
PIX 515E Failover

Question for the experts:

I inherited two PIX 515E's in the environment in a active/passive failover.

Here is the config:
Primary:
Name: fw01
Ext: x.x.x.228
Int: 10.10.10.1

Standby:
fw02
Ext: x.x.x.229
Int: 10.10.10.2

I do all of the changes on fw01 and then do 'wr mem' and the changes appear on fw02. However, when I log in to 10.10.10.2 (which is fw02) it shows info for the primary unit: fw01 as a name, x.x.x.228 and 10.10.10.1 as its IPs.

The primary unit has Power, ACT and Network lights lit; the standby unit only has Power and Network lights lit which is correct.

The primary unit has the following lines in the config:
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.229
failover ip address inside 10.10.10.2
failover ip address dmz 192.168.0.2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
failover lan unit primary

The standby unit has the following lines in the config:
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.229
failover ip address inside 10.10.10.2
failover ip address dmz 192.168.0.2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5

I am assuming that the primary unit should have the line 'failover lan unit primary' where as the standby should not, correct?

Should the interface IPs be exactly the same on both firewalls? Nowhere on the standby unit does it say that it is 10.10.10.2 or that its external IP is x.x.x.229. Are there any non-intrusive commands I can run to verify that the failover is intact?

Also, when I log in to the standby firewall, should I get warned that any changes on this firewall will not take effect as it is managed by the primary firewall?

If you need more information, please don't hesitate to ask :)

Thanks much guys!

Marek
maredzkiAuthor Commented:
Forgot to mention, the IOS is 6.3 (5)
debuggerauCommented:
might be worth upgrading, they are up to version 8 now..
maredzkiAuthor Commented:
debuggerau, so you think the configuration is intact?
debuggerauCommented:
except the timeout could be set positive.
lrmooreCommented:
>Should the interface IPs be exactly the same on both firewalls?
No, they should be independent. When a failover happens, the secondary unit assumes the "primary" identity, IPs and all.

>Also, when I log in to the standby firewall, should I get warned that any changes on this firewall will not take effect as it is managed by the primary firewall?
Absolutely. You should only make changes on the primary.
maredzkiAuthor Commented:
Interesting, I am no longer warned on the standby PIX...

Also, sh run of the standby pix shows it has the primary PIX's IP as its outside interface and the name also reflects the primary PIX, yet I am able to connect using the standby interface IP. Is that normal behavior?
lrmooreCommented:
Are you sure it did not failover?
Check status with "show failover"
maredzkiAuthor Commented:
I am pretty much sure as the ACT light on the standby is not lit.

I also just ran the command you noted in the previous comment and here are the results:

USILLAK1FW01# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 16:30:22 cst Mon Jun 16 2008
        This host: Primary - Active
                Active time: 27318450 (sec)
                Interface outside (x.x.x.228): Normal
                Interface inside (172.16.192.1): Normal
                Interface dmz (192.168.0.1): Normal
                Interface intf3 (0.0.0.0): Link Down (Shutdown)
                Interface intf4 (0.0.0.0): Link Down (Shutdown)
                Interface intf5 (0.0.0.0): Link Down (Shutdown)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (x.x.x.229): Normal
                Interface inside (172.16.192.2): Normal
                Interface dmz (192.168.0.2): Normal
                Interface intf3 (0.0.0.0): Link Down (Shutdown)
                Interface intf4 (0.0.0.0): Link Down (Shutdown)
                Interface intf5 (0.0.0.0): Link Down (Shutdown)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

What do you think?

Thanks!
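As an added example (not part of the original thread, and not a Cisco tool), here is a small Python check that parses `show failover` output in the format posted above and reports whether the pair looks healthy: failover on, cable status Normal, exactly one Active and one Standby unit, no interface in a failed state (shut-down interfaces are ignored), and different addresses on each interface of the two units. The sample text is the output quoted above with the thread's redacted x.x.x. addresses kept as-is; the function names and the second, constructed "after a failover" sample are this example's own. Because `show failover` is read-only, a check like this is a reasonable thing to run from a monitoring host without touching the configuration.

```python
import re

# "show failover" output as posted in the thread (addresses redacted there as
# x.x.x.228/229); embedded so the check runs offline.
SAMPLE_OUTPUT = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 16:30:22 cst Mon Jun 16 2008
        This host: Primary - Active
                Active time: 27318450 (sec)
                Interface outside (x.x.x.228): Normal
                Interface inside (172.16.192.1): Normal
                Interface dmz (192.168.0.1): Normal
                Interface intf3 (0.0.0.0): Link Down (Shutdown)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (x.x.x.229): Normal
                Interface inside (172.16.192.2): Normal
                Interface dmz (192.168.0.2): Normal
                Interface intf3 (0.0.0.0): Link Down (Shutdown)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# Constructed variant: the same pair after the secondary has taken over.
FAILED_OVER_OUTPUT = SAMPLE_OUTPUT.replace(
    "Primary - Active", "Primary - Standby").replace(
    "Secondary - Standby", "Secondary - Active")

HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (\w+)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\): (.+?)\s*$")


def parse_show_failover(text):
    """Return failover on/off, cable status and per-host role, state and interfaces."""
    result = {"failover_on": False, "cable_status": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Failover "):          # "Failover On" / "Failover Off"
            result["failover_on"] = stripped.split()[1].lower() == "on"
            continue
        if stripped.startswith("Cable status:"):
            result["cable_status"] = stripped.split(":", 1)[1].strip()
            continue
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = which.lower()                  # "this" or "other"
            result["hosts"][current] = {"role": role, "state": state, "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, status = m.groups()
            result["hosts"][current]["interfaces"][name] = {"ip": ip, "status": status}
    return result


def failover_problems(parsed):
    """List reasons the pair should be looked at; an empty list means healthy."""
    problems = []
    if not parsed["failover_on"]:
        problems.append("failover is off")
    if parsed["cable_status"] not in (None, "Normal"):
        problems.append("cable status is %s" % parsed["cable_status"])
    hosts = parsed["hosts"]
    if set(hosts) != {"this", "other"}:
        problems.append("expected both 'This host' and 'Other host' sections")
        return problems
    states = {hosts["this"]["state"], hosts["other"]["state"]}
    if states != {"Active", "Standby"}:
        problems.append("expected one Active and one Standby unit, got %s" % sorted(states))
    for which, host in hosts.items():
        # The primary is normally Active; a Secondary that is Active means a failover happened.
        if host["role"] == "Secondary" and host["state"] == "Active":
            problems.append("secondary unit is Active: a failover has occurred")
        for name, iface in host["interfaces"].items():
            if iface["status"] != "Normal" and "Shutdown" not in iface["status"]:
                problems.append("%s host interface %s is %s" % (which, name, iface["status"]))
    # Active and standby must hold different addresses on each configured interface.
    for name, iface in hosts["this"]["interfaces"].items():
        other = hosts["other"]["interfaces"].get(name)
        if other and iface["ip"] != "0.0.0.0" and iface["ip"] == other["ip"]:
            problems.append("interface %s has the same IP on both units" % name)
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_OUTPUT), ("after failover", FAILED_OVER_OUTPUT)):
        print(label, failover_problems(parse_show_failover(text)) or "healthy")
```

The last two lines of the posted output are worth a look as well: "Link : Unconfigured" under "Stateful Failover Logical Update Statistics" means no stateful failover link is set up, so connection state is not replicated and a failover drops existing sessions even though the standby takes over the addresses.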
lrmooreCommented:
Looks good. The active and standby interfaces do, in fact, have different IPs, so that is good.
Everything looks normal.
debuggerauCommented:
No need to even increase the timeout either, not sure what mine was doing at 2.

Cisco recommends zero for compatibility, so stick with that..

maredzkiAuthor Commented:
Thank you!