Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1162
Views
0
Helpful
6
Replies

Pix 6.2 (failover to primary)

Go to solution
vikrantarora
Level 1
Level 1

‎02-21-2003 09:17 AM - edited ‎02-20-2020 10:34 PM

I recently joined a company where PIX firewall is installed. but the active link on failover is red , i want to make the primary pix as active. how do i do it?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kagodfrey
Level 3
Level 3
In response to vikrantarora

‎02-24-2003 10:34 AM

There seems to be some confusion with primary, secondary, active and standby. In your scenario, it is which ever pix is 'active' that will always have the .190 address, whether it is the primary or secondary, and similarly, the 'standby' pix will always take the .180 address. It is the 'active' pix you need to configure, not the 'standby', as the standby unit will not replicate changes to the active unit, and this is the error you are seeing. You need to telnet to the 190 address in order to configure the pair.

Hope that helps

View solution in original post

0 Helpful
6 Replies 6

Go to solution
steve.barlow
Level 7
Level 7

‎02-21-2003 10:14 AM

Use the 'failover active' command to initiate a failover switch from the standby unit (or the 'no failover active' command from the active unit to initiate a failover switch). You can use this feature to return a failed unit to service, or to force an active unit off line for maintenance. Because the standby unit does not keep state information on each connection, all active connections will be dropped and must be re-established by the clients.

Verify with 'show failover' to make sure who is active.

Hope it helps.

Steve

0 Helpful

Go to solution
vikrantarora
Level 1
Level 1
In response to steve.barlow

‎02-21-2003 12:33 PM

steve,

thanks for the command. but I have another problem. I have 2 pix firewalls, let's say 'F' and 'P'.

The ip address of F is f.f.f.f and the ip address of P is p.p.p.p.

When I telnet into F and do config t , I get the following message:

Pix-Admin1# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

.

When I telnet into P and do show failover I get

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 375 (sec)

Interface statefailover (3.3.3.1): Normal

Interface none2 (2.2.2.2): Link Down (Shutdo

Interface statefailover:5 (1.1.1.1): Link Do

Other host: Primary - Standby

Active time: 960 (sec)

Interface statefailover (3.3.3.2): Normal

Interface none2 (0.0.0.0): Link Down (Shutdo

Interface statefailover:5 (0.0.0.0): Link Do

I did " no failover active" and made the primary active. but I cant do config t on F. why so? and how do I synchronize the 2 firewalls and get rid of the warning.

0 Helpful

Go to solution
steve.barlow
Level 7
Level 7
In response to vikrantarora

‎02-24-2003 06:13 AM

F is your standby and P is your active. You shouldn't enter config changes on your standy, only your active. But your F is designated as your primary, so if you want to make it the active PIX again either enter the 'no failover active' command on the secondary unit (to switch service to the primary) or the 'failover active' command on the primary unit. Ideally you want F to be primary and active, and P to be secondary and standby. Then you will be in synch and won't see that error (if you make changes on F only, and when it is the primary active PIX).

Steve

0 Helpful

Go to solution
vikrantarora
Level 1
Level 1
In response to steve.barlow

‎02-24-2003 08:42 AM

Steve,

Lets start from the beginning, as i think there is some confusion in the terminology or understanding at my part:

Telnet 192.xxx.xxx.190 i.e labelled 'Primary' and is active at the moment:

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Primary - Active

Active time: 237690 (sec)

Interface statefailover (3.3.3.1): Normal

Other host: Secondary - Standby

Active time: 0 (sec)

Interface statefailover (3.3.3.2): Normal

*******************************************

Telnet 192.xxx.xxx.180 i.e labelled 'Failover' and is not active at the

moment:

Pix-Admin1(config)# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Standby

Active time: 0 (sec)

Interface statefailover (3.3.3.2): Normal

Other host: Primary - Active

Active time: 237840 (sec)

Interface statefailover (3.3.3.1): Normal

**********************************

Chnaging any config'n or doing 'config t' on 192.xxx.xxx.180 gives the following error:

Pix-Admin1(config)# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

Both consoles hang now!!

*******************************

I telnet again, do a 'no failover active' at 192.xxx.xxx.190. Window closes after some time on its own.

*****************************

I telnet again into 192.xxx.xxx.190 and do 'sh fail' and get:

Pix-Admin1# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 180 (sec)

Interface statefailover (3.3.3.1): Normal

Other host: Primary - Standby

Active time: 238050 (sec)

Interface statefailover (3.3.3.2): Normal

*********************************

I telnet into 192.xxx.xxx.180 and do 'sh fail' and get:

Pix-Admin1# sh fail

Failover On

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Primary - Standby

Active time: 238050 (sec)

Interface statefailover (3.3.3.2): Normal

Other host: Secondary - Active

Active time: 285 (sec)

Interface statefailover (3.3.3.1): Normal

****************************

But still, Chnaging any config'n or doing 'config t' on 192.xxx.xxx.180 gives the following error:

Pix-Admin1# config t

**** WARNING ***

Configuration Replication is NOT performed from Standby unit to Active u

nit.

Configurations are no longer synchronized.

***************************

DOUBTS!

From my observation, 'THIS HOST' and 'OTHER HOST' chnage from primary to secondary and vice verca. So, we should not label one of the firewalls as 'Primary' and How do I make sure that primary is failover and active?

Secondly, how do I rmeove the Warning I keep geeting on 192.xxx.xxx.180?

Why do we give no failover active on priamry and failover active active on

standby only? I my case I can not give any command on 192.xxx.xxx.180?

Appreciate your help and patience!

0 Helpful

Go to solution
kagodfrey
Level 3
Level 3
In response to vikrantarora

‎02-24-2003 10:34 AM

There seems to be some confusion with primary, secondary, active and standby. In your scenario, it is which ever pix is 'active' that will always have the .190 address, whether it is the primary or secondary, and similarly, the 'standby' pix will always take the .180 address. It is the 'active' pix you need to configure, not the 'standby', as the standby unit will not replicate changes to the active unit, and this is the error you are seeing. You need to telnet to the 190 address in order to configure the pair.

Hope that helps

0 Helpful

Go to solution
vikrantarora
Level 1
Level 1
In response to kagodfrey

‎02-25-2003 10:50 AM

Thank you very much for sharing that information.

Please dont reply if i am right in saying that i can , under no circumstances , configure the .180 pix directly. it has to pick up configuration from primary which i can force by " wr standby" command on the .190 pix

Thanks!

vikrant

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card