09-10-2012 02:10 PM - edited 03-11-2019 04:52 PM
Hello All,
We have 2 units 515 in failover configuration.
Since last Thursday we have been having problems with our PIXes.
The primary unit fails and then the standby works.
We need to know what the real cause of the problem is.
We have configured logging, and when we check the syslog messages we can't find anything important.
Our version is 6.3(5).
Can anybody help us?
If you need more information, please tell me.
Thanks in advance.
Martin.
09-10-2012 03:37 PM
Hi Martin,
Can you paste the outputs of "show failover" and "show failover history" from both units?
Regards
Gurpreet
09-11-2012 02:57 AM
Hello Gurpreet,
Here is the sh failover, but my PIX doesn't work with sh failover history.
This morning we had the same problem and I saw excessive CPU usage.
What can we check?
Thanks.
Martin
FWPERIMETRO# sh failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 07:24:14 GMT+1 Tue Sep 11 2012
This host: Secondary - Standby (Failed)
Active time: 2190 (sec)
Interface inside (172.17.4.33): Normal
Interface internet (195.55.225.101): Normal
Interface failover (192.168.254.254): Link Down (Waiting)
Interface dmz-2 (dmz-2-pix-sec): Normal
Interface wandas (10.132.0.17): Normal
Interface dmz (172.23.4.254): Normal
Other host: Primary - Active
Active time: 72000 (sec)
Interface inside (172.17.4.122): Normal
Interface internet (195.55.225.98): Normal
Interface failover (192.168.254.253): Link Down (Waiting)
Interface dmz-2 (195.76.142.185): Normal
Interface wandas (10.132.0.18): Normal
Interface dmz (172.23.4.2): Normal
Stateful Failover Logical Update Statistics
Link : internet
Stateful Obj xmit xerr rcv rerr
General 10121 0 1480322 0
sys cmd 9561 0 9793 0
up time 0 0 2 0
xlate 3 0 263 0
tcp conn 557 0 1470264 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 337236
Xmit Q: 0 1 9679
09-11-2012 05:20 AM
Hello Martin,
Since you are running 6.3.5, "show fail his" will not work on PIX/ASA due to the older version. Anyway, from the show failover output, it seems the failover link itself is down, which needs to be worked on.
Are you able to ping 192.168.254.254 from active or 192.168.254.253 from standby? I am assuming the failover link is directly connected between both units, so can you check if the cable is connected correctly? If yes, then I would need the output of "show interface".
Now, since the failover link is down, the configuration from active cannot be replicated to the standby unit since it is in a failed state, so failover will not work until the failover link is up again.
Did you also see high CPU on the primary active unit? What was the CPU usage, and did it cause the failover? If yes, then at what time were the above failover outputs collected, I mean before the issue or after the issue?
Regards
Gurpreet
09-11-2012 05:33 AM
Hello Gurpreet,
Our failover system is working only with the failover cable, not with a network cable.
High CPU is occurring in the primary unit. The high CPU usage was after the issue.
One thing: after disconnecting the cable for interface "inside" for a few seconds (this cable connects the firewall to our network), the failover runs OK again. We can't understand it.
Here is the sh interface
Thanks again.
Martin
FWPERIMETRO(config)# sh interface
interface ethernet0 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.bef7.56c5
IP address 172.17.4.122, subnet mask 255.255.252.0
MTU 1500 bytes, BW 100000 Kbit full duplex
165844 packets input, 2811391461 bytes, 0 no buffer
Received 947714 broadcasts, 0 runts, 0 giants
1294 input errors, 0 CRC, 0 frame, 1294 overrun, 0 ignored, 0 abort
165698 packets output, 4122450665 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (128/128)
output queue (curr/max blocks): hardware (128/128) software (971/1189)
interface ethernet1 "internet" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.bef7.56c6
IP address 195.55.225.98, subnet mask 255.255.255.240
MTU 1500 bytes, BW 100000 Kbit full duplex
20253 packets input, 6232273 bytes, 0 no buffer
Received 1830 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
22281 packets output, 2876208926 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
<--- More --->
input queue (curr/max blocks): hardware (128/128) software (8/128)
output queue (curr/max blocks): hardware (2/115) software (0/1)
interface ethernet2 "failover" is up, line protocol is down
Hardware is i82558 ethernet, address is 00e0.b606.92d7
IP address 192.168.254.253, subnet mask 255.255.255.252
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
31 packets output, 320148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
31 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/10) software (0/1)
interface ethernet3 "dmz-2" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d6
IP address 195.76.142.185, subnet mask 255.255.255.248
MTU 1500 bytes, BW 100000 Kbit full duplex
1179 packets input, 2703322420 bytes, 0 no buffer
Received 2074 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
720 packets output, 4209917559 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (1/101)
output queue (curr/max blocks): hardware (0/42) software (0/1)
interface ethernet4 "wandas" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d5
IP address 10.132.0.18, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
164402 packets input, 1499053954 bytes, 0 no buffer
Received 411 broadcasts, 0 runts, 0 giants
267 input errors, 0 CRC, 0 frame, 267 overrun, 0 ignored, 0 abort
159201 packets output, 1116228713 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (128/128)
output queue (curr/max blocks): hardware (0/128) software (0/49)
interface ethernet5 "dmz" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b606.92d4
IP address 172.23.4.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
16067 packets input, 942162666 bytes, 0 no buffer
Received 2108 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
<--- More --->
13916 packets output, 494350387 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (6/79)
output queue (curr/max blocks): hardware (0/65) software (0/1)