06-06-2007 06:43 AM - edited 03-11-2019 03:25 AM
Hi.
My customer has 2 PIX 515e boxes. He has not configured any failover IP addresses. In the output of show failover, all the interfaces are in waiting state. BUT the failover is still working. It is weird because the configuration does not have any failover IPs configured.
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 23:15:21 IST Sat Jun 2 2007
This host: Primary - Active
Active time: 145650 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x)(Waiting)
Interface intf2 (x.x.x.x) Link Down (Shutdown)
Interface intf3 (x.x.x.x): Normal (Waiting)
Interface intf4 (127.0.0.1): Link Down (Shutdown)
Interface intf5 (127.0.0.1): Link Down (Shutdown)
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Shutdown)
Interface intf3 (0.0.0.0): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
The configuration is:
failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
We tested by switching off the primary PIX, and to my surprise the standby PIX took the IP addresses of the primary and traffic was flowing normally. Please let me know if this is normal.
06-08-2007 10:10 AM
I will have to preface this with saying "I believe", as I am not 100% on my answer:
Then, "it depends".
If you have the Serial Failover cable attached, then even without a Failover IP address configured, the two PIX boxes will "know" each other, and keep their configurations synchronized. If you shut down the primary PIX, the failover box will see the loss, and take over as the primary. They will NOT have any State or Session activity, so current connections will drop, and need to be re-established. Adding the failover interface and cables will allow State information to be maintained, so connections will not drop. (Important for Citrix or Mainframe connectivity.)
If there is no Failover cable attached, then this would not be normal.
HTH.
Russ
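An added example, not part of either post: a small parser for `show failover` output in the shape pasted in the question, which lists the interfaces on this unit that sit in Waiting while the other unit reports 0.0.0.0 for them. The sample text is constructed from the posted output, and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the `show failover` output posted above.
SAMPLE = """\
This host: Primary - Active
Active time: 145650 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x)(Waiting)
Interface intf2 (x.x.x.x) Link Down (Shutdown)
Other host: Secondary - Standby
Active time: 0 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf2 (0.0.0.0): Link Down (Shutdown)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(\w+)")
# Name, address, optional ':' and link text, then the state in parentheses.
# The link text is optional because one posted line omits it entirely.
IFACE_RE = re.compile(
    r"^Interface\s+(\S+)\s+\(([^)]*)\):?\s*([^()]*?)\s*\(([^)]*)\)\s*$")

def parse_show_failover(text):
    """Return {'This': {...}, 'Other': {...}} with role, state and interfaces."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, addr, link, state = m.groups()
            current["interfaces"][name] = {
                "address": addr, "link": link or None, "monitor": state}
    return hosts

def waiting_without_peer_address(hosts):
    """Interfaces on this unit in 'Waiting' whose peer entry shows 0.0.0.0."""
    peer = hosts.get("Other", {}).get("interfaces", {})
    mine = hosts.get("This", {}).get("interfaces", {})
    return [name for name, info in mine.items()
            if info["monitor"] == "Waiting"
            and peer.get(name, {}).get("address") == "0.0.0.0"]

if __name__ == "__main__":
    print(waiting_without_peer_address(parse_show_failover(SAMPLE)))
```

Interfaces reported as Shutdown are left out of the result, so only the ones that are up and still in Waiting are listed.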