Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
460
Views
0
Helpful
5
Replies

Stateful Failover

t.harness
Level 1
Level 1

‎04-16-2004 07:14 AM - edited ‎03-09-2019 07:05 AM

I have a set of 520's that I had Stateful Failover running fine on. I upgraded to 6.3 code and moved from conduits to access-list. Now I can't seem to get failover to work properly again. When I bring up the Secondary unit everything checks out fine except the stateful interface stays in (waiting) mode then after the polling period it takes over as active unit. Then they repeat and the Primary takes over after the 30 seconds or whatever it is. I got two new 515's in and I am getting the same thing with these. I have it configured the same way as I did when it was working. Am I missing something new in 6.3? I did it just like it says in the documentation. I'm lost here...HELP

Thanks

Tim

Labels:
0 Helpful
5 Replies 5

ehirsel
Level 6
Level 6

‎04-16-2004 08:16 AM

How are your stateful failover links defined and connected? Direct between pixes using cross-over cable or thru a layer 2/3 switch? Also is the pix interface configured for failover a dedicated interface? And how is that interface configured for duplex and speed settings?

Did you notice anything interesting in the logs of the pixes with regards to failover or interface operation?

0 Helpful

t.harness
Level 1
Level 1
In response to ehirsel

‎04-16-2004 08:34 AM

Thanks for yor quick reply. I have a direct connection between them with a crossover cable. The interface is dedicated, and I have it configured as the failover link stateful (interface name is stateful) I have an ip of 127.0.0.5 for the active, 127.0.0.6 for the failover interface. I used to have it set at auto, but then when I upgraded it I changed it to 100full. I then tried going back to auto, just to see if that was doing it even though I know it is recomendend to be at 100full. Either way it did the same thing. On the new firewalls that I am testing on I am getting a "110001: no route to 127.0.0.6 from 127.0.0.5" error. Which I thought maybe I found it!! But being that the stateful interface is assigned to that network I shouldn't have to put a route statement in, and even when I try to it doesn't show up in the config and it stills gives me the same error. Do you think it might have something to do with that IP? It worked before with that one, but maybe 6.3 is different?

Thanks

Tim

0 Helpful

t.harness
Level 1
Level 1
In response to t.harness

‎04-19-2004 06:20 AM

Well I have now changed the IP on the stateful interface to a 172.16 address instead of the 127.0.0.0 address, and it is now working fine. Does anyone know if there is a problem now with using the 127.x.x.x address for the stateful interface?

Tim

0 Helpful

scoclayton
Level 7
Level 7
In response to t.harness

‎04-19-2004 05:46 PM

The 127.0.0.X network is considered a bogon (bogus outside network) address space. Based on your descriptions, I would guess that we added some changes to later code to prevent the use of 127.0.0.X addresses on interfaces. In general, it is required that you assign routable addresses to each interface on the 2 failover PIX's. Each interface does need to send packets to the like interface on the opposite PIX. Hope this helps.

Scott

0 Helpful

jerry.marsh
Level 1
Level 1
In response to t.harness

‎04-20-2004 12:49 PM

Address 127.0.0.x is generally a "loopback" address to my own machine.

0 Helpful
Customers Also Viewed These Support Documents