https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108345#M894863 <P>Hi,</P><P></P><P>I have a pair of Pix's configured for failover and stateful sync, but i have discovered that the sync is not working, after some investigation it looks like one of the FW's has had its interface assigned to the wrong VLAN.</P><P></P><P>So the fix is to assign the interface into the correct vlan, I wanted to know if there was any potential serivce impact when this happens, ie when the sync gets connected and starts working ?</P><P></P><P>Appreciate any thoughts</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 13:59:32 GMT stuart.jones 2019-03-11T13:59:32Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108345#M894863 <P>Hi,</P><P></P><P>I have a pair of Pix's configured for failover and stateful sync, but i have discovered that the sync is not working, after some investigation it looks like one of the FW's has had its interface assigned to the wrong VLAN.</P><P></P><P>So the fix is to assign the interface into the correct vlan, I wanted to know if there was any potential serivce impact when this happens, ie when the sync gets connected and starts working ?</P><P></P><P>Appreciate any thoughts</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 13:59:32 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108345#M894863 stuart.jones 2019-03-11T13:59:32Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108346#M894864 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I suggets you posting the output of 'show failover'to be sure .. however by the sound of it, you should not have any major issues. At the moment the current Active firewall must be forwarding packets and also monitoring the status of the standby firewall's interfaces. Once the status is normal, the failover relation will be completed and the configuration will be 'pushed' from Active to Standby. It is unlikely that traffic flow will be affected.</P><P></P><P>Please rate helpful posts !!!</P><P></P><P></P></BODY></HTML> Mon, 20 Oct 2008 02:07:48 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108346#M894864 Fernando_Meza 2008-10-20T02:07:48Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108347#M894866 <HTML><HEAD></HEAD><BODY><P>Just make sure you take a backup of the configuration. Sometimes both units think they are active and it can erase the configuration on the desired primary unit. An easy way to make sure this does not happen is to 'ping' the other units failover interface before enabling 'failover' on both sides. And also making sure you have the correct boxes assigned as primary/secondary.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 20 Oct 2008 06:04:30 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108347#M894866 Farrukh Haroon 2008-10-20T06:04:30Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108348#M894868 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Attached is the output of the 'show failover' from both firewalls.</P><P></P><P>Also was concerned if the IP address configured on the 'spare' interface on one of the units will cuase any issues even though the interface is shutdown ?</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Mon, 20 Oct 2008 18:24:03 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108348#M894868 stuart.jones 2008-10-20T18:24:03Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108349#M894869 <HTML><HEAD></HEAD><BODY><P>Whichever interfaces you are not using you can disable failover monitoring for it using:</P><P></P><P>no monitor-interface <NAME> command.</NAME></P><P></P><P>Also it seems there is a communication problem on the stateful failover link. Can you ping both ends (active/stanby IPs)?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 21 Oct 2008 02:10:16 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108349#M894869 Farrukh Haroon 2008-10-21T02:10:16Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108350#M894870 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>It is the stateful link that is th elink which has been assigned to different vlans either end, and is the one i was intending to change to the correct vlan and was wondering if this would cause me the issues.</P><P></P><P>As for the ping, no i cannot ping either stateful interface from either FW.</P><P></P><P>Thanks again</P></BODY></HTML> Tue, 21 Oct 2008 17:28:50 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108350#M894870 stuart.jones 2008-10-21T17:28:50Z https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108351#M894871 <HTML><HEAD></HEAD><BODY><P>No this will hopefully cause no issues. Once you set both to the same VLAN the ping should work.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 22 Oct 2008 06:32:36 GMT https://community.cisco.com/t5/network-security/pix-sync-connection/m-p/1108351#M894871 Farrukh Haroon 2008-10-22T06:32:36Z