topic Re: Pix 6.2 (failover to primary) in Network Security

Pix 6.2 (failover to primary)

vikrantarora — Fri, 21 Feb 2020 06:34:31 GMT

I recently joined a company where PIX firewall is installed. but the active link on failover is red , i want to make the primary pix as active. how do i do it?

Re: Pix 6.2 (failover to primary)

steve.barlow — Fri, 21 Feb 2003 18:14:46 GMT

Use the 'failover active' command to initiate a failover switch from the standby unit (or the 'no failover active' command from the active unit to initiate a failover switch). You can use this feature to return a failed unit to service, or to force an active unit off line for maintenance. Because the standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.

Verify with 'show failover' to make sure who is active.

Hope it helps.

Steve

Re: Pix 6.2 (failover to primary)

vikrantarora — Fri, 21 Feb 2003 20:33:40 GMT

steve,

thanks for the command. but I have another problem. I have 2 pix firewalls, let's say 'F' and 'P'.

The ip address of F is f.f.f.f and the ip address of P is p.p.p.p.

When I telnet into F and do config t , I get the following message:

Pix-Admin1# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

When I telnet into P and do show failover I get

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 375 (sec)

Interface statefailover (3.3.3.1): Normal

Interface none2 (2.2.2.2): Link Down (Shutdo

Interface statefailover:5 (1.1.1.1): Link Do

Other host: Primary - Standby

Active time: 960 (sec)

Interface statefailover (3.3.3.2): Normal

Interface none2 (0.0.0.0): Link Down (Shutdo

Interface statefailover:5 (0.0.0.0): Link Do

I did " no failover active" and made the primary active. but I cant do config t on F. why so? and how do I synchronize the 2 firewalls and get rid of the warning.

Re: Pix 6.2 (failover to primary)

steve.barlow — Mon, 24 Feb 2003 14:13:46 GMT

F is your standby and P is your active. You shouldn't enter config changes on your standy, only your active. But your F is designated as your primary, so if you want to make it the active PIX again either enter the 'no failover active' command on the secondary unit (to switch service to the primary) or the 'failover active' command on the primary unit. Ideally you want F to be primary and active, and P to be secondary and standby. Then you will be in synch and won't see that error (if you make changes on F only, and when it is the primary active PIX).

Steve

Re: Pix 6.2 (failover to primary)

vikrantarora — Mon, 24 Feb 2003 16:42:44 GMT

Steve,

Lets start from the beginning, as i think there is some confusion in the terminology or understanding at my part:

Telnet 192.xxx.xxx.190 i.e labelled 'Primary' and is active at the moment:

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Primary - Active

Active time: 237690 (sec)

Interface statefailover (3.3.3.1): Normal

Other host: Secondary - Standby

Active time: 0 (sec)

Interface statefailover (3.3.3.2): Normal

*******************************************

Telnet 192.xxx.xxx.180 i.e labelled 'Failover' and is not active at the

moment:

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Standby

Active time: 0 (sec)

Interface statefailover (3.3.3.2): Normal

Other host: Primary - Active

Active time: 237840 (sec)

Interface statefailover (3.3.3.1): Normal

**********************************

Chnaging any config'n or doing 'config t' on 192.xxx.xxx.180 gives the following error:

Pix-Admin1(config)# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

Both consoles hang now!!

*******************************

I telnet again, do a 'no failover active' at 192.xxx.xxx.190. Window closes after some time on its own.

*****************************

I telnet again into 192.xxx.xxx.190 and do 'sh fail' and get:

Pix-Admin1# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 180 (sec)

Interface statefailover (3.3.3.1): Normal

Other host: Primary - Standby

Active time: 238050 (sec)

Interface statefailover (3.3.3.2): Normal

*********************************

I telnet into 192.xxx.xxx.180 and do 'sh fail' and get:

Pix-Admin1# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Primary - Standby

Active time: 238050 (sec)

Interface statefailover (3.3.3.2): Normal

Other host: Secondary - Active

Active time: 285 (sec)

Interface statefailover (3.3.3.1): Normal

****************************

But still, Chnaging any config'n or doing 'config t' on 192.xxx.xxx.180 gives the following error:

Pix-Admin1# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

***************************

DOUBTS!

From my observation, 'THIS HOST' and 'OTHER HOST' chnage from primary to secondary and vice verca. So, we should not label one of the firewalls as 'Primary' and How do I make sure that primary is failover and active?

Secondly, how do I rmeove the Warning I keep geeting on 192.xxx.xxx.180?

Why do we give no failover active on priamry and failover active active on

standby only? I my case I can not give any command on 192.xxx.xxx.180?

Appreciate your help and patience!

Re: Pix 6.2 (failover to primary)

kagodfrey — Mon, 24 Feb 2003 18:34:08 GMT

There seems to be some confusion with primary, secondary, active and standby. In your scenario, it is which ever pix is 'active' that will always have the .190 address, whether it is the primary or secondary, and similarly, the 'standby' pix will always take the .180 address. It is the 'active' pix you need to configure, not the 'standby', as the standby unit will not replicate changes to the active unit, and this is the error you are seeing. You need to telnet to the 190 address in order to configure the pair.

Hope that helps

Re: Pix 6.2 (failover to primary)

vikrantarora — Tue, 25 Feb 2003 18:50:23 GMT

Thank you very much for sharing that information.

Please dont reply if i am right in saying that i can , under no circumstances , configure the .180 pix directly. it has to pick up configuration from primary which i can force by " wr standby" command on the .190 pix

Thanks!

vikrant