06-27-2003 05:57 PM - edited 02-20-2020 10:49 PM
PIX 535, OS 6.3.1
Following a failover we are observing that some of the interfaces on the primary and secondary PIX are in Normal (Waiting) status. In the log, we see that those interfaces are continuously undergoing the testing process.
I know the interface will go into "testing" mode if it does not receive hellos from the other unit within a specified time. The interface status will be "waiting" if the interface receives one hello and is waiting for the second hello.
However, what concerns me is that the interfaces are continuously in testing mode and showing waiting status. Any ideas what could be the problem? Are there network connectivity issues preventing the hellos from reaching the other units, or has the PIX interface gone bad?
Thanks for any help!!
pixfirewall# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Secondary - Active
Active time: 563565 (sec)
Interface outside (x.x.x.x): Normal
Interface inside (x.x.x.x): Normal
Interface State (x.x.x.x): Normal (Waiting)
Interface XO (x.x.x.x): Normal (Waiting)
Interface DMZ_Web (x.x.x.x): Normal (Waiting)
Interface VPN (x.x.x.x): Normal
Other host: Primary - Standby
Active time: 14400 (sec)
Interface outside (x.x.x.x): Normal
Interface inside (x.x.x.x): Normal
Interface State (0.0.0.0): Normal (Waiting)
Interface XO (0.0.0.0): Normal (Waiting)
Interface DMZ_Web (x.x.x.x): Normal (Waiting)
Interface VPN (x.x.x.x): Normal
2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-104004: (Primary) Switching to OK.
2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 5 waiting
2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 1 waiting
2003-06-26 07:12:58 Kernel.Alert 192.168.31.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 0 waiting
2003-06-26 07:12:59 Kernel.Alert 192.168.31.2 Jun 26 2003 07:12:59: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:03 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:03: %PIX-1-105009: (Secondary) Testing on interface 4 Passed
2003-06-26 07:13:13 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:13: %PIX-1-104004: (Primary) Switching to OK.
2003-06-26 07:13:13 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:13: %PIX-1-104004: (Primary) Switching to OK.
2003-06-26 07:13:18 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:18: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:20 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:20: %PIX-1-105009: (Secondary) Testing on interface 4 Passed
2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 5 normal
2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 1 normal
2003-06-26 07:13:28 Kernel.Alert 192.168.31.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 0 normal
2003-06-26 07:13:35 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:35: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:39 Kernel.Alert 192.168.31.2 Jun 26 2003 07:13:39: %PIX-1-105009: (Secondary) Testing on interface 4 Passed
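Added example, not part of the original post: a small Python parser for syslog lines in the format shown above that flags any unit/interface pair which keeps re-entering interface testing. The sample lines, addresses, function names and the threshold of three tests in 60 seconds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the post's syslog format (not the poster's log).
SAMPLE = """\
2003-06-26 07:12:58 Kernel.Alert 192.0.2.3 Jun 26 2003 07:12:58: %PIX-1-105003: (Primary) Monitoring on interface 1 waiting
2003-06-26 07:12:59 Kernel.Alert 192.0.2.2 Jun 26 2003 07:12:59: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:03 Kernel.Alert 192.0.2.2 Jun 26 2003 07:13:03: %PIX-1-105009: (Secondary) Testing on interface 4 Passed
2003-06-26 07:13:18 Kernel.Alert 192.0.2.2 Jun 26 2003 07:13:18: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:28 Kernel.Alert 192.0.2.3 Jun 26 2003 07:13:28: %PIX-1-105004: (Primary) Monitoring on interface 1 normal
2003-06-26 07:13:35 Kernel.Alert 192.0.2.2 Jun 26 2003 07:13:35: %PIX-1-105008: (Secondary) Testing Interface 4
2003-06-26 07:13:39 Kernel.Alert 192.0.2.2 Jun 26 2003 07:13:39: %PIX-1-105009: (Secondary) Testing on interface 4 Passed
"""

LINE = re.compile(r"^(\S+ \S+) \S+ \S+ .*%PIX-\d-(\d{6}): \((\w+)\) (.*)$")
EVENTS = {"105003": "waiting", "105004": "normal",
          "105008": "test_start", "105009": "test_passed"}

def parse_events(text):
    """Return (time, unit, interface, event) for each monitoring message."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) not in EVENTS:
            continue  # e.g. 104004 "Switching to OK" names no interface
        iface = re.search(r"[Ii]nterface (\d+)", m.group(4))
        if iface:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group(3), int(iface.group(1)), EVENTS[m.group(2)]))
    return out

def retesting(events, min_tests=3, window_s=60):
    """Flag (unit, interface) pairs starting >= min_tests tests within window_s."""
    starts = defaultdict(list)
    for ts, unit, iface, ev in events:
        if ev == "test_start":
            starts[(unit, iface)].append(ts)
    flagged = {}
    for key, times in starts.items():
        times.sort()
        best = lo = 0
        for hi in range(len(times)):  # sliding window over test start times
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_tests:
            flagged[key] = best
    return flagged
```

Calling `retesting(parse_events(SAMPLE))` on the constructed sample returns `{("Secondary", 4): 3}`; the Primary's interface 1 only moves from waiting to normal and is not flagged.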
06-30-2003 07:47 PM
Started to post a question, then found that you beat me to it. Only difference is that on my 535's it is only the outside and stateful interfaces. Also I am running 6.22. I have changed cables and ports on the switch. Anyone have any ideas as to the cause?
Thanks,
Scott
07-01-2003 04:56 AM
Scott,
Let me know if you find a cause or solution to this issue.
Thanks,
Partha
07-03-2003 09:14 AM
Are these interfaces in auto-negotiation mode or static to 100full or 100half?
Are the standby/failover IP-addresses set correctly?
Please show the interface and failover config.
07-03-2003 10:50 AM
The interfaces on PIX and also the switch ports are hardcoded to 100full.
Below is the failover config. Thanks!!
ip address outside 67.107.232.222 255.255.255.0
ip address inside 192.168.50.2 255.255.255.0
ip address State 215.43.48.34 255.255.255.224
no ip address XO
ip address DMZ_Web 192.168.13.10 255.255.255.0
ip address VPN 192.168.79.223 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 67.107.232.223
failover ip address inside 192.168.50.3
failover ip address State 215.43.48.35
no failover ip address XO
failover ip address DMZ_Web 192.168.13.11
failover ip address VPN 192.168.79.224
ip address outside 67.107.232.222 255.255.255.0
ip address inside 192.168.50.2 255.255.255.0
ip address State 215.43.48.34 255.255.255.224
no ip address XO
ip address DMZ_Web 192.168.13.10 255.255.255.0
ip address VPN 192.168.79.223 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 67.107.232.223
failover ip address inside 192.168.50.3
failover ip address State 215.43.48.35
no failover ip address XO
failover ip address DMZ_Web 192.168.13.11
failover ip address VPN 192.168.79.224
07-09-2003 08:14 AM
Same for my setup. Both Catalyst and Pix 535 are hard coded.
08-12-2003 08:59 PM
In my scenario, the customer had the cables connected to the wrong switch ports. Corrected that and it's been fine now.