Cisco Support Community
New Member

Pix keeps failing over

What type of logging should I turn on to find out why my PIX 515 version 6.3.4 keeps failing over?

Here are the logs I have so far:

104002: (Primary) Switching to STNDBY - switch to failed state

104003: (Primary) Switching to FAILED.

105009: (Primary) Testing on interface 1 Failed

105003: (Primary) Monitoring on interface 0 waiting

104004: (Primary) Switching to OK.

105003: (Primary) Monitoring on interface 1 waiting

105004: (Primary) Monitoring on interface 1 normal

105004: (Primary) Monitoring on interface 0 normal

105005: (Primary) Lost Failover communications with mate on interface 0

105008: (Primary) Testing Interface 0

103003: (Primary) Other firewall network interface 0 failed.

104001: (Primary) Switching to ACTIVE - mate interface failed.

105009: (Primary) Testing on interface 0 Passed

305006: portmap translation creation failed for protocol 50 src inside:7.x.x.x dst outside:67.x.x.x

305005: No translation group found for icmp src outside:64.x.x.x dst inside:204.x.x.x (type 8, code 0)

305005: No translation group found for icmp src outside:64.x.x.x dst inside:204.x.x.x (type 8, code 0)

305005: No translation group found for icmp src outside:64.x.x.x dst inside:204.x.x.x (type 8, code 0)

305006: portmap translation creation failed for protocol 50 src inside:7.4.92.100 dst outside:67.70.238.26

105003: (Primary) Monitoring on interface 1 waiting

105003: (Primary) Monitoring on interface 0 waiting

305006: portmap translation creation failed for protocol 50 src inside:7.x.x.x dst outside:67.x.x.x

105004: (Primary) Monitoring on interface 1 normal

105004: (Primary) Monitoring on interface 0 normal

I also have a syslog going and am seeing messages like:

Deny IP Spoof from (0.0.0.0) to 204.x.x.x on interface outside

and

Deny IP due to Land Attack from 204.5.5.1 to 204.5.5.1

Any help would be great.

2 REPLIES
Bronze

Re: Pix keeps failing over

From the log messages it looks like you're having problems on the Ethernet 0 interface (usually this is the outside interface), so I'd suggest you focus your attention there. This sort of problem is usually caused by physical or configuration issues on the LAN infrastructure between the two PIXes. For example, are the speed and duplex settings hard coded on the PIX interfaces and the switches they're connected to? If you have Cisco switches, have you configured the ports appropriately? Here's Cisco's recommendation:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm#wp1060018

What do the logs from the other PIX say? Anything specific about e0? While it would be possible for an attack to cause connectivity problems between your PIX outside interfaces, I'd expect to see a lot of syslog messages instead of a few, so I'd look more at the Layer 1, 2, and 3 aspects of your LAN infrastructure on the outside interfaces.

Good luck!

Dana
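
Added example, not part of the original posts: a small Python script that pulls the failover messages out of a log capture, lists the state transitions in order, and counts fault reports per interface number, so a flapping interface stands out from unrelated 305xxx noise. The sample lines are copied from the question above; the function name and the choice of which message texts count as a fault are assumptions made for this example.

```python
import re
from collections import Counter

# Log lines copied from the question in this thread (one 305006 line kept as noise).
SAMPLE = """\
104002: (Primary) Switching to STNDBY - switch to failed state
104003: (Primary) Switching to FAILED.
105009: (Primary) Testing on interface 1 Failed
105003: (Primary) Monitoring on interface 0 waiting
104004: (Primary) Switching to OK.
105003: (Primary) Monitoring on interface 1 waiting
105004: (Primary) Monitoring on interface 1 normal
105004: (Primary) Monitoring on interface 0 normal
105005: (Primary) Lost Failover communications with mate on interface 0
105008: (Primary) Testing Interface 0
103003: (Primary) Other firewall network interface 0 failed.
104001: (Primary) Switching to ACTIVE - mate interface failed.
105009: (Primary) Testing on interface 0 Passed
305006: portmap translation creation failed for protocol 50 src inside:7.x.x.x dst outside:67.x.x.x
"""

# Failover messages carry a "(Primary)" or "(Secondary)" unit tag after the ID.
LINE = re.compile(r"(?P<id>\d{6}): \((?P<unit>Primary|Secondary)\) (?P<text>.*)")
IFACE = re.compile(r"[Ii]nterface (\d+)")
STATE = re.compile(r"Switching to (\w+)")
# Assumption for this example: these message texts indicate an interface fault.
FAULT = re.compile(r"Lost Failover communications|interface \d+ failed"
                   r"|Testing on interface \d+ Failed")

def summarize(log_text):
    """Return (ordered state transitions, fault count per interface number)."""
    transitions, faults = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # lines without a unit tag (e.g. 305005/305006) are skipped
        text = m["text"]
        state = STATE.search(text)
        if state:
            transitions.append((m["unit"], state.group(1)))
        iface = IFACE.search(text)
        if iface and FAULT.search(text):
            faults[int(iface.group(1))] += 1
    return transitions, faults

if __name__ == "__main__":
    transitions, faults = summarize(SAMPLE)
    print("transitions:", " -> ".join(state for _, state in transitions))
    for iface, count in sorted(faults.items()):
        print(f"interface {iface}: {count} fault message(s)")
```

Running the same function over the log from the other unit gives the mate's view of the same events for comparison.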

New Member

Re: Pix keeps failing over

Hi Dave,

We are facing exactly the same issue that you faced regarding the PIX failing over continuously. We also have the same logs that you were getting. How did you manage to solve the issue?
