https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495741#M530044 <HTML><HEAD></HEAD><BODY><P>Are you doing Serial Cable Based Stateful Failover? If so, make sure the serial cable is connected to the appropriate FW. The ends are marked Primary and Secondary. Next, you need to setup the rest of the failover... like:</P><P></P><P>nameif ethernet4 FAILOVER sec50</P><P>interface ethernet4 100full</P><P>ip address FAILOVER 172.16.4.1 255.255.255.0</P><P>failover ip address FAILOVER 172.16.4.2 255.255.255.0</P><P></P><P></P><P>failover</P><P>failover ip address outside 192.168.1.11</P><P>failover ip address inside 10.200.0.2</P><P>failover link FAILOVER</P></BODY></HTML> Thu, 01 Dec 2005 23:08:32 GMT jwalker 2005-12-01T23:08:32Z https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495739#M530040 <P>Hello,</P><P>I have two PIX515 firewalls. One has a UR license and one has an FO license. I am not using LAN-based Stateful Failover and running 7.0(2) software.</P><P></P><P>My problem is that the failover doesn't seem to be working properly. I appear to be able to failover to the secondary unit fine, but if I do anything at all to the primary unit (which is in Standby according to 'show failover' output), I can no longer pass traffic on the Secondary (now primary) unit.</P><P></P><P>For instance - if I simply unplug either of the ethernet interfaces on the Primary, I can no longer ping the default gateway on the inside interface and thus cannot pass traffic through the Active firewall. If I turn off the Primary, I cannot pass traffic through the Active firewall. If I disable failover entirely and disconnect the serial cable, I still cannot do anything to the Primary, or I end up losing connectivity.</P><P></P><P>From what I can see, everything is configured properly and there's not really any complicated options to set when configuring failover. The failover config is below:</P><P></P><P>failover</P><P>failover polltime unit 1 holdtime 3</P><P>failover polltime interface 3</P><P>!</P><P>interface Ethernet0</P><P> speed 100</P><P> duplex full</P><P> nameif outside</P><P> security-level 0</P><P> ip address 192.168.1.10 255.255.255.240 standby 192.168.1.11 </P><P>!</P><P>interface Ethernet1</P><P> speed 100</P><P> duplex full</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.200.0.1 255.255.255.248 standby 10.200.0.2 </P><P></P><P>Is there something I'm missing?</P> Fri, 21 Feb 2020 08:33:49 GMT https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495739#M530040 evantol 2020-02-21T08:33:49Z https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495740#M530042 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>can you send output of show failover from both pix</P><P>can you send output of show interface from both pix</P><P></P><P>thanks</P><P>Nadeem</P></BODY></HTML> Thu, 01 Dec 2005 22:15:32 GMT https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495740#M530042 nkhawaja 2005-12-01T22:15:32Z https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495741#M530044 <HTML><HEAD></HEAD><BODY><P>Are you doing Serial Cable Based Stateful Failover? If so, make sure the serial cable is connected to the appropriate FW. The ends are marked Primary and Secondary. Next, you need to setup the rest of the failover... like:</P><P></P><P>nameif ethernet4 FAILOVER sec50</P><P>interface ethernet4 100full</P><P>ip address FAILOVER 172.16.4.1 255.255.255.0</P><P>failover ip address FAILOVER 172.16.4.2 255.255.255.0</P><P></P><P></P><P>failover</P><P>failover ip address outside 192.168.1.11</P><P>failover ip address inside 10.200.0.2</P><P>failover link FAILOVER</P></BODY></HTML> Thu, 01 Dec 2005 23:08:32 GMT https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495741#M530044 jwalker 2005-12-01T23:08:32Z https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495742#M530046 <HTML><HEAD></HEAD><BODY><P>I am not doing stateful failover, as I mentioned in the original post. The cable is plugged in properly. It would generate an error if it wasn't.</P></BODY></HTML> Fri, 02 Dec 2005 01:52:54 GMT https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495742#M530046 evantol 2005-12-02T01:52:54Z https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495743#M530048 <HTML><HEAD></HEAD><BODY><P>Sorry for the late response. The output has been attached.</P><P></P><P> </P><P></P></BODY></HTML> Wed, 07 Dec 2005 23:32:26 GMT https://community.cisco.com/t5/network-security/pix-failover-problems/m-p/495743#M530048 evantol 2005-12-07T23:32:26Z