02-23-2009 03:55 PM - edited 03-11-2019 07:55 AM
We are using PIX 515E with version 7.2(3) and we configured stateful failover between two PIX 515E,
and it's working fine, but my query is: when I give the command sh failover it shows only the primary unit's IP on all interfaces but not the secondary unit's.
Please refer to the below show command output for your reference:
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 3 seconds, holdtime 9 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 23:34:03 UTC Feb 23 2009
This host: Primary - Active
Active time: 1371 (sec)
Interface outside (x.x.119.179): Normal (Waiting)
Interface inside (x.195.21.2): Normal (Waiting)
Interface inside2 (10.195.1.254): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface inside2 (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : STATE Ethernet3 (up)
Stateful Obj xmit xerr rcv rerr
General 4100 0 168 0
sys cmd 168 0 168 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 615 0 0 0
UDP conn 67 0 0 0
ARP tbl 3246 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 3 0 0 0
VPN IPSEC upd 3 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 588
Xmit Q: 0 8 9774
02-23-2009 08:05 PM
(Waiting) suggests hellos were not received, so failover monitoring has not begun.
This happens when failover has not started to monitor the network interfaces. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the other unit on that interface. This takes about 30 seconds. If the unit is attached to a network switch that runs Spanning Tree Protocol (STP), this takes twice the "forward delay" time configured in the switch (typically configured as 15 seconds), plus this 30 second delay. This is because at PIX bootup and immediately following a failover event, the network switch detects a temporary bridge loop. Upon detection of this loop, it stops forwarding packets on these interfaces for the "forward delay" time. It then enters the "listen" mode for an additional "forward delay" time, during which the switch listens for bridge loops but does not forward traffic (and thus does not forward failover "hello" packets). After twice the forward delay time (30 seconds), traffic resumes flowing. Each PIX remains in "waiting" mode until it hears 30 seconds worth of "hello" packets from the other unit. During the time the PIX is passing traffic, it does not fail the other unit based on not hearing the "hello" packets. All other failover monitoring still occurs (that is, Power, Interface Loss of Link, and Failover Cable "hello").
Cisco strongly recommends that customers enable portfast on all switch ports that connect to PIX interfaces. In addition, channeling and trunking need to be disabled on these ports. Thus, if the interface of the PIX goes down during failover, the switch does not have to wait 30 seconds while the port transitions from a listening to learning to forwarding state.
Try and apply your commands again:
On the primary PIX, configure these commands:
ip address stateful-fo x.x.x.1 255.255.255.0
interface ethernetX 100full
failover ip address stateful-fo x.x.x.2
failover link stateful-fo
On the secondary PIX, configure this:
ip address stateful-fo x.x.x.2 255.255.255.0
nameif ethernetX stateful-fo security30
interface ethernetX 100full
Check the switch/cables in between.
Reload... ;-)
Hope that helped.
02-24-2009 05:14 AM
Thanks for your reply,
but the failover is working fine when I switch off the primary unit. In our existing network we set up the failover with version 6.3: I have given the command # failover ip outside xxxx xxxx, and when I give #show failover it shows all the primary interface IPs and all the secondary interface IPs.
PIX Version 7.2(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x19.179 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.x.21.2 255.255.255.0
!
interface Ethernet2
nameif inside2
security-level 80
ip address 10.x.1.254 255.255.255.0
!
interface Ethernet3
description STATE Failover Interface
speed 100
duplex full
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
failover
failover polltime unit 3 holdtime 9
failover link STATE Ethernet3
failover interface ip STATE 172.16.35.1 255.255.255.0 standby 172.16.35.2
In 7.2 it shows only the primary unit IPs and the stateful interface IP.
I don't know if it's normal or if I need to do some other config.
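A small health check for the kind of "show failover" output posted in this thread, written as an added example (not from the original posts or from Cisco). It parses the per-host interface lines and flags two conditions: interfaces still in (Waiting), which the reply above attributes to failover hellos not yet received, and 0.0.0.0 addresses on the other host's interfaces, which is consistent with no standby address being configured for those interfaces (the posted config sets a standby address only on the STATE link). The sample text is a constructed, trimmed copy of the output from the first post.

```python
import re

# Constructed sample: trimmed copy of the "show failover" output posted above.
SAMPLE = """\
Failover On
This host: Primary - Active
Interface outside (x.x.119.179): Normal (Waiting)
Interface inside (x.195.21.2): Normal (Waiting)
Interface inside2 (10.195.1.254): Normal (Waiting)
Other host: Secondary - Standby Ready
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface inside2 (0.0.0.0): Normal (Waiting)
"""

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
# "Interface inside (10.195.1.254): Normal (Waiting)"; the trailing flag is optional
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]*)\): (\S+)(?: \((\w+)\))?$")


def parse_failover(text):
    """Return {"This"|"Other": {iface: (addr, state, flag)}} from show failover output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, addr, state, flag = m.groups()
            hosts[current][name] = (addr, state, flag)
    return hosts


def check_failover(text):
    """Return findings an operator should act on; empty list means the pair looks healthy."""
    findings = []
    for host, ifaces in parse_failover(text).items():
        for name, (addr, state, flag) in ifaces.items():
            if flag == "Waiting":
                findings.append(f"{host} host {name}: monitoring not started (Waiting)")
            if host == "Other" and addr == "0.0.0.0":
                findings.append(f"{host} host {name}: no standby address shown")
    return findings
```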