PIX Failover

gavin.mckee
Level 1

Can anyone offer a suggestion to this problem? The secondary device is showing failed. I assume that this is because the hello packets are not being received on the failover interface. I think it may be a static(inside,outside) command. Is there any way of debugging this to find out what's stopping the hello command?

dub1# sh failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 22538970 (sec)
Interface dmz (192.168.67.1): Normal (Waiting)
Interface outside (217.173.100.33): Normal (Waiting)
Interface inside (172.22.66.140): Normal (Waiting)
Other host: Secondary - Standby (Failed)
Active time: 497700 (sec)
Interface dmz (192.168.67.2): Normal
Interface outside (217.x.100.x): Normal
Interface inside (172.22.66.141): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.


Yeah, 3 interfaces. I don't think there is any point in spending money on adding a new interface. We are going to move the server farms here to a data center, so the plan will be to use new firewalls... i.e. go with a self-defending network!

Gavin

Hi Gavin,

Congrats on the CCNA - the first step on a long road!

Regarding how failover works, the absolute best guide is the Cisco configuration guide for the version of software that you're running; a search of CCO should turn this up quickly - there's a whole chapter on configuring failover. If you read that in conjunction with the PIX failover document (link above) then you should have a pretty good idea of how it all works, how to configure it, and what to do if something goes wrong.

In a nutshell, because the PIXes share a config you need a method of giving the standby box a different IP - that method is the "failover ip" command. The standby box knows it's the standby because it has a cable end marked "standby" plugged into it (that's really how it works - the serial cable defines which box is the primary and which is the secondary). The active PIX always has the interface-defined IP and the standby PIX always has the failover IP - they swap IPs in a failover situation.

Your original posting of the show failover command showed that all the PIX hardware looked OK - all the interfaces on both PIXes are up (and the IPs all look fine!), hence the suggestion to try "failover reset". If the LAN interfaces can't send/receive hellos then the standby will just fail again - in that case you need to investigate the connectivity between the LAN interfaces on the boxes.

I notice that you're running 6.1 - that's a really old version, so I'd think about upgrading if at all possible (although you might need more RAM/flash/etc.) - and for the final point about whether you need an extra interface, the answer is a qualified yes. (You can actually configure failover on a data interface, but it's really not recommended, and as of PIX 7.0 the ability to do this is removed.)

Off home now.

HTH - please rate posts if useful!

Andrew.
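As an added example (not from the thread or from Cisco), here is a small Python parser for the show failover listing Gavin posted: it flags a peer reported as Failed and lists the interfaces on this unit still marked "(Waiting)", i.e. ones that have not yet received a hello from the peer's matching interface, which is exactly where Andrew says to look for a connectivity problem. The sample input is a constructed, abbreviated copy of the thread's output; the dictionary layout and the diagnose() wording are this example's own choices.

```python
import re

# Constructed sample: an abbreviated copy of the "show failover" listing from the thread above.
SAMPLE = """\
Failover On
Cable status: Normal
This host: Primary - Active
Interface dmz (192.168.67.1): Normal (Waiting)
Interface outside (217.173.100.33): Normal (Waiting)
Interface inside (172.22.66.140): Normal (Waiting)
Other host: Secondary - Standby (Failed)
Interface dmz (192.168.67.2): Normal
Interface outside (217.x.100.x): Normal
Interface inside (172.22.66.141): Normal
"""

# "This host: Primary - Active" / "Other host: Secondary - Standby (Failed)"
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
# "Interface inside (172.22.66.140): Normal (Waiting)"; the parenthesised note is optional
IFACE_RE = re.compile(r"^Interface (\S+) \(([\w.]+)\): (\w+)(?: \((\w+)\))?$")

def parse_show_failover(text):
    """Return {'this': {...}, 'other': {...}}: unit role, state and per-interface status."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = "this" if m.group(1) == "This" else "other"
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, status, note = m.groups()
            hosts[current]["interfaces"][name] = {"ip": ip, "status": status, "note": note}
    return hosts

def diagnose(hosts):
    """Flag a failed peer and list this unit's interfaces still waiting for a hello from it."""
    findings = []
    other = hosts.get("other", {})
    if "Failed" in other.get("state", ""):
        findings.append("peer %s reports %s" % (other["unit"], other["state"]))
    this_ifaces = hosts.get("this", {}).get("interfaces", {})
    waiting = sorted(n for n, i in this_ifaces.items() if i["note"] == "Waiting")
    if waiting:
        findings.append("no hello yet received on: " + ", ".join(waiting))
    return findings
```

Running diagnose(parse_show_failover(SAMPLE)) on the thread's listing reports the failed Secondary and all three data interfaces as waiting, which is the pattern Andrew describes for a standby that will keep failing until the LAN path between the units is fixed.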

Thanks again Andrew, I'll take your advice and look forward to upgrading. I purchased the Cisco ASA and PIX Firewall Handbook which covers 7.0, so I may start migrating the config file piece by piece.

Thanks again for all of your help.

Have a great weekend.

Gav

Can you ping interface inside 172.22.66.141?
