Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
491
Views
0
Helpful
4
Replies

PIX LAN based failover

dcheetham
Level 1
Level 1

‎02-11-2003 05:58 AM - edited ‎02-20-2020 10:33 PM

I have two problems around LAN based failover which I would be grateful for help with

I have 2 PIX 535s , 1 with full license, 1 failover license. I have upgraded both IIXs to 6.22 and are configured for LAN based failover, which seems (superficially) to work. Problems are as follows:

1)I'm trying to upgrade PDM on the failover unit but, since the unit is in standby status, the LAN i/fs are inactive and I can't see the TFTP server. Is there any way in which I can update PDM in a PIX in standby mode?

2)If I fail the primary to get around this I can ping the TFTP server from the failover unit for about 1 minute but the then the failover unit goes back to standby status with the remote unit seen as active failed.

0 Helpful
4 Replies 4

b-pelphrey
Level 1
Level 1

‎02-11-2003 10:49 AM

I don't personally have any experience with upgrading, but how are you going about doing your point #2?...how are you failing over. Are you saying it fails over to the failover (making it the primary), but then failing back?? Or does it just die then.

I am just trying to get a better understanding.

Thanks.

0 Helpful

dcheetham
Level 1
Level 1
In response to b-pelphrey

‎02-11-2003 11:11 AM

The failover firewall becomes the primary and then goes back to being secondary, showung the other (powered down) firewall as primary failed

0 Helpful

b-pelphrey
Level 1
Level 1
In response to dcheetham

‎02-11-2003 11:35 AM

Have you ever seen something like this? If you have I apologize if not...

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72f.html#23567

It give a lot of good information on different types of failover configs. It sounds very strange that your FO becomes inactive after 1min or so. Maybe check your config against some of these examples to see if you aren't missing something small.

As far as upgrading, this to me seems to be one of the concerns I have about the PIXs (unless I am missing something). But because you have to have all the same images and everything on both units it seems that you have to truly bring one of them off line and upgrade, then put that back in, and bring the other off line and upgrade, and then put back into FO mode. I personally would like to be able to do them while they were inline....that is just me.

I hope this helps out a little....

0 Helpful

c-dudley
Level 1
Level 1

‎02-11-2003 11:22 AM

Just a quick suggestion.

Why don't you open a connection to the failover ip address inside? When you connect to that address you are actually talking the the standby PIX.

Couldn't you tftp the pdm image up image up to the standby PIX that way?

I could be wrong, but I think that should work.

chris

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card