on this network and the pix setup has been in for a few years. Duing my checks of the network I have noticed this failover problem.

The two pix are connected via the failover cable.

The failover config is:

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside XXX.173.100.34

failover ip address inside 172.22.66.141

failover ip address dmz 192.168.67.2

The outside and dmz interface is on VLAN217 (this is hooked up to a 3550 which is directly into the ISP cloud.)

The Inside interfaces are on VLAN66 which is hooked up to a 6509

Any help is great

Hi,

Have you tried a reset? i.e. "failover reset"

HTH

Andrew.

how come your failover IP address is the same IP of your inside interface address?

i did not write this configuration. i have just started working for a company who have this set up in place. do you think i should chage the failover ip address?

I'll try "failover reset" does this have any side affects can I run it on a production system?

Change your failover IP address before reset.

When you do "failover reset" does the interface reset? If yes you can't do that in a production system.

so whats the constrainsts of the failover ip address. there has to be one for each interface i take it, therefore to change the failover ip it must be in the same subnet.

Forgive my ignorance some of this pix stuff is new to me.

Gavin

Hi,

Here's what the manual says:

failover reset

--------------

Force both units back to an unfailed state. Use this command once the fault has

been corrected. The failover reset command can be entered from either unit, but

it is best to always enter commands at the active unit. Entering the failover reset

command at the active unit will ?unfail? the standby unit.

So, the only effect should be to unfail the secondary - if the fault is still there then it'll just fail again.

Whether to run it on a production system depends on many factor, such as what change control system you run, what SLA's are in force, your relationship with the users, etc, etc. I personally think it's safe - but it's not my network ;-)

I noticed that you're not running stateful failover, so if you do have a failover then it'll take at least a minute to recover.

Up to you!

HTH

Andrew.

Hi,

Not sure what the other poster means about ip addresses - they look fine to me.

Andrew.

Hi andrew. What do you think if he changes The failover IP address.

I think Failover IP Address Failover do not need to be in the same subnet of your network. you can use a crossover between them.

Thanks Andrew, thats some excellent advice. There is a change control system, the company provides electronic trading services on the worlds stock exchanges!! so i'll probably have to wait until the trading day is over :).

The pix has three interfaces fa0/0,1,2 i.e. Outside,Inside and DMZ. From what I can see I would need another 802.3 interface connected to a switch in order to do stateful failover. Maybe this would be a good option! Am I right about the fact that I need another interface?

Sorry about all these questions but i've only recently became CCNA!! Respect to all CCIE :)

Could you also tell me how the actual failover interface is addressed in a pix. I thought you should be able to look at it like any interface e.g. show interface s0/0

Version is 6.1

Thanks

Gavin

ok. you have only 3 interfaces.