03-12-2003 03:05 AM - edited 02-20-2020 10:37 PM
Hi.
I need some help to understand correctly how PIX LAN-based failover works.
I configured 2 PIX as LAN failover with a stateful Ethernet device and using
inside interface for LAN failover.
Failover starts correctly, and the two PIX start to exchange the configurations, this is OK.
But if I shut down the primary PIX, the second does not take control.
This is my situation:
System IP Addresses:
ip address outside 192.168.87.131 255.255.255.224
ip address inside 192.168.97.91 255.255.255.0
ip address FAILOVER 192.168.87.241 255.255.255.248
ip address DMZ 192.168.87.161 255.255.255.224
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
Current IP Addresses:
ip address outside 192.168.87.135 255.255.255.224
ip address inside 192.168.97.91 255.255.255.0
ip address FAILOVER 192.168.87.243 255.255.255.248
ip address DMZ 192.168.87.167 255.255.255.224
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
failover ip address outside 192.168.87.135
failover ip address inside 192.168.97.90
failover ip address FAILOVER 192.168.87.243
failover ip address DMZ 192.168.87.167
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
If the 1st PIX goes down, and the second PIX takes control, what
kind of IP address do the clients see?
The failover IP address, or the real IP address?
Should my clients point to 192.168.97.90 or 91 as a gateway?
Many thanks.
03-12-2003 04:43 AM
The transition from Active to Standby is transparent to users especially if you're using Stateful failover.
The clients should still see the same IP address (gateway).
Below are some of the important configurations:
failover lan unit primary
failover lan interface intf3
failover lan enable
failover
Did you follow the steps from the documentation correctly?
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/failover.htm
HTH.
03-12-2003 06:19 AM
OK, then my clients should see the original PIX IP address, not the failover IP.
Failover IPs are only used to set up communication with the 2nd PIX that acts as
a standby.
Is this correct?
Yes, I followed exactly the instructions on the manual pages.
Can I use my inside interface for FAILOVER LAN INTERFACE or must I
set up another interface?
Thanks.
03-12-2003 10:34 PM
Cabling two PIX Firewall units together for failover requires a high-speed serial cable when
using cable-based failover, or a dedicated Ethernet connection to a dedicated switch (or VLAN)
when using LAN-based failover. If you are using Stateful Failover, a separate dedicated
connection is required when running cable-based failover and is recommended when running
LAN-based failover. The minimum connection speed for a Stateful Failover link is 100 Mbps full-duplex.
The paragraph above was taken from the link that I have posted.
If this is the first time you're configuring failover, I would suggest reviewing the
failover docs first so that you can take some important notes about its operation.
Because I believe that if you know how it works, troubleshooting should be easy.
But please post any questions you still have in mind. Surely, the experts out there
will provide short and accurate answers.
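
Added example (not written by any poster in this thread and not Cisco code): a Python script that parses the address listing from the first post and reports, per interface, whether the address currently in use is the system or the failover address, and whether the failover address is a distinct host in the system subnet. It assumes a unit should be using either all system addresses or all failover addresses; the function names `parse` and `audit` are hypothetical.

```python
import ipaddress
import re

# Addresses copied from the first post (unused intf4/intf5 omitted).
LISTING = """System IP Addresses:
ip address outside 192.168.87.131 255.255.255.224
ip address inside 192.168.97.91 255.255.255.0
ip address FAILOVER 192.168.87.241 255.255.255.248
ip address DMZ 192.168.87.161 255.255.255.224
Current IP Addresses:
ip address outside 192.168.87.135 255.255.255.224
ip address inside 192.168.97.91 255.255.255.0
ip address FAILOVER 192.168.87.243 255.255.255.248
ip address DMZ 192.168.87.167 255.255.255.224
failover ip address outside 192.168.87.135
failover ip address inside 192.168.97.90
failover ip address FAILOVER 192.168.87.243
failover ip address DMZ 192.168.87.167"""

LINE = re.compile(r"(failover )?ip address (\S+) (\S+)(?: (\S+))?$")

def parse(listing):
    """Map interface -> {'system': IPv4Interface, 'current'/'failover': IPv4Address}."""
    table, section = {}, None
    for line in map(str.strip, listing.splitlines()):
        if line.endswith("IP Addresses:"):
            section = line.split()[0].lower()      # "system" or "current"
        elif (m := LINE.match(line)):
            fo, name, addr, mask = m.groups()
            entry = table.setdefault(name, {})
            if fo:
                entry["failover"] = ipaddress.ip_address(addr)
            elif section == "system":
                entry["system"] = ipaddress.ip_interface(f"{addr}/{mask}")
            else:
                entry["current"] = ipaddress.ip_address(addr)
    return table

def audit(table):
    """Per interface: (role implied by current address, failover address is valid)."""
    report = {}
    for name, e in table.items():
        system, current, failover = e["system"], e["current"], e["failover"]
        role = {system.ip: "active", failover: "standby"}.get(current, "unknown")
        report[name] = (role, failover in system.network and failover != system.ip)
    return report

if __name__ == "__main__":
    for name, (role, valid) in audit(parse(LISTING)).items():
        print(f"{name:9} current address is the {role} one; failover ip valid: {valid}")
```

On the posted listing, outside, FAILOVER and DMZ are using their failover addresses while inside is still using its system address, so inside is the interface whose role disagrees with the rest.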