
Cisco Pix 515 failover how to know the cause of the fail

sistemas100
Level 1

Hello All,

We have two 515 units in a failover configuration.

Since last Thursday we have been having problems with our PIXes.

The primary unit fails and then the standby works.

We need to know what the real cause of the problem is.

We have configured logging, and when we check the syslog messages we can't find anything important.

Our version is 6.3(5).

Can anybody help us?

If you need more information, please tell me.

Thanks in advance.

Martin.

4 Replies

gurpsin2
Level 1

Hi Martin,

Can you paste the outputs of "show failover" and "show failover history" from both units?

Regards

Gurpreet

Hello Gurpreet,

Here is the sh failover, but my PIX doesn't work with sh failover history.

This morning we had the same problem and I have seen excessive CPU usage.

What can we check?

Thanks.

Martin

FWPERIMETRO# sh failover

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

Last Failover at: 07:24:14 GMT+1 Tue Sep 11 2012

       This host: Secondary - Standby (Failed)

               Active time: 2190 (sec)

               Interface inside (172.17.4.33): Normal

               Interface internet (195.55.225.101): Normal

               Interface failover (192.168.254.254): Link Down (Waiting)

               Interface dmz-2 (dmz-2-pix-sec): Normal

                Interface wandas (10.132.0.17): Normal

               Interface dmz (172.23.4.254): Normal

       Other host: Primary - Active

               Active time: 72000 (sec)

               Interface inside (172.17.4.122): Normal

               Interface internet (195.55.225.98): Normal

               Interface failover (192.168.254.253): Link Down (Waiting)

               Interface dmz-2 (195.76.142.185): Normal

               Interface wandas (10.132.0.18): Normal

               Interface dmz (172.23.4.2): Normal

Stateful Failover Logical Update Statistics

       Link : internet

       Stateful Obj   xmit       xerr       rcv       rerr

       General         10121     0         1480322   0

       sys cmd         9561       0         9793      0

       up time         0         0         2         0

       xlate           3         0         263       0

       tcp conn       557       0         1470264   0

       udp conn       0         0         0         0

       ARP tbl         0         0         0         0

       RIP Tbl         0         0         0         0

       Logical Update Queue Information

                       Cur     Max     Total

       Recv Q:         0       1       337236

        Xmit Q:         0       1       9679

Hello Martin,

Since you are running 6.3.5, "show fail his" will not work on PIX/ASA due to the older version. Anyway, from the show failover output, it seems the failover link itself is down, which needs to be worked upon.

Are you able to ping 192.168.254.254 from the active unit or 192.168.254.253 from the standby? I am assuming the failover link is directly connected between both units, so can you check whether the cable is connected correctly? If yes, then I would need the output of "show interface".

Now, since the failover link is down, the configuration from the active unit cannot be replicated to the standby unit since it is in a failed state, so failover will not work until the failover link is up again.

Did you also see high CPU on the primary active unit? What was the CPU usage and did it cause the failover? If yes, then at what time were the above failover outputs collected, I mean before the issue or after the issue?

Regards

Gurpreet
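
Added example, not part of the original posts and not Cisco tooling: a small Python parser for the "show failover" text layout pasted in this thread, which lists each unit's state and every monitored interface whose status is not "Normal". The sample is an excerpt of the output posted above; the function names are hypothetical.

```python
import re

# Excerpt of the "sh failover" output posted in this thread.
SAMPLE = """\
Failover On
Cable status: Normal
Last Failover at: 07:24:14 GMT+1 Tue Sep 11 2012
       This host: Secondary - Standby (Failed)
               Active time: 2190 (sec)
               Interface inside (172.17.4.33): Normal
               Interface failover (192.168.254.254): Link Down (Waiting)
       Other host: Primary - Active
               Active time: 72000 (sec)
               Interface inside (172.17.4.122): Normal
               Interface failover (192.168.254.253): Link Down (Waiting)
"""

# "This host: <role> - <state>" and "Interface <name> (<addr>): <status>"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\):\s*(.+?)\s*$")

def parse_show_failover(text):
    """Return {role: {"state": str, "interfaces": {name: (addr, status)}}}."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = units.setdefault(m.group(2), {"state": m.group(3), "interfaces": {}})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return units

def findings(units):
    """List each unit reported as Failed and each interface that is not Normal."""
    out = []
    for role, unit in units.items():
        if "Failed" in unit["state"]:
            out.append(f"{role} unit state: {unit['state']}")
        for name, (addr, status) in unit["interfaces"].items():
            if status != "Normal":
                out.append(f"{role} interface {name} ({addr}): {status}")
    return out

if __name__ == "__main__":
    for item in findings(parse_show_failover(SAMPLE)):
        print(item)
```

Run against output saved from both units at intervals, the same check gives a timestamped record of when a unit or interface left the Normal state.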

Hello Gurpreet,

Our failover system is working only with the failover cable, not with a network cable.

High CPU is occurring in the primary unit. The high CPU usage was after the issue.

One thing: after disconnecting the cable for interface "inside" (this cable connects the firewall to our network) for a few seconds, the failover runs OK again. We can't understand it.

Here is the sh interface

Thanks again.

Martin

FWPERIMETRO(config)# sh interface

interface ethernet0 "inside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 000b.bef7.56c5

  IP address 172.17.4.122, subnet mask 255.255.252.0

  MTU 1500 bytes, BW 100000 Kbit full duplex

165844 packets input, 2811391461 bytes, 0 no buffer

Received 947714 broadcasts, 0 runts, 0 giants

1294 input errors, 0 CRC, 0 frame, 1294 overrun, 0 ignored, 0 abort

165698 packets output, 4122450665 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (128/128)

output queue (curr/max blocks): hardware (128/128) software (971/1189)

interface ethernet1 "internet" is up, line protocol is up

  Hardware is i82559 ethernet, address is 000b.bef7.56c6

  IP address 195.55.225.98, subnet mask 255.255.255.240

  MTU 1500 bytes, BW 100000 Kbit full duplex

20253 packets input, 6232273 bytes, 0 no buffer

Received 1830 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

22281 packets output, 2876208926 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

<--- More --->
             
input queue (curr/max blocks): hardware (128/128) software (8/128)

output queue (curr/max blocks): hardware (2/115) software (0/1)

interface ethernet2 "failover" is up, line protocol is down

  Hardware is i82558 ethernet, address is 00e0.b606.92d7

  IP address 192.168.254.253, subnet mask 255.255.255.252

  MTU 1500 bytes, BW 10000 Kbit half duplex

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

31 packets output, 320148 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

31 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/0)

output queue (curr/max blocks): hardware (0/10) software (0/1)

interface ethernet3 "dmz-2" is up, line protocol is up

  Hardware is i82558 ethernet, address is 00e0.b606.92d6

  IP address 195.76.142.185, subnet mask 255.255.255.248

  MTU 1500 bytes, BW 100000 Kbit full duplex

1179 packets input, 2703322420 bytes, 0 no buffer

Received 2074 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

720 packets output, 4209917559 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

<--- More --->
             
0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (1/101)

output queue (curr/max blocks): hardware (0/42) software (0/1)

interface ethernet4 "wandas" is up, line protocol is up

  Hardware is i82558 ethernet, address is 00e0.b606.92d5

  IP address 10.132.0.18, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 100000 Kbit full duplex

164402 packets input, 1499053954 bytes, 0 no buffer

Received 411 broadcasts, 0 runts, 0 giants

267 input errors, 0 CRC, 0 frame, 267 overrun, 0 ignored, 0 abort

159201 packets output, 1116228713 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (128/128)

output queue (curr/max blocks): hardware (0/128) software (0/49)

interface ethernet5 "dmz" is up, line protocol is up

  Hardware is i82558 ethernet, address is 00e0.b606.92d4

  IP address 172.23.4.2, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 100000 Kbit full duplex

16067 packets input, 942162666 bytes, 0 no buffer

Received 2108 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

<--- More --->
             
13916 packets output, 494350387 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (6/79)

output queue (curr/max blocks): hardware (0/65) software (0/1)
