Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
PIX LAN Failover 1
- Thread starter HTY
- Start date
Failover isn't one PIX talking to the other. I assume you mean to connect the two PIXes NICs with a crossover cable. Each NIC requires a path to the outside.
I'm sure that a switch port is much more robust in handling all your network traffic as well. Crucial to have all available LAN bandwidth. Also - if you're using a hub you'll be talking lots of collisions etc.
"If you lived here, you'd be home by now!"
George Carlin
I'm sure that a switch port is much more robust in handling all your network traffic as well. Crucial to have all available LAN bandwidth. Also - if you're using a hub you'll be talking lots of collisions etc.
"If you lived here, you'd be home by now!"
George Carlin
-
1
- #3
- Thread starter
- #4
- Thread starter
- #5
Hi Baddos,
I've done with the configuration of the two pix units, failover is configured on both units (LAN failover is done with a crossover link connecting the two ubits).
When i unplug a cable (inside or outside) standby unit is switching to active and everything seems to be ok, the problem comes when i shut down the active unit, failover isn't switching, and the resul that i have is one standby unit and that's all!!
is it bacause am not using a switch to connect the failover cables from both sides???
thanks
Hicham
I've done with the configuration of the two pix units, failover is configured on both units (LAN failover is done with a crossover link connecting the two ubits).
When i unplug a cable (inside or outside) standby unit is switching to active and everything seems to be ok, the problem comes when i shut down the active unit, failover isn't switching, and the resul that i have is one standby unit and that's all!!
is it bacause am not using a switch to connect the failover cables from both sides???
thanks
Hicham
- Thread starter
- #7
I will post my failover configuration tomorrow as soons as i'll be at work 
but to tell you, it's a basic lan failover configuration the only parameter i changed is the failover poll interval i put it to the minimum (3 seconds).
but here is a little description of my architecture:
outside
Switch ------------------------Switch
| 2 Crossover cables LAN + Stateful FO
PIX ------------------------ PIX
| (
Switch------------------------Switch
Inside
Unplugging the inside or the outside cable on the primary/active causes failover. OK
Reloading the primary/active unit causes faiover to the standby: OK
Powering down the Primary/active unit make nothing!!!
When i type a show failover on the standby unit in this case, the result is that the status of all the interfaces is Normal!!! although i can't ping any of the interfaces!!
I'm wondering if i'm having this result because i'm not using a dedicated switch to connect the 2 units...
Thanks for your help..
HTY
but to tell you, it's a basic lan failover configuration the only parameter i changed is the failover poll interval i put it to the minimum (3 seconds).but here is a little description of my architecture:
outside
Switch ------------------------Switch
| 2 Crossover cables LAN + Stateful FO
PIX ------------------------ PIX
| (
Switch------------------------Switch
Inside
Unplugging the inside or the outside cable on the primary/active causes failover. OK
Reloading the primary/active unit causes faiover to the standby: OK
Powering down the Primary/active unit make nothing!!!
When i type a show failover on the standby unit in this case, the result is that the status of all the interfaces is Normal!!! although i can't ping any of the interfaces!!
I'm wondering if i'm having this result because i'm not using a dedicated switch to connect the 2 units...
Thanks for your help..
HTY
You don't need a switch to do this. You can through a cheap hub or switch in there temporarily to double check though.
There must be something funky in your configuration. Unplugging the cables causes the FO, but powering off doesn't (which doesn't make sense, because both cause link failures).
Are you using the serial FO cable as well as the LAN?
-Bad Dos
There must be something funky in your configuration. Unplugging the cables causes the FO, but powering off doesn't (which doesn't make sense, because both cause link failures).
Are you using the serial FO cable as well as the LAN?
-Bad Dos
- Thread starter
- #9
bad dos,
Tomorrow i will test with a switch and with a hub, but i don't believe that this should change anything...
I don't see what can be funky with the configuration, i am using a typical configuration provided by cisco, the only things that differ with the cisco reccomended configuration:
- failover poll time is set to 3 seconds.
- I am not using portfast on the the outside switches (but i don't think that this should change anything, since unplugging outside cables causes FO).
- I'm not using a switch or a hub to make the LAN FO.
- I am not using the Cisco FO serial cable, since i have more than 100 meters between the two units!
Thanks
HTY
Tomorrow i will test with a switch and with a hub, but i don't believe that this should change anything...
I don't see what can be funky with the configuration, i am using a typical configuration provided by cisco, the only things that differ with the cisco reccomended configuration:
- failover poll time is set to 3 seconds.
- I am not using portfast on the the outside switches (but i don't think that this should change anything, since unplugging outside cables causes FO).
- I'm not using a switch or a hub to make the LAN FO.
- I am not using the Cisco FO serial cable, since i have more than 100 meters between the two units!
Thanks
HTY
If you have 100 meters between the two PIX boxes, you should seriously consider using a hub or a switch to connect the two of them. This will make sure the cable has the proper power. I wouldn't use a regular crossover cable in a PC-PC configuration further than say 5 meters. A switcth-switch or hub-switch or hub-hub is a different story.
