Can anyone offer a suggestion for this problem? The secondary device is showing failed. I assume that this is because the hello packets are not being received on the failover interface. I think it may be a static(inside,outside) command. Is there any way of debugging this to find out what's stopping the hello command?
dub1# sh failover
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 22538970 (sec)
Interface dmz (192.168.67.1): Normal (Waiting)
Interface outside (220.127.116.11): Normal (Waiting)
Interface inside (172.22.66.140): Normal (Waiting)
Other host: Secondary - Standby (Failed)
Active time: 497700 (sec)
Interface dmz (192.168.67.2): Normal
Interface outside (217.x.100.x): Normal
Interface inside (172.22.66.141): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
You don't say whether this is a new install or an existing one which has since failed...
Anyway - this doc gives a lot of detail and help with troubleshooting failovers:
It's unlikely to be a problem with a static statement because statics are not used as part of the failover process. It could be a problem switch or ports not in a common VLAN or something like that though.
A diagram and the pix configs might give us more clues...
Thanks for your time on this. I have just started working on this network and the pix setup has been in for a few years. During my checks of the network I have noticed this failover problem.
The two pix are connected via the failover cable.
The failover config is:
failover timeout 0:00:00
failover poll 15
failover ip address outside XXX.173.100.34
failover ip address inside 172.22.66.141
failover ip address dmz 192.168.67.2
The outside and dmz interfaces are on VLAN217 (this is hooked up to a 3550 which is directly into the ISP cloud.)
The Inside interfaces are on VLAN66 which is hooked up to a 6509
Any help is great
I did not write this configuration. I have just started working for a company who have this set up in place. Do you think I should change the failover ip address?
Change your failover IP address before reset.
When you do "failover reset" does the interface reset? If yes you can't do that in a production system.
So what are the constraints of the failover ip address? There has to be one for each interface, I take it; therefore, to change the failover ip it must be in the same subnet.
Forgive my ignorance, some of this pix stuff is new to me.
Here's what the manual says:
Force both units back to an unfailed state. Use this command once the fault has been corrected. The failover reset command can be entered from either unit, but it is best to always enter commands at the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.
So, the only effect should be to unfail the secondary - if the fault is still there then it'll just fail again.
Whether to run it on a production system depends on many factors, such as what change control system you run, what SLAs are in force, your relationship with the users, etc, etc. I personally think it's safe - but it's not my network ;-)
I noticed that you're not running stateful failover, so if you do have a failover then it'll take at least a minute to recover.
Up to you!
Thanks Andrew, that's some excellent advice. There is a change control system, the company provides electronic trading services on the world's stock exchanges!! So I'll probably have to wait until the trading day is over :).
The pix has three interfaces fa0/0,1,2 i.e. Outside,Inside and DMZ. From what I can see I would need another 802.3 interface connected to a switch in order to do stateful failover. Maybe this would be a good option! Am I right about the fact that I need another interface?
Sorry about all these questions but I've only recently become a CCNA!! Respect to all CCIEs :)
Could you also tell me how the actual failover interface is addressed in a pix. I thought you should be able to look at it like any interface e.g. show interface s0/0
Version is 6.1
Yeah, 3 interfaces. I don't think there is any point in spending money on adding a new interface. We are going to move the server farms here to a data center so the plan will be to use new firewalls... i.e. go with a self defending network!
congrats on the ccna - the first step on a long road!
Regarding how failover works, the absolute best guide is the Cisco configuration guide for the version of software that you're running; a search of CCO should turn this up quickly - there's a whole chapter on configuring failover. If you read that in conjunction with the pix failover document (link above) then you should have a pretty good idea of how it all works, how to configure it, and what to do if something goes wrong.
In a nutshell, because the pixes share a config you need a method of giving the standby box a different ip - that method is the "failover ip" command. The standby box knows it's the standby because it has a cable end marked "standby" plugged into it (that's really how it works - the serial cable defines which box is the primary and which is the secondary). The active pix always has the interface-defined ip and the standby pix always has the failover ip - they swap IPs in a failover situation.
Your original posting of the show failover command showed that all the pix hardware looked ok - all the interfaces on both pixes are up (and the IPs all look fine!) hence the suggestion to try "failover reset". If the lan interfaces can't send/receive hellos then the standby will just fail again - in that case you need to investigate the connectivity between the lan interfaces on the boxes.
I notice that you're running 6.1 - that's a real old version, so I'd think about upgrading if at all possible. (although you might need more ram/flash/etc) - and for the final point about whether you need an extra interface then the answer is a qualified yes. (you can actually configure failover on a data interface, but it's really not recommended and as of pix 7.0 the ability to do this is removed.)
off home now..
HTH - please rate posts if useful!
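As an added example (not part of this thread, and not Cisco's tooling): a small Python script that parses the PIX 6.x "show failover" output quoted at the top of the thread and reports the conditions discussed here - interfaces still marked Waiting on the active unit, the peer marked Failed, and the stateful link unconfigured. It also checks the point raised above about each failover ip needing to sit in the same subnet as the interface's own address. The thread does not give the subnet masks, so a /24 on every interface is an assumption, and the public outside addresses in the sample are replaced with documentation-range placeholders.

```python
import ipaddress
import re

# Constructed sample: the PIX 6.1 "show failover" output quoted at the top of
# the thread, with the public outside addresses replaced by RFC 5737
# documentation placeholders.
SAMPLE_SHOW_FAILOVER = """\
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 22538970 (sec)
Interface dmz (192.168.67.1): Normal (Waiting)
Interface outside (203.0.113.1): Normal (Waiting)
Interface inside (172.22.66.140): Normal (Waiting)
Other host: Secondary - Standby (Failed)
Active time: 497700 (sec)
Interface dmz (192.168.67.2): Normal
Interface outside (203.0.113.2): Normal
Interface inside (172.22.66.141): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.
"""

CABLE_RE = re.compile(r"^Cable status: (.+)$")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)(?: \((\w+)\))?")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?")
LINK_RE = re.compile(r"^Link : (.+?)\.?$")


def parse_show_failover(text):
    """Return cable status, stateful link status and, per host, its unit name,
    state, flag (e.g. Failed) and an interface table keyed by interface name."""
    parsed = {"cable": None, "stateful_link": None, "hosts": {}}
    current = None  # host block the following Interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := CABLE_RE.match(line):
            parsed["cable"] = m.group(1)
        elif m := HOST_RE.match(line):
            which, unit, state, flag = m.groups()
            current = {"unit": unit, "state": state, "flag": flag, "interfaces": {}}
            parsed["hosts"][which.lower()] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            name, ip, status, flag = m.groups()
            current["interfaces"][name] = {"ip": ip, "status": status, "flag": flag}
        elif m := LINK_RE.match(line):
            parsed["stateful_link"] = m.group(1)
    return parsed


def assess(parsed):
    """Turn the parsed output into the findings a reviewer would raise."""
    findings = []
    if parsed["cable"] != "Normal":
        findings.append(f"failover cable status is {parsed['cable']}")
    this_host = parsed["hosts"].get("this", {"interfaces": {}})
    other_host = parsed["hosts"].get("other")
    if other_host and other_host["flag"] == "Failed":
        findings.append(f"peer unit ({other_host['unit']}) is marked Failed")
    # On the active unit, "(Waiting)" means hellos from the peer's interface
    # have not been seen yet; a standby that cannot exchange hellos fails again.
    waiting = sorted(n for n, i in this_host["interfaces"].items() if i["flag"] == "Waiting")
    if waiting:
        findings.append("still Waiting for peer hellos on: " + ", ".join(waiting))
    if parsed["stateful_link"] == "Unconfigured":
        findings.append("stateful failover link is Unconfigured; sessions will not survive a failover")
    return findings


def check_failover_addresses(parsed, prefix_len=24):
    """For each interface, is the standby address (the 'failover ip') in the
    same subnet as the active address? Assumption: /24 on every interface,
    because the thread does not give the masks."""
    this_ifaces = parsed["hosts"]["this"]["interfaces"]
    other_ifaces = parsed["hosts"]["other"]["interfaces"]
    result = {}
    for name, iface in this_ifaces.items():
        net = ipaddress.ip_interface(f"{iface['ip']}/{prefix_len}").network
        peer_ip = other_ifaces.get(name, {}).get("ip")
        result[name] = peer_ip is not None and ipaddress.ip_address(peer_ip) in net
    return result


if __name__ == "__main__":
    state = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    for finding in assess(state):
        print("-", finding)
    print("failover IPs in subnet:", check_failover_addresses(state))
```

Run against the sample it reports the peer as Failed, all three interfaces on the active unit still Waiting for hellos, and the stateful link unconfigured, while all three failover addresses pass the same-subnet check - which matches Andrew's reading that the addressing looks fine and the next thing to look at is LAN connectivity between the two units.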
Thanks again Andrew, I'll take your advice and look forward to upgrading. I purchased the Cisco ASA and PIX Firewall Handbook which covers 7.0 so I may start migrating the config file piece by piece.
Thanks again for all of your help.
Have a great weekend.