Stateful Failover

t.harness
Level 1

I have a set of 520s that I had Stateful Failover running fine on. I upgraded to 6.3 code and moved from conduits to access-lists. Now I can't seem to get failover to work properly again. When I bring up the Secondary unit everything checks out fine, except the stateful interface stays in (waiting) mode; then after the polling period it takes over as the active unit. Then they repeat and the Primary takes over after the 30 seconds or whatever it is. I got two new 515s in and I am getting the same thing with these. I have it configured the same way as I did when it was working. Am I missing something new in 6.3? I did it just like it says in the documentation. I'm lost here...HELP

Thanks

Tim

5 Replies

ehirsel
Level 6

How are your stateful failover links defined and connected? Directly between PIXes using a cross-over cable, or through a layer 2/3 switch? Also, is the PIX interface configured for failover a dedicated interface? And how is that interface configured for duplex and speed settings?

Did you notice anything interesting in the logs of the PIXes with regard to failover or interface operation?

Thanks for your quick reply. I have a direct connection between them with a crossover cable. The interface is dedicated, and I have it configured as the failover link stateful (interface name is stateful). I have an IP of 127.0.0.5 for the active and 127.0.0.6 for the failover interface. I used to have it set at auto, but when I upgraded I changed it to 100full. I then tried going back to auto, just to see if that was doing it, even though I know it is recommended to be at 100full. Either way it did the same thing. On the new firewalls that I am testing on I am getting a "110001: no route to 127.0.0.6 from 127.0.0.5" error. Which I thought maybe I found it!! But since the stateful interface is assigned to that network I shouldn't have to put a route statement in, and even when I try to it doesn't show up in the config and it still gives me the same error. Do you think it might have something to do with that IP? It worked before with that one, but maybe 6.3 is different?

Thanks

Tim

Well, I have now changed the IP on the stateful interface to a 172.16 address instead of the 127.0.0.0 address, and it is now working fine. Does anyone know if there is a problem now with using a 127.x.x.x address for the stateful interface?

Tim

The 127.0.0.X network is considered a bogon (bogus outside network) address space. Based on your description, I would guess that we added some changes to later code to prevent the use of 127.0.0.X addresses on interfaces. In general, it is required that you assign routable addresses to each interface on the two failover PIXes. Each interface does need to send packets to the like interface on the opposite PIX. Hope this helps.

Scott

Address 127.0.0.x is generally a "loopback" address to my own machine.
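A pre-deployment sanity check for the failover-link address pair discussed in this thread (added example, not part of the original thread or of any Cisco tooling): it rejects addresses in the loopback range and other reserved space that a routable interface address should never fall in, and confirms that the two units' addresses share the link subnet so each can reach the like interface on the opposite unit. The address values and masks below are constructed from the thread.

```python
import ipaddress

# Reserved ranges a PIX (or any router) interface address must never fall in.
# 127.0.0.0/8 is the loopback net the thread ran into; the rest are further
# non-routable or special-purpose ranges worth rejecting at the same time.
RESERVED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved / limited broadcast
)]


def check_failover_link(active_ip: str, standby_ip: str, netmask: str) -> list[str]:
    """Return a list of problems with a failover-link address pair; empty means OK.

    active_ip / standby_ip are the addresses on the same dedicated interface of
    the primary and secondary unit; netmask is the dotted mask for that link.
    """
    problems = []
    active = ipaddress.ip_address(active_ip)
    standby = ipaddress.ip_address(standby_ip)

    # 1. Neither end may sit in reserved / bogon space.
    for addr, role in ((active, "active"), (standby, "standby")):
        for net in RESERVED_RANGES:
            if addr in net:
                problems.append(f"{role} address {addr} lies in reserved range {net}")

    # 2. The two ends must be distinct hosts on one subnet, or the unit
    #    will log a "no route to <peer>" style error for the stateful link.
    if active == standby:
        problems.append("active and standby addresses are identical")
    link = ipaddress.ip_network(f"{active}/{netmask}", strict=False)
    if standby not in link:
        problems.append(f"standby {standby} is not in link subnet {link}")
    for addr, role in ((active, "active"), (standby, "standby")):
        if addr in (link.network_address, link.broadcast_address):
            problems.append(f"{role} address {addr} is the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the original failing pair and the working replacement.
    for pair in (("127.0.0.5", "127.0.0.6"), ("172.16.1.5", "172.16.1.6")):
        print(pair, check_failover_link(*pair, "255.255.255.0") or "OK")
```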