
can't ping from inside to PIX - failover only


kinkytrey

Programmer
Jun 2, 2006
7
US
Our network has had a single PIX 520 on it for years. Convinced management we should set up a failover pair. Bought a pair of matched 520's that I had configured at my last job and they had run flawlessly for years there.

Reconfigured the new pair with the config from the single PIX. Configured a switch into 4 VLANs (outside, inside, dmz1, failover) and hooked up the failover PIXen.

From the PIX I CAN ping the outside router and beyond and I can ping into the inside network.

I CANNOT ping from the inside to the PIX consistently. In fact it seems like right after a reload of the PIX I can ping the inside interface from the inside a few times, but it stops quickly.

We've tried 2 different 'failover' switches - same prob. The main network switch is a stacked pair of Dell PowerConnect 3348's all ports set to 100auto. The failover switch is a BayStack 350 24-T.

If I turn off failover (and connect directly to the Primary PIX) all is well. It's only when we put the failover switch inline and enable failover that this problem occurs.

We suspect it's an issue with matching the hardware speeds of the PIX inside interface/failover switch/LAN switch but want to know if someone can see something in our config that might be the culprit. We can't test interfaces again until tomorrow.

(The 100baset hw speeds you see on ethernet0 and ethernet1 work, as does 100full.)

TIA

Code:
PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 failover security10
enable password blah encrypted
passwd blah encrypted
hostname host
domain-name ourdomain.com
fixup protocol dns
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host my.public.net.252 eq pcanywhere-data
access-list acl_out permit udp any host my.public.net.252 eq pcanywhere-status
access-list acl_out permit tcp any host my.public.net.252 eq www
access-list acl_out permit udp any host my.public.net.252 eq www
access-list acl_out permit tcp any host my.public.net.252 eq lotusnotes
access-list acl_out permit udp any host my.public.net.252 eq 1352
access-list acl_out permit tcp any host my.public.net.252 eq smtp
access-list acl_out permit tcp any host my.public.net.253 eq pcanywhere-data
access-list acl_out permit udp any host my.public.net.253 eq pcanywhere-status
access-list acl_out permit tcp any host my.public.net.253 eq www
access-list acl_out permit udp any host my.public.net.253 eq www
access-list acl_out permit tcp any host my.public.net.253 eq lotusnotes
access-list acl_out permit udp any host my.public.net.253 eq 1352
access-list acl_out permit tcp any host my.public.net.253 eq smtp
access-list acl_out permit tcp any host my.public.net.251 eq www
access-list acl_out permit udp any host my.public.net.251 eq www
access-list acl_out permit tcp any host my.public.net.251 eq pcanywhere-data
access-list acl_out permit udp any host my.public.net.251 eq pcanywhere-status
access-list acl_out permit tcp any host my.public.net.251 eq ftp
access-list acl_out permit tcp any host my.public.net.251 eq ftp-data
access-list acl_out permit udp any host my.public.net.251 eq 20
access-list acl_out permit udp any host my.public.net.251 eq 21
access-list acl_out permit tcp any host my.public.net.107 eq h323
access-list acl_out permit tcp any host my.public.net.107 eq 3230
access-list acl_out permit tcp any host my.public.net.107 eq 3231
access-list acl_out permit tcp any host my.public.net.107 eq 3232
access-list acl_out permit tcp any host my.public.net.107 eq 3233
access-list acl_out permit tcp any host my.public.net.107 eq 3234
access-list acl_out permit tcp any host my.public.net.107 eq 3235
access-list acl_out permit udp any host my.public.net.107 eq 3230
access-list acl_out permit udp any host my.public.net.107 eq 3231
access-list acl_out permit udp any host my.public.net.107 eq 3232
access-list acl_out permit udp any host my.public.net.107 eq 3233
access-list acl_out permit udp any host my.public.net.107 eq 3234
access-list acl_out permit udp any host my.public.net.107 eq 3235
access-list acl_out permit tcp any host my.public.net.107 eq 1503
access-list acl_out permit tcp any host my.public.net.108 eq pcanywhere-data
access-list acl_out permit udp any host my.public.net.108 eq pcanywhere-status
access-list acl_out permit tcp any host my.public.net.109 eq pcanywhere-data
access-list acl_out permit udp any host my.public.net.109 eq pcanywhere-status
access-list acl_out permit tcp any host my.public.net.253 eq 2080
access-list acl_out permit udp any host my.public.net.253 eq 2080
access-list acl_out permit tcp any host my.public.net.253 eq 27000
access-list acl_out permit tcp any host my.public.net.253 eq 27001
access-list acl_out permit tcp any host my.public.net.253 eq 27002
access-list acl_out permit tcp any host my.public.net.253 eq 27003
access-list acl_out permit tcp any host my.public.net.253 eq 27004
access-list acl_out permit tcp any host my.public.net.253 eq 27005
access-list acl_out permit tcp any host my.public.net.253 eq 27006
access-list acl_out permit tcp any host my.public.net.253 eq 27007
access-list acl_out permit tcp any host my.public.net.253 eq 27008
access-list acl_out permit tcp any host my.public.net.253 eq 27009
access-list acl_out permit udp any host my.public.net.253 eq 27000
access-list acl_out permit udp any host my.public.net.253 eq 27001
access-list acl_out permit udp any host my.public.net.253 eq 27002
access-list acl_out permit udp any host my.public.net.253 eq 27003
access-list acl_out permit udp any host my.public.net.253 eq 27004
access-list acl_out permit udp any host my.public.net.253 eq 27005
access-list acl_out permit udp any host my.public.net.253 eq 27006
access-list acl_out permit udp any host my.public.net.253 eq 27007
access-list acl_out permit udp any host my.public.net.253 eq 27008
access-list acl_out permit udp any host my.public.net.253 eq 27009
access-list acl_out permit tcp any host my.public.net.252 eq pop3
access-list acl_out permit udp any host my.public.net.252 eq 110
access-list acl_out permit tcp any host my.public.net.253 eq ftp
access-list acl_out permit tcp any host my.public.net.253 eq ftp-data
access-list acl_out permit tcp any host my.public.net.106 eq citrix-ica
access-list acl_out permit udp any host my.public.net.106 eq 1494
access-list acl_out permit tcp any host my.public.net.106 eq 137
access-list acl_out permit udp any host my.public.net.106 eq netbios-ns
access-list acl_out permit tcp any host my.public.net.106 eq 138
access-list acl_out permit udp any host my.public.net.106 eq netbios-dgm
access-list acl_out permit tcp any host my.public.net.106 eq netbios-ssn
access-list acl_out permit udp any host my.public.net.106 eq 139
access-list acl_out permit udp any host my.public.net.106 eq www
access-list acl_out permit tcp any host my.public.net.106 eq www
access-list acl_out permit tcp any host my.public.net.105 eq www
access-list acl_out permit udp any host my.public.net.105 eq www
access-list acl_out permit tcp any host my.public.net.105 eq lotusnotes
access-list acl_out permit udp any host my.public.net.105 eq 1352
access-list acl_out permit tcp any host my.public.net.105 eq smtp
access-list acl_out permit tcp any host my.public.net.105 eq 3389
access-list acl_out permit tcp any host my.public.net.105 eq pop3
access-list acl_out permit udp any host my.public.net.105 eq 110
access-list acl_out permit tcp any host my.public.net.108 eq www
access-list acl_out permit udp any host my.public.net.108 eq www
access-list acl_out permit tcp any host my.public.net.108 eq 1533
access-list acl_out permit udp any host my.public.net.108 eq 1533
access-list acl_out permit tcp any host my.public.net.108 eq lotusnotes
access-list acl_out permit udp any host my.public.net.108 eq 1352
access-list acl_dmz1 permit tcp any any
access-list acl_dmz1 permit udp any any
access-list acl_dmz1 permit icmp any any
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
access-list acl_inside permit icmp any any
pager lines 24
logging facility 6
logging device-id hostname
logging host inside 192.168.1.5
no logging message 106011
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu failover 1500
ip address outside my.public.net.250 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.4 255.255.255.0
ip address failover 192.168.3.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside my.public.net.252
failover ip address inside 192.168.1.8
failover ip address dmz1 192.168.2.8
failover ip address failover 192.168.3.8
failover link failover
pdm history enable
arp timeout 14400
global (outside) 2 my.public.net.110 netmask 255.255.255.248
global (outside) 1 my.public.net.254 netmask 255.255.255.248
global (dmz1) 1 192.168.2.94 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) my.public.net.251 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,dmz1) 192.168.2.15 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.107 192.168.1.14 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.109 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.106 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.105 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.253 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) my.public.net.108 192.168.1.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 my.public.net.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 66.162.209.77 ldh
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.60-192.168.1.125 inside
dhcpd dns 192.168.1.5
dhcpd lease 82800
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 
I have a number of comments that may help.

I see you have used the "failover link failover" command which suggests you want to use the interface called failover for stateful failover. But to use stateful failover you usually specify another interface as failover. i.e. to use stateful failover, you need 2 interfaces between the 2 PIXes.

Your post suggests you only have one interface allocated to failover so you may have to try disabling stateful failover and instead allocate interface e2 to standard failover. Do this as follows:

no failover link failover
failover lan interface failover

Also some of the commands I would normally expect to see for enabling LAN-based failover do seem to be missing, such as:

failover lan unit primary
failover lan enable

and on the secondary unit:

failover lan unit secondary
failover lan enable

Also ensure your switch is configured for portfast on the ports that connect the 2 PIXes and ensure trunking and etherchannelling have been disabled. Ensure also that the switch ports that connect the failover interfaces are set to 100 full as well.
 
It almost sounds like at some point you are getting an incomplete ARP entry.

An output of the MAC address table on the switches before and after, and also a "sh failover" before and after, would be helpful. Like KiscoKid said, make sure portfast is enabled. Why 100 half on the inside and outside? Just wondering. Always best to hard code if possible.

Free Firewall/Network/Systems Support-
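As an added example (not part of this thread, and not Cisco tooling), here is a small Python check that applies the points the two replies above raise to a PIX 6.x running-config: interface speed/duplex left on auto or on a half-duplex setting, a standby ("failover ip address") that is missing or outside its primary address's subnet, and the LAN-based failover commands that were absent from the posted config. The config it runs on is constructed to mirror the posted one, with the public /29 replaced by documentation space (198.51.100.0/29); the finding codes and the FIXED_CONFIG are my own. It assumes LAN-based failover is intended, as the thread describes.

```python
"""Consistency check for a PIX 6.x LAN-based failover configuration.

Added example, not from the original thread. Assumes LAN-based (not
serial-cable) failover is intended.
"""
import ipaddress
import re
from typing import List, Tuple

IFACE_RE = re.compile(r"^interface (\S+) (\S+)(?: shutdown)?$")
NAMEIF_RE = re.compile(r"^nameif (\S+) (\S+) security\d+$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STANDBY_RE = re.compile(r"^failover ip address (\S+) (\S+)$")
LAN_IF_RE = re.compile(r"^failover lan interface (\S+)$")
UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$")

# PIX 6.x hardware speed keywords that mean half duplex.
HALF_DUPLEX = {"10baset", "100basetx"}

# Constructed config, patterned on the posted one; the public /29 is replaced
# by 198.51.100.0/29. This is not the poster's actual config.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 failover security10
ip address outside 198.51.100.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.4 255.255.255.0
ip address failover 192.168.3.4 255.255.255.0
failover
failover poll 15
failover ip address outside 198.51.100.4
failover ip address inside 192.168.1.8
failover ip address dmz1 192.168.2.8
failover ip address failover 192.168.3.8
failover link failover
"""

# Hypothetical corrected config: the replies' suggestions applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("100basetx", "100full") + (
    "failover lan interface failover\n"
    "failover lan unit primary\n"
    "failover lan enable\n"
)


def parse(config: str) -> dict:
    """Pull the failover-relevant lines out of a PIX 6.x running-config."""
    cfg = {"speed": {}, "nameif": {}, "primary": {}, "standby": {},
           "failover": False, "lan_if": None, "unit": None, "lan_enable": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "failover":
            cfg["failover"] = True
        elif line == "failover lan enable":
            cfg["lan_enable"] = True
        elif m := IFACE_RE.match(line):
            cfg["speed"][m.group(1)] = m.group(2)            # ethernetN -> speed
        elif m := NAMEIF_RE.match(line):
            cfg["nameif"][m.group(2)] = m.group(1)           # name -> ethernetN
        elif m := IPADDR_RE.match(line):
            cfg["primary"][m.group(1)] = (m.group(2), m.group(3))
        elif m := STANDBY_RE.match(line):
            cfg["standby"][m.group(1)] = m.group(2)
        elif m := LAN_IF_RE.match(line):
            cfg["lan_if"] = m.group(1)
        elif m := UNIT_RE.match(line):
            cfg["unit"] = m.group(1)
    return cfg


def check_failover(config: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means all checks passed."""
    cfg = parse(config)
    findings: List[Tuple[str, str]] = []
    if not cfg["failover"]:
        findings.append(("FAILOVER_OFF", "'failover' is not enabled"))
    for name, phys in cfg["nameif"].items():
        speed = cfg["speed"].get(phys, "auto")
        if speed == "auto":
            findings.append(("AUTO_SPEED", f"{name} ({phys}): speed/duplex is auto; "
                             "hard-code it to match the switch port"))
        elif speed in HALF_DUPLEX:
            findings.append(("HALF_DUPLEX", f"{name} ({phys}): {speed} is half duplex; "
                             "use 100full if the switch port is 100 full"))
        if name not in cfg["primary"]:
            findings.append(("NO_IP", f"{name}: no 'ip address' line"))
            continue
        addr, mask = cfg["primary"][name]
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        standby = cfg["standby"].get(name)
        if standby is None:
            findings.append(("NO_STANDBY", f"{name}: no 'failover ip address'; "
                             "the standby unit has no address on this interface"))
        elif standby == addr:
            findings.append(("STANDBY_EQ_PRIMARY", f"{name}: standby equals primary {addr}"))
        elif ipaddress.IPv4Address(standby) not in net:
            findings.append(("STANDBY_WRONG_SUBNET", f"{name}: standby {standby} is not in {net}"))
    if cfg["lan_if"] is None:
        findings.append(("NO_LAN_INTERFACE", "no 'failover lan interface <if>'; "
                         "without it (and 'failover lan enable') the PIX uses cable-based failover"))
    elif cfg["lan_if"] not in cfg["nameif"]:
        findings.append(("UNKNOWN_INTERFACE",
                         f"'failover lan interface {cfg['lan_if']}' names no nameif'd interface"))
    if cfg["unit"] is None:
        findings.append(("NO_LAN_UNIT", "no 'failover lan unit primary|secondary'"))
    if not cfg["lan_enable"]:
        findings.append(("NO_LAN_ENABLE", "no 'failover lan enable'"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, detail in check_failover(text) or [("OK", "no findings")]:
            print(f"{code:22} {detail}")
```

Run it as-is to see the findings for the constructed copy of the posted config (two half-duplex interfaces and the three missing LAN-failover commands) and an empty result for the corrected one; to check your own unit, paste the output of "sh run" into SAMPLE_CONFIG. The subnet check matters because the standby address is what the secondary answers ARP for, so a standby outside the primary's subnet leaves that unit unreachable after a switchover.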
 
Thank you both. Been busy fighting the ol' IRS the last couple of days. Will reply to both of you when I get back to the server room.....
 