Solved: Re: Pix Firewall 515e

miguel · ‎09-07-2010

Hello,

I have a client with PIX 515e that is licensed as Failover Only Active/Standby. The main firewall is completely dead. I can get things up and running again by failover active command but after a reboot or after a period of time it goes back to standby. Can this unit remain the main active unit?

Cheers and thanks.

Miguel

bknoblau · ‎09-07-2010

Miguel,

As per cisco documentation:

1.) The PIX Firewall failover-only unit is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays at the console.

=========================NOTICE ==========================

       This machine is running in secondary mode without

       a connection to an active primary PIX. Please

        check your connection to the primary system.

               REBOOTING....

==========================================================

2.) If a failover-only PIX Firewall is not attached to a failover connection or is attached to the primary end of a Failover cable, then it will hang at boot time. It should be a secondary unit.

Hope this helps,

BK

View solution in original post

miguel · ‎09-07-2010

p.s. let me clarify, what I mean by a period of time is not correct. So long as power as power and ethernet activity is good the unit remains active. We have bad storms here for the last few days and when the power goes out and UPS drains, the unit power down. The next AM, I have to set up the unit active again. Will this behavior continue until we replace the primary unit or can this unit be permanently set up as the active unit in a single unit environment?

bknoblau · ‎09-07-2010

Miguel,

As per cisco documentation:

1.) The PIX Firewall failover-only unit is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays at the console.

=========================NOTICE ==========================

       This machine is running in secondary mode without

       a connection to an active primary PIX. Please

        check your connection to the primary system.

               REBOOTING....

==========================================================

2.) If a failover-only PIX Firewall is not attached to a failover connection or is attached to the primary end of a Failover cable, then it will hang at boot time. It should be a secondary unit.

Hope this helps,

BK

miguel · ‎09-07-2010

Thank you for your answer.

One last one: Why would it go into standby mode after the reboot or after power out? I don't mind it rebooting every 24 hours but it comes back in standby mode and thus all in/out traffic does not work. Is this expected behavior or am I doing something wrong?

Miguel

golly_wog · ‎09-07-2010

enter the failover command and then save the config.

I did all my CCSP studies on one of these and it never went into standby.

miguel · ‎09-07-2010

Hello Golly,

I did the failover active command to get it back out of standby and then I did a write command to save the config but it comes back into stanby after a restart. I have done this several times but no joy.

Tks

golly_wog · ‎09-07-2010

Mate

Sorry to be a pain, but I am sure that this is possible - I had this running, that protected a wesite i did for my mate, I had it rebooting at midnight and would come back up cleanly.

Is there any chance you can post your config please - specifically the failover part. I'm wondering if you have it set as standby, whereas from memory I did a "clear config all", then just ran "failover" and volia!

I've flogged the unit on ebay, so can't check. Sorry

Nagaraja Thanthry · ‎09-07-2010

Hello Golly,

What you said is correct as long as the secondary device took over the

active role when the primary device (with UR license) was connected and it

went down. If you are trying to configure the FO device by itself, then it

will not work.

Regards,

NT

golly_wog · ‎09-08-2010

Hi NT

I'm positive that it did mate - it would reboot every 24 hours though.

From memory I was running 7.2.

It was a 515, not 515E, but I guess that is incedental...?

From memory I need to get this to failover, that is why I said it needed it, basically unless this is activated no config would take effect.

From memory when it booted it would then detect no mate and switch to active.

My brain is getting old, but some stuff I can just about recall :-)

cheers

miguel · ‎09-07-2010

Hello All,

I'm not sure how the standby unit switched over (gracefully or abruptly) or where the original active unit is. This is a new client that called out of the blue and I guess I will find out more tomorrow.

Thanks again for the courtesy and professionalism. Great forum!

Nagaraja Thanthry · ‎09-07-2010

Hello Miguel,

Also, if it is viable, you can just install a new license to convert the

existing firewall to standalone mode. If it is working as standalone, even

Restricted license could work.

Regards,

NT

miguel · ‎09-07-2010

p.s. thank you all for your answers and support. This is a very nice and professional group. Great forum Cisco.