adrianjfx (Bahamas) asked:
Resetting PIX Failover

Since the upgrade of my PIX from 6.3 to 7.2, the FO doesn't seem to notice the UR and so goes into active mode. I have an Active/Active license on my UR. I think it was something about redoing a crypto key; any ideas?
mkielar (United States of America):

Make sure the cable between the two is working properly. If it's not, both will come up as active/active.
If it truly is a licensing issue, you might have to open a TAC case.

Here is some more helpful failover info:  http://www.ciscopress.com/articles/article.asp?p=24686

Fail Back
Fail back is the term used to describe the action of restoring PIX operation from the Secondary-Active back to the Primary-Failed PIX. Fail back to the primary unit is not automatically forced, as there is no reason to switch active and standby roles. When a failed primary unit is repaired and brought back on line, it does not automatically resume as the active unit. To force a unit to be the active unit, use the failover active command on the Primary-Standby unit or the no failover active command on the Secondary-Active unit.

The results of issuing the failover active vary depending on whether Failover or Stateful Failover are configured.

If Stateful Failover is used, connection state information is passed from the active unit to the standby unit.

In Failover mode, state information is not tracked and sessions must be reestablished by applications. This means all active connections are dropped after a switchover.

This section discusses the differences between failover and stateful failover modes.

As stated earlier, failover enables the standby PIX Firewall to take over the duties of the active PIX Firewall when the active PIX Firewall fails. There are two types of failover:

Failover: When the active PIX Firewall fails and the standby PIX Firewall becomes active, all connections are lost and client applications must initiate a new connection to restart communication through the PIX Firewall. The disconnection occurs because the standby PIX Firewall has no facility to receive connection information from the active PIX Firewall. The channel provided by the failover cable lacks the bandwidth necessary to maintain state synchronization between the two PIXs.

Stateful failover: When the active PIX Firewall fails and the standby PIX Firewall becomes active, the same connection information is available at the new active PIX Firewall, and end-user applications are not required to do a reconnect to keep the same communication session. The connections remain because the stateful failover feature passes per-connection stateful information to the standby PIX Firewall. The TCP connection table (except HTTP) is synchronized with the Secondary PIX over the interface chosen for Stateful Failover.

Stateful failover requires a 100 Mbps Ethernet interface on each PIX to be used exclusively for passing state information between the two PIX Firewalls. These interfaces can be connected by any of the following:

Category 5 crossover cable directly connecting the primary PIX Firewall to the secondary PIX Firewall (100Mb half or full duplex)

100BaseTX half-duplex hub using straight Category 5 cables

100BaseTX full duplex on a dedicated switch or dedicated virtual LAN (VLAN) of a switch using straight Category 5 cables.
adrianjfx (asker):
My primary failover settings:

failover
failover lan unit primary
failover lan interface failan Ethernet3
failover lan enable
failover polltime unit 12 holdtime 36
failover replication http
failover link failan Ethernet3
failover interface ip failan 10.20.100.1 255.255.255.0 standby 10.20.100.2


My secondary failover settings:

failover
failover lan unit secondary
failover lan interface failan Ethernet3
failover lan enable
failover polltime unit 12 holdtime 36
failover replication http
failover link failan Ethernet3
failover interface ip failan 10.20.100.1 255.255.255.0 standby 10.20.100.2

My primary "sh version":

Licensed features for this platform:
Maximum Physical Interfaces : 6        
Maximum VLANs               : 25        
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

My secondary "sh version":
Licensed features for this platform:
Maximum Physical Interfaces : 6        
Maximum VLANs               : 25        
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Disabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

I can ping on my outside address, but I can't on my inside address. The interface is in the same VLAN as the
primary, I cannot ping from it, and the status says interface and protocol up.
And since I am using ASDM to configure with a mix of command line, I find it confusing.
I have a crossover cable between the PIXs, and this again was something that was working before on version 6.3.
I noticed the activation keys are different between the UR and FO,
and the failover modes are different.

This is the configuration of the failover Ethernet interface, the same on both PIXs:

interface Ethernet3
 description LAN/STATE Failover Interface
 speed 100
 duplex full

When I try to enable the failan LAN interface on the PIX FO,
I get:
Mate's license (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled). Failover will be disabled
So I guess that is my problem. What is my resolution?
ASKER CERTIFIED SOLUTION: adrianjfx (Bahamas)
OK, I reset the activation key, but now I am getting this error.
========================= NOTICE =========================
               This platform is licensed to run in
                  failover secondary mode only
   ==========================================================

        Detected an Active mate
Beginning configuration replication from mate.
WARNING: tunnel-group <G.H.I.46> does not exist
End configuration replication from mate.
Cryptochecksum: 5d3f10c3 892c7187 7ab4a6a8 3064eaeb

14242 bytes copied in 0.420 secs
Beginning configuration replication from mate.
WARNING: tunnel-group <G.H.I.46> does not exist
End configuration replication from mate.
There seems to be some issue with my inside interface. Any suggestions?
This is for my internal network, so if it doesn't work, failover is kind of pointless.

I can ping from the other interfaces on the PIX FO (outside, dmz, etc.), but I can't ping through the inside interface, not even the IP configured on the interface. This solution will conclude my issue with failover.

As follows, my failover is now working with the new activation key on the PIX FO:
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: failan Ethernet3 (up)
Unit Poll frequency 12 seconds, holdtime 36 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 15:47:24 EST Mar 7 2008
      This host: Primary - Active
            Active time: 11112 (sec)
              Interface outside (A.B.C.162): Normal
              Interface inside (10.168.4.4): Normal (Waiting)
              Interface dmz (10.250.100.1): Normal
              Interface wifi_guest (172.16.50.1): Normal (Not-Monitored)
              Interface intf5 (0.0.0.0): Link Down (Not-Monitored)
      Other host: Secondary - Standby Ready
            Active time: 0 (sec)
              Interface outside (A.B.C.163): Normal
              Interface inside (10.168.4.2): Normal (Waiting)
              Interface dmz (10.250.100.2): Normal
              Interface wifi_guest (172.16.50.3): Normal (Not-Monitored)
              Interface intf5 (0.0.0.0): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
      Link : failan Ethernet3 (up)
      Stateful Obj       xmit       xerr       rcv        rerr      
      General            24051      0          313        0        
      sys cmd        314        0          313        0        
      up time        0          0          0          0        
      RPC services        0          0          0          0        
      TCP conn       17244      0          0          0        
      UDP conn       2339       0          0          0        
      ARP tbl        4144       0          0          0        
      Xlate_Timeout        0          0          0          0        
      VPN IKE upd       5          0          0          0        
      VPN IPSEC upd       5          0          0          0        
      VPN CTCP upd       0          0          0          0        
      VPN SDI upd       0          0          0          0        
      VPN DHCP upd       0          0          0          0        

      Logical Update Queue Information
                    Cur       Max       Total
      Recv Q:       0       4       313
      Xmit Q:       0       4       29203
Anyone have any help on why the inside interface of my PIX is not responding to pings, not even to its own interface? See the issue in my above posts. Thanks.
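Two checks a practitioner would automate from the output pasted in this thread: comparing the two "show version" license blocks for the feature mismatch that blocked failover, and flagging interfaces in "show failover" that are not plainly "Normal". This is an added example written for this page, not code from the thread; the sample text is constructed from the posts above, and the MUST_MATCH feature list is an assumption limited to what the thread's error message names, not a complete Cisco list.

```python
import re

# Constructed sample mirroring the two "Licensed features" blocks in the thread.
PRIMARY_LICENSE = """\
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
"""
SECONDARY_LICENSE = """\
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
Security Contexts           : 2
"""

# Constructed sample of the per-interface lines from "show failover".
SHOW_FAILOVER = """\
      This host: Primary - Active
              Interface outside (A.B.C.162): Normal
              Interface inside (10.168.4.4): Normal (Waiting)
              Interface intf5 (0.0.0.0): Link Down (Not-Monitored)
      Other host: Secondary - Standby Ready
              Interface outside (A.B.C.163): Normal
              Interface inside (10.168.4.2): Normal (Waiting)
"""

# Assumption: features drawn from the thread's error message, not a full Cisco list.
MUST_MATCH = ("VPN-3DES-AES", "Security Contexts")

def parse_license(text):
    """Return {feature: value} from a 'Licensed features' block."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"^(.+?)\s*:\s*(.+?)\s*$", text, re.M)}

def license_mismatches(primary, secondary):
    """List (feature, primary_value, secondary_value) for features that differ."""
    fp, fs = parse_license(primary), parse_license(secondary)
    return [(f, fp.get(f), fs.get(f)) for f in MUST_MATCH if fp.get(f) != fs.get(f)]

def degraded_interfaces(text):
    """Return (host, interface, ip, state) for interfaces needing attention.
    'Waiting' means no failover hello has arrived from the peer on that interface,
    which usually points at the layer-2 path between the units (cable, VLAN)."""
    host, found = None, []
    for line in text.splitlines():
        h = re.match(r"\s*(?:This|Other) host: (.+)", line)
        if h:
            host = h.group(1).strip()
            continue
        m = re.match(r"\s*Interface (\S+) \(([^)]*)\): (.+)", line)
        if m:
            state = m.group(3).strip()
            if not state.startswith("Normal") or "Waiting" in state:
                found.append((host, m.group(1), m.group(2), state))
    return found
```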
Sorry for the delay. Do you have management-access inside configured on that pix? It does seem like things should be working fine now from the snippet above.
The simplest problem: the cable was bad, and once I changed it, it came up. Sometimes you just have to check the things you don't expect to fail even though they have been working.