01-13-2010 12:32 PM
I am trying to figure out how failover works I guess. When the Primary PIX fails over to the secondary PIX, does the standby take the IPs and names of the primary unit when it fails over, or does it use its own IPs for the inside/outside interfaces when it fails over?
The secondary host shouldn't say this when on standby right?
Other host: Secondary - Failed
The primary always says "Waiting":
This host: Primary - Active
Active time: 31443135 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Does that mean waiting to replicate?
01-14-2010 02:32 AM
Yes, when a PIX or ASA firewall standby unit becomes active, it inherits all the IPs of the primary unit.
The standby IPs are always exactly that: standby. When you do a manual failover (with both units available), the IPs basically swap between devices.
The secondary host shouldn't say Failed indeed. This can be caused by monitoring an interface which hasn't been properly configured with a standby address, or obviously some failure of the hardware or power. Can you post the complete output of a show failover command?
Normally, a standby unit should be reported as:
Other host: Secondary - Standby Ready
The primary unit is at this moment indeed waiting to replicate the settings to the standby unit. When it has done this, all the interfaces should report
Interface
01-14-2010 06:04 AM
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate 7.0(5)
Last Failover at: 12:01:01 UTC Jan 14 2009
This host: Primary - Active
Active time: 31512165 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
Interface outside (x.x.x.x): Normal
Interface inside (x.x.x.x): Normal
Stateful Failover Logical Update Statistics
Link : failover Ethernet0 (up)
Stateful Obj xmit xerr rcv rerr
General 555745821 0 2684278 0
sys cmd 2684285 0 2684278 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 354720708 0 0 0
UDP conn 198332191 0 0 0
ARP tbl 8637 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 2684278
Xmit Q: 0 2 576385069
01-14-2010 06:25 AM
The output looks fairly normal, except for the "Other host: Secondary - Failed" part.
Are the IP addresses reported by the other host identical to the ones configured in the failover configuration?
If so, can you connect to the secondary (backup) unit using the failover IP addresses reported by that unit?
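As an added illustration (not from the thread, and not a Cisco tool): a small Python parser for the "This host"/"Other host" and "Interface" lines of the show failover output posted above, which flags the two conditions discussed here, a peer reported as Failed and interfaces still marked Waiting. The sample input is constructed from the posted output, with the x.x.x.x placeholders kept.

```python
import re

# Constructed sample, abridged from the 'show failover' output posted
# in this thread (x.x.x.x placeholders as in the original post).
SAMPLE = """\
This host: Primary - Active
Active time: 31512165 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Other host: Secondary - Failed
Interface outside (x.x.x.x): Normal
Interface inside (x.x.x.x): Normal
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\):\s+([A-Za-z ]+?)(?:\s+\((\w+)\))?\s*$")

def parse_show_failover(text):
    """Return {'This'|'Other': {'role', 'state', 'interfaces': {name: {...}}}}."""
    hosts = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:  # 'This host: Primary - Active' opens a per-unit section
            cur = m.group(1)
            hosts[cur] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and cur:  # interface lines belong to the unit section above them
            hosts[cur]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "note": m.group(4)}
    return hosts

def failover_findings(hosts):
    """List the unhealthy conditions discussed in the thread; [] means healthy."""
    findings = []
    states = {h: d["state"] for h, d in hosts.items()}
    if "Active" not in states.values():
        findings.append("no unit is Active")
    if states.get("Other") not in ("Standby Ready", "Active"):
        findings.append(f"peer is not Standby Ready: {states.get('Other')}")
    for host, d in hosts.items():
        for name, i in d["interfaces"].items():
            if i["status"] != "Normal":
                findings.append(f"{host} host interface {name} is {i['status']}")
            if i["note"] == "Waiting":  # monitoring against the peer interface has not started
                findings.append(f"{host} host interface {name} is Waiting on its peer")
    return findings
```

On the posted output this reports the Failed peer and both Waiting interfaces; a pair showing Active / Standby Ready with all interfaces Normal returns an empty list.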
01-14-2010 07:01 AM
They are different, if I am looking in the right place.
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.0(5), Mate 7.0(5)
Last Failover at: 12:01:01 UTC Jan 14 2009
This host: Primary - Active
Active time: 31515525 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Other host: Secondary - Failed
Active time: 0 (sec)
Interface outside (x.x.x.x): Normal
Interface inside (x.x.x.x): Normal
Stateful Failover Logical Update Statistics
Link : failover Ethernet0 (up)
Stateful Obj xmit xerr rcv rerr
General 555745821 0 2684278 0
sys cmd 2684285 0 2684278 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 354720708 0 0 0
UDP conn 198332191 0 0 0
ARP tbl 8637 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 2684278
Xmit Q: 0 2 576385069
Also, is it possible to manage the secondary device while it is in standby? I cannot telnet to this device, only the primary.
01-14-2010 03:30 AM
Hi Daniel,
Yes, the secondary device takes the IP address of the primary device at the time of failover. When the active device fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC address, and it begins passing traffic. The PIX has one MAC address for all interfaces. The unit that was active and is now in standby state takes over the standby IP addresses and MAC address.
Because network devices see no change in the MAC to IP address pairing, failover is unnoticed by the rest of the network.
Show standby is the command to check the status of the device.
Hope that helps with your query!
Regards
Ganesh.H
01-14-2010 07:21 AM
I was not entirely clear, I'm sorry.
Those two addresses should be different. You have 2 sets of IPs:
A primary and secondary outside (254.1 and 254.5 respectively)
A primary and secondary inside (253.2 and 253.5 respectively)
I was wondering if those are also mentioned in your running configuration as:
interface Ethernetx
description outside
ip address x.x.254.1
and
interface Ethernetx
description inside
ip address x.x.253.2
01-14-2010 08:00 AM
Yes, the running configuration is configured as mentioned. But I cannot reach either of the standby addresses with telnet or a ping.
01-14-2010 08:09 AM
"show failover lan detail", since you're using LAN-based failover.
What devices are between the primary and secondary PIXes, if any?
Is the secondary unit reachable from anywhere else on the network, or not at all?
01-14-2010 11:25 AM
That is not a valid command. Here are my options:
show failover ?
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
It is supposed to be reachable. I may have to go console in or something.
01-14-2010 11:05 PM
Yes, that might be the only solution. Make sure the configuration matches the one from the primary PIX.
01-15-2010 06:33 AM
How can I tell which physical PIX of the 2 I am remoted into? It doesn't show the serial when I do "show version".
01-15-2010 08:15 AM
Here is some more info:
sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure
For some reason the sync is done as indicated, but then why the communication failure? According to my coworker you could never connect to the standby PIX except for console. So that goes back to the point of SNMP management. How would that be possible? Configuring a management port (then I don't think the SNMP "inside/outside" commands would work)?
01-15-2010 11:41 AM
Another command to display the serial number on PIX 7.1.x is "show activation-key", but then "show ver" works for me too.
All the PIX/ASA stateful failover pairs I've seen have manageable/reachable secondaries. Although the PIXes are using serial-based failover, I doubt LAN-based failover would be any different.
01-15-2010 11:53 AM
This is my version:
Cisco PIX Security Appliance Software Version 7.0(5)
I guess I was looking for the serial number that matches the physical sticker on the device. Show version does show a different serial.
Just sucks I can't connect to the standby.