PIX 7.0 Failover Question/Problem

joemarr_brodart · ‎06-19-2005

Hi Folks,

I have 2 questions, one of them may be more of a problem then a question.

Question 1.

Should I be able to telnet secondary/standby unit via its assigned IP? My active unit is x.x.x.2 and the standby is x.x.x.3. I cant ping or telnet x.x.x.3.

Question 2.

With a Active/Standby Cable-based w/ Stateful LAN, what is the expected time frame for failover to complete. When I manually failover the active to the standby it take between 45 to 60 seconds. I also noticed the adjacent routers show it looses OSPF neighbor status with the firewall during this time. Ill add the failover portions of my config.

Thanks,

Joe

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240 standby x.x.x.x

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0 standby 192.168.10.3

!

interface Ethernet2

speed 100

duplex full

no nameif

no security-level

no ip address

!

interface Ethernet2.56

vlan 56

nameif dmz

security-level 50

ip address 10.101.0.1 255.255.255.0 standby 10.101.0.11

!

interface Ethernet3

description STATE Failover Interface

!

failover

failover polltime unit 1 holdtime 3

failover key *****

failover replication http

failover link state Ethernet3

failover interface ip state 10.50.1.33 255.255.255.252 standby 10.50.1.34

monitor-interface outside

monitor-interface inside

monitor-interface dmz

lenny.lim · ‎06-20-2005

HI,

For your first question, yes you should be able to ping and also to telnet to the secondary firewall. I have not test whether it will function like the primary if i actually redirect some of my traffic to it though....

For your second question, yes it does take quite a resonable amound of time to failover. In my opinion, other brands of firewalls does this better. ;)... and for the OSPF, that is something i really hope Cisco will indeed fix as i'm having the same problem. You can see why the OSPF has to rebuild it's neighborship by doing a "show failove". From there you will see what state or table is replicated/sync over to the failover unit. As you can see, there isn't any on OSPF neighbor state or OSPF database thus everything has to be rebuild from scratch.

hope that helps..

joemarr_brodart · ‎06-20-2005

Thanks for the reply. I dont thing it will handle traffic, while its in standby but I had thought I should have been able to telnet or ping it. Any thoughts on where to begin troubleshooting such an issue? Im also wondering now if maybe its related to the OSPF issue.

lenny.lim · ‎06-20-2005

Perhaps you should verify if the command "telnet 0 0 inside" is there and ping from a directly connected interface to the pix. If you still cannot, how about switching failover and test again.....

mschomburg · ‎06-20-2005

I hope it is not too late to jump in to this thread. I've got a 515E failover pair running 6.3(1), and the failover is very quick - most users don't even notice. I just received my RAM upgrade today and am planning to upgrade to software version 7 this weekend. Are you saying that the failover time increases significantly? That would not be progress. Thanks!

joemarr_brodart · ‎06-20-2005

I belive you should be ok.

This failover install was a brand new PIX deployment, so I dont things 7.0 was the cause. I bet it would have done the same thing on 6.3. I belive its an issue with the route table thats causing the issue.

lenny.lim · ‎06-21-2005

HI,

The ver7.0 has some improvement in terms of failover. Especially on the power failure of the primary unit. When talking about failover, i recommend 7.0. It also now supports IPsec failover.

I got my unit with 6.3.4 and have upgraded it to 7.0. i've also just tested the failover with traffic passing through multiple subinterfaces (vlans) and the sessions stays. Though when i first configured i had a problem with both the unit as stands idle in the sync state. But after a cold reboot for both unit, seems to work fine.

joemarr_brodart · ‎06-20-2005

I can telnet and ping from any directly connected device which leads me to believe its the lack of a routing table thats the problem. I rely on OSPF for my default also.

lenny.lim · ‎06-21-2005

is your your telnet command configured correctly or your access-list perhaps ?

or like what you say, it's a routing problem. so does your return traffic know where to go ?

joemarr_brodart · ‎06-21-2005

I added a low metric default as well as a route to my internals and I can now ping and telnet.