Re: ciscopix-wrong time in failover

secureIT · ‎10-06-2010

Hi Team,

im having PIX-525 with 707 version and after we do a failover, my secondary firewall which is active now shows a wrong time..im getting the correct failover time in my Primary.

Can anyone suggest me what could be the problem..

show failover#

Failover unit Secondary

Version: Ours 7.0(7), Mate 7.0(7)
Last Failover at: 05:30:44 IST Jan 1 1993
This host: Secondary - Active
Active time: 300075 (sec)

show version#

firewall up 3 days 11 hours
failover cluster up 3 days 11 hours

show clock#

16:04:22.508 IST Wed Oct 6 2010

secureIT · ‎10-06-2010

Hi Cisco Folks,

Can some one please help me...

Jennifer Halim · ‎10-07-2010

The "Last Failover" date will only show when the secondary fails back to the Primary.

The Primary firewall is showing the correct failover time because it failed over to the secondary.

Only when the unit fails over from Active to standby, it will update the "Last Failover" time.

Hope that makes sense.

secureIT · ‎10-07-2010

Hi,

I have another set of firewalls, where the secondary is active and last failover time is showing correctly,, lets say on 2009.

Where as this firewall shows that the last failover happend only on 1993, which i can not accept it. Can not believe that the firewall was not failed over for the last 17yrs...could you pls think in that way...

Jennifer Halim · ‎10-07-2010

Well, the firewall itself has only been up for 3 days and 11 hours as per the show version output provided:

show version#

firewall up 3 days 11 hours
failover cluster up 3 days 11 hours

So unfortunately, the failover cluster itself hasn't been up for a long time. The 1993 date is the default, and does not reflect an actual failover that has happend.

secureIT · ‎10-07-2010

Well, thats the good information..

will check and update you sir..

secureIT · ‎10-07-2010

Hi jennifer,

I strongly agree with this point. One last query i have is, could you please share me the cisco document for the same..would be great help

Jennifer Halim · ‎10-08-2010

Here is the command reference for "show failover" output:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1507535

Hope that helps.

secureIT · ‎10-08-2010

Hi thanks..

This does not say that the default year would be 1993 in last failover time unless not failedover...

Could you pls check this..

Jennifer Halim · ‎10-08-2010

Well, as advised earlier, the last failover will only change when the firewall goes from Active to Standby/Failed status. You will not see the actual failover time on the last failover time as your secondary firewall did not fail over as it is the active firewall.

Unfortunately there is no documentation that will tell what is the default date listed for "last failover" as people are normally not concern about default last failover time in investigating failover problem. Plus your failover cluster has just been up for 3 days and 11 hours.

Namit Agarwal · ‎10-08-2010

Hi Rajesh,

The year 1993 could be explained in a way that , it is the earliest time that the PIX will accept. So the PIX does not accept dates or times before 1993. That is why the earliest time the failover can show is 1993.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/c.html

Search for this text in the document "The maximum date range for the clock command is 1993 through 2035. A time prior to January 1, 1993, or after December 31, 2035, will not be accepted".

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html

Search this text "clock set"

I hope that helps

Thanks,