Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

[pix transparent mode failover]

i'm testing failover with transparent mode and it seems to work fine when the active box goes down.

but i've been wondering if a 'monitor-interface' scenario is supposed to work with transparent mode. i actually tested this and it doesn't.

what i would like to happen is that if i have an active/standby pix scenario in transparent mode; when i disconnect (say) the outside interface, the active pix detects the 'link down'. i was hoping this would cause a failover event from active to standby, but it doesn't.

i'm aware that a monitor-interface scenario is somewhat L3 based, so a pix routed mode comes in handy. but i've been trying to get this to work and the active pix, just won't failover when in transparent mode.

anybody have an answer on this issue?



New Member

Re: [pix transparent mode failover]

Do you have a copy of your config? Failover is possible in transparent mode. I suspect something in your failover config is not setup correctly.

New Member

Re: [pix transparent mode failover]

my config only has the the basic failover commands and monitor interface commands. please keep in mind that in routed mode, failover works properly. i'm particularly interested in failover caused by an interface going down, instead of the whole active pix.

here's the config, thanks a lot!

firewall transparent



interface Ethernet0

description out

speed 100

duplex full

nameif outside

security-level 0


interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100


interface Ethernet2

description LAN/STATE Failover Interface



hostname PIX


boot system flash:/pix702.bin

ftp mode passive

access-list inside extended permit ip any any

access-list outside extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address


failover lan unit primary

failover lan interface folink Ethernet2

failover polltime interface 3

failover interface-policy 50%

failover link folink Ethernet2

failover interface ip folink standby

monitor-interface outside

monitor-interface inside

no asdm history enable

arp timeout 14400

access-group outside in interface outside

access-group inside in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet outside

telnet inside

telnet timeout 5

ssh outside

ssh inside

ssh timeout 5

console timeout 0


New Member

Re: [pix transparent mode failover]

You have the line:

failover interface-policy 50%

This means that 50% of the interfaces need to go down to achieve a failover. I think this is your issue. Change this to:

failover interface-policy 1

...or just remove the line since the default is to failover on one interface failure.

Let me know how this works for you. Rate if it works and solves your issue!

New Member

Re: [pix transparent mode failover]

actually, dennt. this is an old configuration capture (i didn't have one with all the things i've tried).

i have used that command you suggested.

i also tried 'failover interface-policy 1%'.

i might open a case and see what the tac has to say about it.

thanks a lot!


New Member

Re: [pix transparent mode failover]

the proble with thsi config is you are missing the secondary manangement address

the command

ip address

should be

ip address standby

the will be the failover ip address from the secondary firewall.

The failover policy command determine when to trigger failover.


New Member

Re: [pix transparent mode failover]

also do not forget to add a default route

route outside 0 0 (if thei is you default route)

Note the management ip addresses and the default route must be in the same network .

eg from your config network