I have a set of 520's that I had Stateful Failover running fine on. I upgraded to 6.3 code and moved from conduits to access-list. Now I can't seem to get failover to work properly again. When I bring up the Secondary unit everything checks out fine except the stateful interface stays in (waiting) mode then after the polling period it takes over as active unit. Then they repeat and the Primary takes over after the 30 seconds or whatever it is. I got two new 515's in and I am getting the same thing with these. I have it configured the same way as I did when it was working. Am I missing something new in 6.3? I did it just like it says in the documentation. I'm lost here...HELP
How are your stateful failover links defined and connected? Direct between pixes using cross-over cable or thru a layer 2/3 switch? Also is the pix interface configured for failover a dedicated interface? And how is that interface configured for duplex and speed settings?
Did you notice anything interesting in the logs of the pixes with regards to failover or interface operation?
Thanks for your quick reply. I have a direct connection between them with a crossover cable. The interface is dedicated, and I have it configured as the failover link stateful (interface name is stateful). I have an IP of 127.0.0.5 for the active, 127.0.0.6 for the failover interface. I used to have it set at auto, but then when I upgraded it I changed it to 100full. I then tried going back to auto, just to see if that was doing it even though I know it is recommended to be at 100full. Either way it did the same thing. On the new firewalls that I am testing on I am getting a "110001: no route to 127.0.0.6 from 127.0.0.5" error. Which I thought maybe I found it!! But being that the stateful interface is assigned to that network I shouldn't have to put a route statement in, and even when I try to it doesn't show up in the config and it still gives me the same error. Do you think it might have something to do with that IP? It worked before with that one, but maybe 6.3 is different?
Well I have now changed the IP on the stateful interface to a 172.16 address instead of the 127.0.0.0 address, and it is now working fine. Does anyone know if there is a problem now with using the 127.x.x.x address for the stateful interface?
The 127.0.0.X network is considered a bogon (bogus outside network) address space. Based on your descriptions, I would guess that we added some changes to later code to prevent the use of 127.0.0.X addresses on interfaces. In general, it is required that you assign routable addresses to each interface on the 2 failover PIX's. Each interface does need to send packets to the like interface on the opposite PIX. Hope this helps.
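A pre-deployment check for the condition discussed in this thread, as an added example that is not part of any post: it reads PIX 6.x-style `ip address` and `failover ip address` lines and flags interfaces whose active or standby address falls in 127.0.0.0/8. It goes slightly beyond the thread by also flagging a missing standby address or a standby address outside the active interface's subnet. The sample config is constructed; only the two 127.0.0.x addresses come from the thread, and the netmask is assumed.

```python
import ipaddress
import re

# Constructed sample; only 127.0.0.5 / 127.0.0.6 are from the thread (mask assumed).
SAMPLE_CONFIG = """\
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 127.0.0.5 255.255.255.0
failover ip address outside 192.0.2.2
failover ip address inside 10.1.2.2
failover ip address stateful 127.0.0.6
failover link stateful
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
ACTIVE_RE = re.compile(rf"^ip address (\S+) {QUAD} {QUAD}$")
STANDBY_RE = re.compile(rf"^failover ip address (\S+) {QUAD}$")


def check_failover_addresses(config_text):
    """Return a sorted list of (interface, problem) tuples."""
    active, standby, problems = {}, {}, []
    for line in config_text.splitlines():
        line = line.strip()
        m = ACTIVE_RE.match(line)
        if m:
            # ip_interface accepts "address/netmask" notation
            active[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = STANDBY_RE.match(line)
        if m:
            standby[m.group(1)] = ipaddress.ip_address(m.group(2))
    for name, iface in active.items():
        peer = standby.get(name)
        if peer is None:
            problems.append((name, "no failover ip address configured"))
            continue
        for label, addr in (("active", iface.ip), ("standby", peer)):
            if addr.is_loopback:
                problems.append((name, f"{label} address {addr} is in 127.0.0.0/8"))
        if peer not in iface.network:
            problems.append((name, f"standby {peer} is outside {iface.network}"))
    return sorted(problems)


if __name__ == "__main__":
    for name, problem in check_failover_addresses(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```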