Configuring Failover in PIX 7.21 - horror case !!

wingchingleung (Level 1)

I ran into a horror case yesterday when I was trying to set up failover with my PIX 515E (with 7.21 code). Details are as follows:

Existing PIX 515E (the only active one):

interface Ethernet5
 description LAN/STATE Failover Interface
 speed 100
 duplex full

no failover
failover lan unit primary
failover lan interface failover Ethernet5
failover lan enable
failover link failover Ethernet5
failover interface ip failover 172.16.31.9 255.255.255.252 standby 172.16.31.10

Whereas for the secondary unit that will be added, the failover config is as follows:

interface Ethernet5
 description LAN/STATE Failover Interface
 speed 100
 duplex full

failover
failover lan unit secondary
failover lan interface failover Ethernet5
failover lan enable
failover link failover Ethernet5
failover interface ip failover 172.16.31.9 255.255.255.252 standby 172.16.31.10

(Note: this secondary unit has no other config besides having turned on E5 and the failover portion. It has nothing else in the config.)

So yesterday I mounted the secondary unit in the same rack and powered it on. Then I connected a crossover cable between the primary and secondary unit. Upon cable connection I consoled onto the primary unit and put in the command "failover". Immediately I saw the message "synchronization begins... mate detected..." etc. So I thought this was just like any other failover setup I had done for 7.0...

Soon after I saw the message "End of synchronization", the people in the office started knocking on the closet door and yelling at me, as they had all lost their internet and VPN connections. I looked at my console (still connected to the primary active unit) and realized that the primary active config in the PIX had been completely wiped out (just like the secondary PIX). I was glad I had a backed-up config saved before the change and was able to restore it in no time.

Can anyone shed some light on this subject? Is the sequence in which you enable the "failover" command that critical in the failover setup (as in my case, I enabled failover on the primary unit after the secondary unit)?

Thanks.

4 Replies

srue (Level 7)

I've set up failover on 2 x 515Es recently with 7.2(1) code also, but not LAN failover; we use the failover cables. I always set the config up on the primary PIX, including issuing the failover command on it first. Then I plug in the second one (again, via failover cable) and issue the failover command on the secondary PIX last. This has no issues. I've never done LAN failover though, so I'm not sure how much this applies.

JOSH GANT (Level 1)

I can shed a little light on this: the 7.2.X code is terribly unstable! We have been having the best luck with the 7.2.1.9 interim release, but even that one is very sensitive. Stay away from the "Packet Trace" feature in ASDM 5.2.1 if you are running 7.2.1.9. I believe we have had problems with RIP as well. TAC also suggested turning off inspection for HTTP and SMTP in 7.2 code because of bugs. We have been having customer ASAs dropping left and right the past few months. Great fun.

It seems that the 7.0 and 7.1 software has been more stable than 7.2, but there are many bug fixes in 7.2, especially for WebVPN features. You pretty much have to upgrade to 7.2 and cross your fingers.

Hi, can you please tell me when Cisco is officially releasing the new code? I mean the interim code you mentioned: does it have any new features, or is it just bug fixes again for 7.2.1? I hope to see a release from Cisco very soon wherein it will support VPNs and routing protocols working in a security context, because without VPNs, configuring contexts makes the box more dumb; it can just do the same old NATting for which the PIX is famous. Another dumb thing I hate about the PIX is that for active/active failover we are forced to use security contexts, and using contexts disables VPNs. I guess active/active failover should be supported without contexts, just as other firewalls do, for example NetScreen.

regards

sebastan

Today I actually went for another try on the failover, and now I realize that the order in which you put or enable the "failover" command on the PIXes is absolutely critical. This time around I put the failover command on the primary active first and then proceeded to enable "failover" on the secondary, and it works.
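The two outcomes in this thread follow from one rule of PIX/ASA failover: configuration replicates from the Active unit to the Standby. A secondary booted alone with `failover` already on finds no mate, takes the Active role with its empty config, and overwrites the primary the moment the primary joins. The script below is an added example, not code from the thread or from Cisco: it parses abridged, constructed `show failover` output (not captured from the poster's units) and predicts which unit's running config will be replaced before you type `failover` on the second box. The rule it encodes is the assumption named above.

```python
import re

# Constructed, abridged `show failover` samples for the states in the thread.
# Only the lines this check reads are included; real output has more fields.
PRIMARY_FAILOVER_OFF = """\
Failover Off
Failover unit Primary
Failover LAN Interface: failover Ethernet5 (up)
"""

SECONDARY_FAILOVER_OFF = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: failover Ethernet5 (up)
"""

# Secondary powered on alone with `failover` in its config: no mate seen,
# so it became Active with nothing but the failover lines in its config.
SECONDARY_UP_ALONE = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet5 (up)
        This host: Secondary - Active
        Other host: Primary - Not Detected
"""

# The poster's second attempt: `failover` entered on the primary first.
PRIMARY_ACTIVE_FIRST = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet5 (up)
        This host: Primary - Active
        Other host: Secondary - Not Detected
"""


def parse_show_failover(text):
    """Reduce `show failover` output to {'enabled', 'unit', 'state'}.

    'state' is this host's role ('Active', 'Standby Ready', ...) or None
    when the output carries no 'This host:' line (failover off).
    """
    enabled = re.search(r"^Failover (On|Off)\s*$", text, re.M)
    unit = re.search(r"^Failover unit (Primary|Secondary)", text, re.M)
    state = re.search(r"^\s*This host: (?:Primary|Secondary) - (.+?)\s*$",
                      text, re.M)
    if not enabled or not unit:
        raise ValueError("does not look like `show failover` output")
    return {
        "enabled": enabled.group(1) == "On",
        "unit": unit.group(1),
        "state": state.group(1) if state else None,
    }


def overwritten_when_enabling(me, mate):
    """Predict whose running config is replaced when `failover` is entered
    on unit `me` while `mate` is cabled up.

    Assumed rule: replication flows from Active to Standby. If the mate is
    already Active, `me` joins as Standby and loses its config; otherwise
    `me` comes up Active and the mate is overwritten when it joins.
    """
    if me["enabled"]:
        raise ValueError(f"{me['unit']} already has failover enabled")
    if mate["enabled"] and mate["state"] == "Active":
        return me["unit"]
    return mate["unit"]


def safe_to_enable(me, mate, keep="Primary"):
    """True only if entering `failover` on `me` leaves `keep`'s config intact."""
    return overwritten_when_enabling(me, mate) != keep


if __name__ == "__main__":
    # Thread's first attempt: secondary came up alone, then primary enabled.
    p_off = parse_show_failover(PRIMARY_FAILOVER_OFF)
    s_alone = parse_show_failover(SECONDARY_UP_ALONE)
    print("enable on primary while secondary is Active -> overwrites",
          overwritten_when_enabling(p_off, s_alone))
    # Second attempt: primary Active first, then secondary enabled.
    p_act = parse_show_failover(PRIMARY_ACTIVE_FIRST)
    s_off = parse_show_failover(SECONDARY_FAILOVER_OFF)
    print("enable on secondary while primary is Active -> overwrites",
          overwritten_when_enabling(s_off, p_act))
```

Run `show failover` on both consoles before the second `failover` command and feed the output through `safe_to_enable`; the only safe sequence is the one the poster found, because the unit holding the real config must already be Active when the empty one joins.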
