Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX525 FailBundle - stateful failover not working

Status
Not open for further replies.
THEGOODS

THEGOODS

Technical User
Aug 7, 2003
5
US
Problem: Both interfaces are stuck in “Link Down (Waiting)”

Description: Pair of 525s; Primary has UR license, and Sec has FO; CAT5 cross-over connecting both eth5 ports, which are forced to 100full.

Pertinent config:
interface ethernet5 100full
nameif ethernet5 StateFail security25
ip address StateFail 192.168.75.254 255.255.255.252
failover ip address StateFail 192.168.75.253
failover link StateFail
 
Sort by date Sort by votes
Cross-Over is suppossed to be half duplex.

Also, how long is the cross-over cable?
 
Upvote 0 Downvote
I don’t know why I had that forced, but thank you for reminding me. Both interfaces are now at 100-half, but the link is still Down (Waiting). The cable is 5 feet long, and I have tried two. I think you are on the right track, because the interface line protocol is down as well. Am I overlooking something simple?
 
Upvote 0 Downvote
The first three TAC authored docs I read listed the following:

“Stateful Failover requires 100 Mbps Ethernet interface to be used exclusively for passing state information between the two PIX Firewall units. This interface can be connected to any of the following:
· Cat 5 crossover cable directly connecting the Primary unit to the Secondary unit.
· 100BaseTX half duplex hub using straight Cat 5 cables.
· 100BaseTX full duplex on a dedicated switch or dedicated VLAN of a switch.”

This is why I thought nothing of using the cross-over cable. The most recent doc I found states:
“The minimum connection speed for a Stateful Failover link is 100 Mbps full-duplex.”

As such I have migrated to a 3512XL with all links forced to 100-full. Sadly the two PIX interfaces’ line protocol remains down.
 
Upvote 0 Downvote
The switchports show: up, line protocol is up
The PIX eth interfaces show: up, line protocol is down
 
Upvote 0 Downvote
I moved the config onto another interface, but am getting the same results:

interface ethernet4 100full
nameif ethernet4 StateFail security25
ip address statefail 192.168.75.254 255.255.255.252
failover ip address statefail 192.168.75.253
failover link statefail
 
Upvote 0 Downvote
Have you tried auto? Also, If I'm doing my math right, that IP address isn't valid for a host. Try this configuration.

interface ethernet4 auto
nameif ethernet4 statefail security25
ip address statefail 192.168.75.253 255.255.255.252
failover ip address statefail 192.168.75.254
failover link statefail
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

disturbedone
  • Locked
  • Question
proxy.pac not working correctly in IE11
Replies
0
Views
168
disturbedone
disturbedone
TierOneTech
  • Locked
  • Question
TZ105 - can I define a second WAN interface for failover?
Replies
1
Views
123
jcarmichael1203
jcarmichael1203
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
135
gbayi_omo
gbayi_omo
MartinUMBT
  • Locked
  • Question
Failover / Load Balancing Interface that are not WAN
Replies
0
Views
102
MartinUMBT
MartinUMBT
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
163
brownmab53
brownmab53

Part and Inventory Search

Sponsor

Back
Top