Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Silver

PIX Interface in Normal(Waiting) state, and testing continuously

PIX 535, OS 6.3.1

Following a failover we are observing that some of the interfaces on the primary and secondary PIX are in Normal (Waiting) status. In the log, we see that those interfaces are continuously undergoing the testing process.

I know the interface will go into "testing" mode if it donot receive hellos from the other unit within a specified time. The interface status will be "waiting" if the interface receives one hello and is waiting for the second hello.

However what concerns me is that the interfaces are continuously in testing mode, and showing waiting status. Any ideas what could be the problem? Is there some network connectivity issues preventing the hellos from reaching the other units, or has the PIX interface gone bad.

Thanks for any help!!

pixfirewall# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 563565 (sec)

Interface outside (x.x.x.x): Normal

Interface inside (x.x.x.x): Normal

Interface State (x.x.x.x): Normal (Waiting)

Interface XO (x.x.x.x): Normal (Waiting)

Interface DMZ_Web (x.x.x.x): Normal (Waiting)

Interface VPN (x.x.x.x): Normal

Other host: Primary - Standby

Active time: 14400 (sec)

Interface outside (x.x.x.x): Normal

Interface inside (x.x.x.x): Normal

Interface State (0.0.0.0): Normal (Waiting)

Interface XO (0.0.0.0): Normal (Waiting)

Interface DMZ_Web (x.x.x.x): Normal (Waiting)

Interface VPN (x.x.x.x): Normal

2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-104004: (Primary) Switching to OK.

2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 5 waiting

2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 1 waiting

2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 0 waiting

2003-06-26 07:12:59 Kernel.Alert 192.168.31.2 Jun 26 2003 07:12:59: %PIX-1-105008: (Secondary) Testing Interface 4

2003-06-26 07:13:03 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:03: %PIX-1-105009: (Secondary) Testing on interface 4 Passed

2003-06-26 07:13:13 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:13: %PIX-1-104004: (Primary) Switching to OK.

2003-06-26 07:13:13 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:13: %PIX-1-104004: (Primary) Switching to OK.

2003-06-26 07:13:18 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:18: %PIX-1-105008: (Secondary) Testing Interface 4

2003-06-26 07:13:20 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:20: %PIX-1-105009: (Secondary) Testing on interface 4 Passed

2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 5 normal

2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 1 normal

2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 0 normal

2003-06-26 07:13:35 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:35: %PIX-1-105008: (Secondary) Testing Interface 4

2003-06-26 07:13:39 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:39: %PIX-1-105009: (Secondary) Testing on interface 4 Passed

2 REPLIES
Bronze

Re: PIX Interface in Normal(Waiting) state, and testing continuo

Have you plugged any cables on those interface? Lleaving it empty might also be a reason for this behaviour.

New Member

Re: PIX Interface in Normal(Waiting) state, and testing continuo

Assuming that your unconnected interfaces are shut down, I would lean toward a speed mismatch between the hub/switch and the firewall ints. If possible, avoid "auto" on both the hub/switch and the firewall and use fixed values instead.

You also might try simply reseating the cables in question.

403
Views
0
Helpful
2
Replies