PIX Failover

Can anyone offer a suggestion for this problem? The secondary device is showing failed. I assume that this is because the hello packets are not being received on the failover interface. I think it may be a static(inside,outside) command. Is there any way of debugging this to find out what's stopping the hello command?

dub1# sh failover

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Primary - Active

Active time: 22538970 (sec)

Interface dmz (192.168.67.1): Normal (Waiting)

Interface outside (217.173.100.33): Normal (Waiting)

Interface inside (172.22.66.140): Normal (Waiting)

Other host: Secondary - Standby (Failed)

Active time: 497700 (sec)

Interface dmz (192.168.67.2): Normal

Interface outside (217.x.100.x): Normal

Interface inside (172.22.66.141): Normal

Stateful Failover Logical Update Statistics

Link : Unconfigured.

18 REPLIES

Re: PIX Failover

Hi,

You don't say whether this is a new install or an existing one which has since failed...

Anyway - this doc gives a lot of detail and help with troubleshooting failovers:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

It's unlikely to be a problem with a static statement because statics are not used as part of the failover process. It could be a problem switch or ports not in a common VLAN or something like that, though.

A diagram and the pix configs might give us more clues...

HTH

Andrew.

New Member

Re: PIX Failover

Hi Andrew,

Thanks for your time on this. I have just started working on this network and the PIX setup has been in for a few years. During my checks of the network I have noticed this failover problem.

The two pix are connected via the failover cable.

The failover config is:

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside XXX.173.100.34

failover ip address inside 172.22.66.141

failover ip address dmz 192.168.67.2

The outside and dmz interface is on VLAN217 (this is hooked up to a 3550 which is directly into the ISP cloud.)

The Inside interfaces are on VLAN66 which is hooked up to a 6509

Any help is great

Re: PIX Failover

Hi,

Have you tried a reset? i.e. "failover reset"

HTH

Andrew.

New Member

Re: PIX Failover

How come your failover IP address is the same IP as your inside interface address?

New Member

Re: PIX Failover

I did not write this configuration. I have just started working for a company who have this setup in place. Do you think I should change the failover IP address?

New Member

Re: PIX Failover

I'll try "failover reset". Does this have any side effects? Can I run it on a production system?

New Member

Re: PIX Failover

Change your failover IP address before reset.

When you do "failover reset" does the interface reset? If yes you can't do that in a production system.

New Member

Re: PIX Failover

So what are the constraints of the failover IP address? There has to be one for each interface, I take it; therefore to change the failover IP it must be in the same subnet.

Forgive my ignorance some of this pix stuff is new to me.

Gavin

Re: PIX Failover

Hi,

Here's what the manual says:

failover reset

--------------

Force both units back to an unfailed state. Use this command once the fault has

been corrected. The failover reset command can be entered from either unit, but

it is best to always enter commands at the active unit. Entering the failover reset

command at the active unit will "unfail" the standby unit.

So, the only effect should be to unfail the secondary - if the fault is still there then it'll just fail again.

Whether to run it on a production system depends on many factors, such as what change control system you run, what SLAs are in force, your relationship with the users, etc, etc. I personally think it's safe - but it's not my network ;-)

I noticed that you're not running stateful failover, so if you do have a failover then it'll take at least a minute to recover.

Up to you!

HTH

Andrew.

Re: PIX Failover

Hi,

Not sure what the other poster means about IP addresses - they look fine to me.

Andrew.

New Member

Re: PIX Failover

Hi Andrew. What do you think if he changes the failover IP address?

New Member

Re: PIX Failover

I think the failover IP address does not need to be in the same subnet as your network. You can use a crossover between them.

New Member

Re: PIX Failover

Thanks Andrew, that's some excellent advice. There is a change control system; the company provides electronic trading services on the world's stock exchanges!! So I'll probably have to wait until the trading day is over :).

The PIX has three interfaces, fa0/0,1,2, i.e. Outside, Inside and DMZ. From what I can see I would need another 802.3 interface connected to a switch in order to do stateful failover. Maybe this would be a good option! Am I right about the fact that I need another interface?

Sorry about all these questions but I've only recently become CCNA!! Respect to all CCIE :)

Could you also tell me how the actual failover interface is addressed in a PIX. I thought you should be able to look at it like any interface, e.g. show interface s0/0

Version is 6.1

Thanks

Gavin

New Member

Re: PIX Failover

OK. You have only 3 interfaces.

New Member

Re: PIX Failover

Yeah, 3 interfaces. I don't think there is any point in spending money on adding a new interface. We are going to move the server farms here to a data center, so the plan will be to use new firewalls... i.e. go with a self-defending network!

Gavin

Re: PIX Failover

Hi Gavin,

Congrats on the CCNA - the first step on a long road!

Regarding how failover works, the absolute best guide is the Cisco configuration guide for the version of software that you're running; a search of CCO should turn this up quickly - there's a whole chapter on configuring failover. If you read that in conjunction with the PIX failover document (link above) then you should have a pretty good idea of how it all works, how to configure it, and what to do if something goes wrong.

In a nutshell, because the PIXes share a config you need a method of giving the standby box a different IP - that method is the "failover ip" command. The standby box knows it's the standby because it has a cable end marked "standby" plugged into it (that's really how it works - the serial cable defines which box is the primary and which is the secondary). The active PIX always has the interface-defined IP and the standby PIX always has the failover IP - they swap IPs in a failover situation.

Your original posting of the show failover command showed that all the PIX hardware looked OK - all the interfaces on both PIXes are up (and the IPs all look fine!), hence the suggestion to try "failover reset". If the LAN interfaces can't send/receive hellos then the standby will just fail again - in that case you need to investigate the connectivity between the LAN interfaces on the boxes.

I notice that you're running 6.1 - that's a real old version, so I'd think about upgrading if at all possible (although you might need more RAM/flash/etc.) - and for the final point about whether you need an extra interface, the answer is a qualified yes. (You can actually configure failover on a data interface, but it's really not recommended, and as of PIX 7.0 the ability to do this is removed.)

off home now..

HTH - please rate posts if useful!

Andrew.
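The `show failover` output in the original post and the active/standby addressing Andrew describes above, as an added example (not from the thread or from Cisco): a small Python parser that flags a failed unit, lists this host's interfaces still marked "(Waiting)" (no hello heard from the peer on that interface yet), and checks that each failover IP differs from the active IP and lies in the same subnet. The sample output, the outside addresses (203.0.113.x) and the subnet masks passed in are constructed, not taken from the poster's network.

```python
import ipaddress
import re

# Constructed sample modelled on the "show failover" output in the original
# post; the outside addresses are made up (203.0.113.x documentation range).
SHOW_FAILOVER = """\
Failover On
This host: Primary - Active
Interface dmz (192.168.67.1): Normal (Waiting)
Interface outside (203.0.113.33): Normal (Waiting)
Interface inside (172.22.66.140): Normal (Waiting)
Other host: Secondary - Standby (Failed)
Interface dmz (192.168.67.2): Normal
Interface outside (203.0.113.34): Normal
Interface inside (172.22.66.141): Normal
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")

def parse_show_failover(text):
    """Map 'This'/'Other' to role, state and {interface: (ip, status)}."""
    units, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            units[current] = {"role": m.group(2), "state": m.group(3), "ifaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            units[current]["ifaces"][m.group(1)] = (m.group(2), m.group(3))
    return units

def failed_units(units):
    """Roles whose state contains 'Failed', e.g. 'Standby (Failed)'."""
    return [u["role"] for u in units.values() if "Failed" in u["state"]]

def waiting_interfaces(units):
    """Interfaces on this host still '(Waiting)': no hello heard from the peer yet."""
    return [n for n, (_, st) in units["This"]["ifaces"].items() if "Waiting" in st]

def check_failover_addresses(units, prefixlens):
    """Standby (failover) IP must differ from the active IP and share its subnet."""
    problems, active = [], units["This"]["ifaces"]
    for name, (standby_ip, _) in units["Other"]["ifaces"].items():
        active_ip = active[name][0]
        net = ipaddress.ip_network(f"{active_ip}/{prefixlens[name]}", strict=False)
        if standby_ip == active_ip or ipaddress.ip_address(standby_ip) not in net:
            problems.append(name)
    return problems
```

Pass the real per-interface masks in `prefixlens`; the sample masks here are assumed /24s.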

New Member

Re: PIX Failover

Thanks again Andrew, I'll take your advice and look forward to upgrading. I purchased the Cisco ASA and PIX Firewall Handbook, which covers 7.0, so I may start migrating the config file piece by piece.

Thanks again for all of your help.

Have a great weekend.

Gav

New Member

Re: PIX Failover

Can you ping Interface inside 172.22.66.141?
