Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
6
Replies

[pix transparent mode failover]

Carlos A. Silva
Level 3
Level 3

‎05-31-2006 04:29 PM - edited ‎02-21-2020 12:56 AM

i'm testing failover with transparent mode and it seems to work fine when the active box goes down.

but i've been wondering if a 'monitor-interface' scenario is supposed to work with transparent mode. i actually tested this and it doesn't.

what i would like to happen is that if i have an active/standby pix scenario in transparent mode; when i disconnect (say) the outside interface, the active pix detects the 'link down'. i was hoping this would cause a failover event from active to standby, but it doesn't.

i'm aware that a monitor-interface scenario is somewhat L3 based, so a pix routed mode comes in handy. but i've been trying to get this to work and the active pix, just won't failover when in transparent mode.

anybody have an answer on this issue?

regards,

c.

0 Helpful
6 Replies 6

dentt
Level 1
Level 1

‎06-01-2006 11:30 AM

Do you have a copy of your config? Failover is possible in transparent mode. I suspect something in your failover config is not setup correctly.

0 Helpful

Carlos A. Silva
Level 3
Level 3
In response to dentt

‎06-01-2006 01:32 PM

my config only has the the basic failover commands and monitor interface commands. please keep in mind that in routed mode, failover works properly. i'm particularly interested in failover caused by an interface going down, instead of the whole active pix.

here's the config, thanks a lot!

firewall transparent

names

!

interface Ethernet0

description out

speed 100

duplex full

nameif outside

security-level 0

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

!

interface Ethernet2

description LAN/STATE Failover Interface

!

[snip]

hostname PIX

domain-name itesm.mx

boot system flash:/pix702.bin

ftp mode passive

access-list inside extended permit ip any any

access-list outside extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address 10.0.0.3 255.255.255.0

failover

failover lan unit primary

failover lan interface folink Ethernet2

failover polltime interface 3

failover interface-policy 50%

failover link folink Ethernet2

failover interface ip folink 10.0.1.1 255.255.255.0 standby 10.0.1.2

monitor-interface outside

monitor-interface inside

no asdm history enable

arp timeout 14400

access-group outside in interface outside

access-group inside in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

[snip]

0 Helpful

dentt
Level 1
Level 1
In response to Carlos A. Silva

‎06-02-2006 06:12 AM

You have the line:

failover interface-policy 50%

This means that 50% of the interfaces need to go down to achieve a failover. I think this is your issue. Change this to:

failover interface-policy 1

...or just remove the line since the default is to failover on one interface failure.

Let me know how this works for you. Rate if it works and solves your issue!

0 Helpful

Carlos A. Silva
Level 3
Level 3
In response to dentt

‎06-02-2006 06:31 AM

actually, dennt. this is an old configuration capture (i didn't have one with all the things i've tried).

i have used that command you suggested.

i also tried 'failover interface-policy 1%'.

i might open a case and see what the tac has to say about it.

thanks a lot!

c.

0 Helpful

soc
Level 1
Level 1
In response to Carlos A. Silva

‎09-06-2006 06:50 AM

the proble with thsi config is you are missing the secondary manangement address

the command

ip address 10.0.0.3 255.255.255.0

should be

ip address 10.0.0.3 255.255.255.0 standby 10.0.0.4

the 10.0.0.4 will be the failover ip address from the secondary firewall.

The failover policy command determine when to trigger failover.

Regards

0 Helpful

soc
Level 1
Level 1

‎09-06-2006 06:53 AM

also do not forget to add a default route

route outside 0 0 10.0.0.20 (if thei is you default route)

Note the management ip addresses and the default route must be in the same network .

eg from your config 10.0.0.0 network

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card