
PIX Failover problem

skombathula
Level 1

Hi,

We have a PIX 515 pair and I configured PIX failover using the failover serial cable. Here is the status when I run the command SH FAILOVER on the Primary:

Cable status: Normal

Reconnect timeout 0:00:00

Poll frequency 15 seconds

failover replication http

This host: Primary - Active

Active time: 70320 (sec)

Interface intf2 (192.168.176.250): Normal

Interface intf3 (10.0.0.1): Link Down (Waiting)

Interface outside (192.10.10.1): Normal

Interface inside (192.10.20.1): Normal

Other host: Secondary - Standby

Active time: 0 (sec)

Interface intf2 (192.168.176.251): Normal

Interface intf3 (10.0.0.2): Link Down (Waiting)

Interface outside (192.10.10.2): Normal (Waiting)

Interface inside (192.10.20.2): Normal

Stateful Failover Logical Update Statistics

Link : Unconfigured.

I have 3 questions regarding the PIX Failover:

1) We were using interface 3 (intf3) temporarily and we later unplugged the cable. There is no cable connected to Interface 3 (intf3) on the primary PIX or to the standby PIX. It shows interface gb-ethernet0 "intf3" is up, line protocol is down, which is obvious.

My question would be: if I shut down Interface 3 (intf3) on the primary PIX, will the interface on the standby also be shut down, or should I manually console to the standby and shut down the corresponding interface? I am not sure how to shut down the interface on both PIXes without any problems.

2) Interface outside (192.10.10.2) on the Standby shows that monitoring is not yet started (waiting). When I check the logs on the standby PIX, I see the following error. I am not sure if I am missing something here.

Jun 6 09:16:14 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside

Jun 6 09:16:29 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside

Jun 6 09:16:44 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside

3) If I want to configure Stateful Failover instead of just the failover, using interface 3 (intf3), what is the best way of doing it?

2 Replies

mike-greene
Level 4

Hi, to answer your first question, you should shut down the interface on the primary PIX, issue a "write mem" or "write standby" command, and the interface will shut down on the standby unit. Question 2: are you using a hub or a switch for the outside interfaces? If you're using a switch, make sure spanning tree is disabled. Can you ping 192.10.10.2 from the primary PIX? Question 3: you're going to need to add an additional Ethernet interface on the primary and standby units. You then cross-connect the interfaces and use the "failover link" command to specify the interface used for stateful failover.

Hope this helps.....

skombathula
Level 1

I cannot ping on the external interface of the standby, i.e. 192.10.10.2, but am able to do so on the internal interfaces. If the problem is with the spanning tree on the switch, how are the internal interfaces able to talk? Any help in this regard is greatly appreciated.
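
An added example, not written by anyone in this thread: a small Python check that relates the %PIX-2-106016 denies to the `SH FAILOVER` output from the first post, testing whether each denied packet runs between the two units' addresses on the same interface and whether the spacing between denies equals the failover poll frequency. The function names `parse_failover` and `correlate` are my own, and the script reports the correlation only, not its cause.

```python
import re
from datetime import datetime

# Both excerpts are taken from the first post (intf3 and outside lines only).
SHOW_FAILOVER = """\
Poll frequency 15 seconds
This host: Primary - Active
Interface intf3 (10.0.0.1): Link Down (Waiting)
Interface outside (192.10.10.1): Normal
Other host: Secondary - Standby
Interface intf3 (10.0.0.2): Link Down (Waiting)
Interface outside (192.10.10.2): Normal (Waiting)
"""
SYSLOG = """\
Jun 6 09:16:14 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside
Jun 6 09:16:29 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside
Jun 6 09:16:44 192.10.20.2 %PIX-2-106016: Deny IP spoof from (192.10.10.1) to 192.10.10.2 on interface outside
"""
IF_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (.+)")
LOG_RE = re.compile(r"(\w+ +\d+ [\d:]+) \S+ %PIX-2-106016: Deny IP spoof "
                    r"from \(([\d.]+)\) to ([\d.]+) on interface (\S+)")

def parse_failover(text):
    """Return (poll_seconds, {ifname: {unit: (ip, status)}})."""
    poll = int(re.search(r"Poll frequency (\d+) seconds", text).group(1))
    unit, ifaces = None, {}
    for line in text.splitlines():
        if line.startswith(("This host:", "Other host:")):
            unit = line.split(":")[1].split("-")[0].strip()
        elif m := IF_RE.match(line.strip()):
            ifaces.setdefault(m.group(1), {})[unit] = (m.group(2), m.group(3))
    return poll, ifaces

def correlate(failover_text, syslog_text):
    """Relate 106016 denies to the failover pair and its poll timer."""
    poll, ifaces = parse_failover(failover_text)
    events = [m.groups() for m in map(LOG_RE.match, syslog_text.splitlines()) if m]
    # Syslog timestamps carry no year; 2000 is a placeholder for parsing only.
    times = [datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S") for ts, *_ in events]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    between_peers = all(
        {src, dst} == {ip for ip, _ in ifaces.get(ifname, {}).values()}
        for _, src, dst, ifname in events)
    return {
        "not_normal": sorted((u, i, s) for i, units in ifaces.items()
                             for u, (_, s) in units.items() if s != "Normal"),
        "between_failover_peers": bool(events) and between_peers,
        "gaps_seconds": gaps,
        "gaps_match_poll": bool(gaps) and all(g == poll for g in gaps),
    }

if __name__ == "__main__":
    print(correlate(SHOW_FAILOVER, SYSLOG))
```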