You should use portfast on all ports connecting to the PIXs'.
However, I don't think these should cause what you are having problems with.
You should use portfast on all ports connecting to the PIXs'.
However, I don't think these should cause what you are having problems with.
- Thread starter
- #11
Here is the configuration on the primary unit:
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo z.z.z.177 255.255.255.248
ip address stateful-fo t.t.t.t 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
An on the secondary unit:
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo x.x.x.177 255.255.255.248
ip address stateful-fo x.x.x.169 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit secondary
failover lan interface fo
failover lan key ********
failover lan enable
HTY
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo z.z.z.177 255.255.255.248
ip address stateful-fo t.t.t.t 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
An on the secondary unit:
ip address inside x.x.x.150 255.255.255.0
ip address outside y.y.y.254 255.255.255.0
ip address fo x.x.x.177 255.255.255.248
ip address stateful-fo x.x.x.169 255.255.255.248
failover
failover timeout 0:00:00
failover poll 3
failover ip address inside x.x.x.151
failover ip address outside y.y.y.253
failover ip address fo z.z.z.178
failover ip address stateful-fo t.t.t.170
failover link stateful-fo
failover lan unit secondary
failover lan interface fo
failover lan key ********
failover lan enable
HTY
- Thread starter
- #12
I did the test:
a switch connecting the two PIX to make the LAN FO.
Portfast is enabled on all the ports connecting the two pix.
i have the same result :-(
When shutting down either of the 2 PIX, the other one sees that his peer is in a normal state!!!
A show failover on the secondary unit while the primary is shut down gives:
sh fail
Failover On
LAN-based Failover is Active
HTY
a switch connecting the two PIX to make the LAN FO.
Portfast is enabled on all the ports connecting the two pix.
i have the same result :-(
When shutting down either of the 2 PIX, the other one sees that his peer is in a normal state!!!
A show failover on the secondary unit while the primary is shut down gives:
sh fail
Failover On
LAN-based Failover is Active
HTY
- Thread starter
- #13
- Thread starter
- #15
- Thread starter
- #17
On the primary unit:
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Active
Active time: 3306 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
Other host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Stateful Failover Logical Update Statistics
Link : stateful-fo
Stateful Obj xmit xerr rcv rerr
General 409 0 410 0
sys cmd 409 0 408 0
up time 0 0 2 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 410
Xmit Q: 0 1 409
LAN-based Failover is Active
interface fo (z.z.z.177): Normal, peer (z.z.z.178): Normal
On the secondary unit:
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Other host: Primary - Active
Active time: 2733 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
Stateful Failover Logical Update Statistics
Link : stateful-fo
Stateful Obj xmit xerr rcv rerr
General 333 0 332 0
sys cmd 331 0 332 0
up time 2 0 0 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 332
Xmit Q: 0 1 333
LAN-based Failover is Active
interface fo (z.z.z.178): Normal, peer (z.z.z.177): Normal
HTY
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Primary - Active
Active time: 3306 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
Other host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Stateful Failover Logical Update Statistics
Link : stateful-fo
Stateful Obj xmit xerr rcv rerr
General 409 0 410 0
sys cmd 409 0 408 0
up time 0 0 2 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 410
Xmit Q: 0 1 409
LAN-based Failover is Active
interface fo (z.z.z.177): Normal, peer (z.z.z.178): Normal
On the secondary unit:
Failover On
Serial Failover Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 3 seconds
This host: Secondary - Standby
Active time: 3384 (sec)
Interface stateful-fo (t.t.t.170): Normal
Interface inside (x.x.x.151): Normal
Interface outside (y.y.y.253): Normal
Other host: Primary - Active
Active time: 2733 (sec)
Interface stateful-fo (t.t.t.169): Normal
Interface inside (x.x.x.150): Normal
Interface outside (y.y.y.254): Normal
Stateful Failover Logical Update Statistics
Link : stateful-fo
Stateful Obj xmit xerr rcv rerr
General 333 0 332 0
sys cmd 331 0 332 0
up time 2 0 0 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 332
Xmit Q: 0 1 333
LAN-based Failover is Active
interface fo (z.z.z.178): Normal, peer (z.z.z.177): Normal
HTY
- Thread starter
- #19
stateful-fo is serving for the stateful failover, and has nothing to do with the lan failover.
I don't understand why i should change it.
I'm using PIX OS 6.2 (2), i'll test an upgrade to 6.3.1
I already noticed that you've a bad experience with this version
HTY
I don't understand why i should change it.
I'm using PIX OS 6.2 (2), i'll test an upgrade to 6.3.1
I already noticed that you've a bad experience with this version
HTY
I am running 6.3.1 right now. The problem I had w/ 6.3.1 is that you can't upgrade to the new version while the other pix is turned on. Their suppossed to fix that for the next version.
The reason why you should change that command, is because you don't have an interface named "fo" or at least what I could tell. You should set it to the correct interface name "stateful-fo".
-Bad Dos
The reason why you should change that command, is because you don't have an interface named "fo" or at least what I could tell. You should set it to the correct interface name "stateful-fo".
-Bad Dos
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question