Failover PIX problem

Posted on 2007-07-29
Medium Priority
Last Modified: 2010-04-09
Dear All,

I have failover PIX 515Es. They were working fine, and I never touched them except for access lists, opening ports, NATing, etc.

Yesterday I faced a problem with them: one of the Ethernet cables going from one of the PIXes to the outside switch was blinking orange and green, and all communication was disconnecting and unstable. I noticed that if I shut down both PIXes and start them again, they are OK and the first one is active for 5-15 minutes, then the second PIX becomes the active one, and the disconnection problem appears once the second one becomes active.

I don't know what to do. I shut down the second one, and everything is OK except telnetting to the PIXes. I am in this situation now because I don't need the users to feel the problem.

Please help me
Question by:Saed80
LVL 16

Expert Comment

ID: 19590988
Sounds like a normal duplex mismatch if the lights are flashing like that. Have you checked the config that the failover ports on both PIXes are set to the same setting (ideally 100/full)?

Accepted Solution

markyzinho earned 2000 total points
ID: 19591561
Hi Saed,

If your secondary PIX is taking over the failover mode then it could be related to a few possible problems. I would not rule out the simple options first. Check that the cables are connected correctly to your switch, and then read through the following article.

You should double check that the secondary PIX has not been set to active, and that the time is synchronized on both boxes.

Let me know how you get on.
LVL 32

Expert Comment

ID: 19591747
If it is a Cisco switch and the switch light goes from green to orange and back again, it could be problems with the firewall NIC or the switch port. Can you post the output of "show interface <your_firewall_interface_port>"?


Author Comment

ID: 19597986
Actually, I found that the Ethernet cable going from the secondary PIX to the core switch had a problem. After I changed the cable everything is great, but the port flashing still happens sometimes, without any effect. But sure, I need to solve it.

And thank you, markyzinho, for that article; it's really great.

Here is the output of the show interface (port):
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0012.1cc9.c217
  IP address, subnet mask
  MTU 1500 bytes, BW 100000 Kbit full duplex
        4753251 packets input, 2277700540 bytes, 0 no buffer
        Received 72 broadcasts, 3404 runts, 0 giants
        22382 input errors, 18978 CRC, 0 frame, 0 overrun, 18978 ignored, 0 abort
        3714646 packets output, 1509689664 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/47)
        output queue (curr/max blocks): hardware (0/33) software (0/1)

Thanks to all of you.
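
An added example, not part of any post in this thread: a short Python check over the counter lines of the "show interface" output posted above. The function names and the 0.1% error-ratio threshold are assumptions; because these counters are cumulative, still_incrementing() compares two snapshots to separate old errors (for instance from the replaced cable) from errors that are still occurring.

```python
import re

# Counter lines from the "show interface" output posted in the thread
# (address and queue lines omitted).
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        4753251 packets input, 2277700540 bytes, 0 no buffer
        Received 72 broadcasts, 3404 runts, 0 giants
        22382 input errors, 18978 CRC, 0 frame, 0 overrun, 18978 ignored, 0 abort
        3714646 packets output, 1509689664 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
"""

# "<number> <name>" pairs, each ended by a comma or the end of the line.
PAIR = re.compile(r"(?<![\w.])(\d+) ([A-Za-z][A-Za-z ]*?)[ \t]*(?:,|$)", re.M)

def parse_counters(text):
    """Map each '<number> <name>' pair to an int; the first occurrence wins."""
    counters = {}
    for value, name in PAIR.findall(text):
        counters.setdefault(name.lower(), int(value))
    return counters

def duplex(text):
    m = re.search(r"\b(full|half) duplex\b", text)
    return m.group(1) if m else None

def assess(text, max_ratio=0.001):  # 0.1% threshold is an assumed value
    """Return (input error ratio, list of findings) for one snapshot."""
    c = parse_counters(text)
    ratio = c["input errors"] / max(c["packets input"], 1)
    findings = []
    if ratio > max_ratio:
        findings.append(f"input error ratio {ratio:.3%} is above {max_ratio:.3%}")
    if c["crc"] + c["runts"] > 0 and c["collisions"] == 0 and c["late collisions"] == 0:
        findings.append(f"CRC/runts with no collisions on a {duplex(text)}-duplex "
                        "port: check cabling and the switch port's speed/duplex")
    return ratio, findings

def still_incrementing(before, after, names=("input errors", "crc", "runts")):
    """Counters are cumulative, so compare two snapshots taken some time apart."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n] - b[n] for n in names if a[n] > b[n]}

if __name__ == "__main__":
    ratio, findings = assess(SAMPLE)
    print(f"{ratio:.3%}", *findings, sep="\n")
```

In the posted output, CRC errors plus runts account for every input error, so a second snapshot taken after the cable swap is what shows whether the remaining port flashing still produces errors.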

Expert Comment

ID: 19605286

No problem. You would be surprised how many times I have found a simple solution like a faulty cable after hours of debugging the firewall.  Glad I could help.

I would suggest that you attempt some tests (during an out of hours time or maintenance window) of the failover function and switch on syslog to troubleshoot any errors that happen during the switch from one box to the other.
