PIX 525 Interface stops responding

dro
Level 1

Hi,

I have two 525's configured in FO. A few months ago I ran into a problem with 6.3.3-133 where both of my PIX's would stop responding on the Inside (embedded) interface and the secondary would flip and take control. After an upgrade to 6.3.4 the problem went away... until now.

Last night (after 69 days of running on 6.3.4) the same problem happened again. The interface stopped responding and the secondary unit took control. Even after the secondary takes over, the ex-primary still can't use the Inside interface.

I didn't notice anything odd with the device; there wasn't any abnormal amount of traffic going through either. I did notice, however, that the packet counters in the interface were in the 300 range for sent and received. I'm not sure if the problem was related to the counter wrapping back to 0, or if it was just a coincidence.

Since the time of the original incident, I've replaced the switch (currently using a C2950-48T). A show interface shows no errors on either the PIX or the switch side of the connection on either the primary or secondary units.

The only other thing of note is that I had been running 6.3.3-133 for around 3 months prior to the interfaces locking up on it as well.

These logs were recorded via syslog, but really don't help:

Nov 17 16:23:00 %PIX-1-105005: (Primary) Lost Failover communications with mate on interface 1

Nov 17 16:23:00 %PIX-1-105008: (Primary) Testing Interface 1

Nov 17 16:23:17 %PIX-1-104001: (Secondary) Switching to ACTIVE - fail reported by mate.

Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 3 waiting

Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 2 waiting

Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 1 waiting

Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 0 waiting

Nov 17 16:23:17 %PIX-1-103005: (Secondary) Other firewall reporting failure.

Any ideas or suggestions?

Thanks,

-Joshua
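The failover sequence in the syslog lines above can be read mechanically. The following is an added example, not part of the original post: a small Python parser that pairs the "Lost Failover communications" message with the following "Switching to ACTIVE" message and reports the affected interface and the delay. The field layout is inferred from the quoted lines, and the function names and the `year` placeholder are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines quoted in the post above.
SAMPLE = """\
Nov 17 16:23:00 %PIX-1-105005: (Primary) Lost Failover communications with mate on interface 1
Nov 17 16:23:00 %PIX-1-105008: (Primary) Testing Interface 1
Nov 17 16:23:17 %PIX-1-104001: (Secondary) Switching to ACTIVE - fail reported by mate.
Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 3 waiting
Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 2 waiting
Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 1 waiting
Nov 17 16:23:17 %PIX-1-105003: (Secondary) Monitoring on interface 0 waiting
Nov 17 16:23:17 %PIX-1-103005: (Secondary) Other firewall reporting failure.
"""

# Layout assumed from those lines: "Mon DD HH:MM:SS %PIX-<sev>-<id>: (<unit>) <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) %PIX-(?P<sev>\d)-(?P<msg_id>\d{6}): "
    r"\((?P<unit>Primary|Secondary)\) (?P<text>.*)$"
)
IFACE_RE = re.compile(r"interface (\d+)", re.IGNORECASE)

def parse_line(line, year=2000):
    """Parse one line; `year` is an assumed placeholder (syslog timestamps carry none)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    iface = IFACE_RE.search(m["text"])
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "msg_id": m["msg_id"],
        "unit": m["unit"],
        "interface": int(iface.group(1)) if iface else None,
    }

def failover_timeline(text, year=2000):
    """Pair each 105005 (lost failover comms) with the next 104001 (switch to ACTIVE)."""
    lost, switches = None, []
    for event in filter(None, (parse_line(l, year) for l in text.splitlines())):
        if event["msg_id"] == "105005":
            lost = event
        elif event["msg_id"] == "104001":
            switches.append({
                "new_active": event["unit"],
                "interface": lost["interface"] if lost else None,
                "delay_s": (event["ts"] - lost["ts"]).total_seconds() if lost else None,
            })
            lost = None
    return switches
```

Run over a longer syslog archive, the same function lists every switchover with its triggering interface, which makes it easier to compare the intervals between lockups.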

5 Replies

sachinraja
Level 9

Hello Joshua,

How frequently does this happen? Can you remove the failover and try working with a single PIX and see if this happens? You say that from the LAN, the inside interface is not reachable. What is the status on the PIX from console? Interface status still shows up/up?

Do let us know.

It doesn't appear to be too frequent. I had been running 6.3.3-133 for almost three months, and then both PIXs would lock up on their inside interface every other day for a week. An upgrade to 6.3.4 fixed that problem (or so I thought...).

After running 6.3.4 for 3 months (69 days) it happened again. So it isn't very frequent, but the problem isn't very friendly. This past time it only happened once (so far).

Unfortunately, I have to leave my PIX's in failover so I can't test it out in a single install.

When I logged into the console to check, the interface showed up/up on both the PIX and the switch. I tried shutting down the interface on both sides, but it still wouldn't respond. The only way I found to get it back online was a reboot.

-Joshua

Hi,

I seem to be having this issue, or a very similar one, as well.

The primary fails over to the secondary for no real reason.

I am using serial cable failover and gigabit eth for state failover (sx-sx between the two devices).

Did you manage to get any further with this?

I am running OS 6.3.4.

Let me know if you could.

Cheers

LR

Nope, nothing new to report. I'm waiting for the uptime to get back to around 90 days and see what happens again.

-Joshua

Same problem. Same symptoms. Just happened again 25 minutes ago.
