True, the cable is what determines the Primary; refer to the label. It is a
proprietary Cisco 25-pin cable that is used to send config updates back and
forth, nothing more. State information is transferred via a dedicated
Ethernet cross-over cable (if installed). Hello heartbeats are sent out
every interface and must be acknowledged or the unit will begin a self test.
The command show failover has the following output:
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 9747255 (sec)
                Interface dmz (*.*.*.*): Normal
                Interface vpn (*.*.*.*): Normal
                Interface outside (*.*.*.*): Normal
                Interface inside (*.*.*.*): Normal
        Other host: Secondary - Standby
                Active time: 1318935 (sec)
                Interface dmz (*.*.*.*): Normal
                Interface vpn (*.*.*.*): Normal
                Interface outside (*.*.*.*): Normal
                Interface inside (*.*.*.*): Normal

Stateful Failover Logical Update Statistics
        Link : Unconfigured.              
 
IP addresses have been removed, but they will switch when the state changes
from active to standby.
This can cause a problem if both units are connected to a switch: the
devices will be available for about 60 seconds while the MAC address
times out. In this case I would recommend a dedicated hub to connect the two
internal interfaces to, to shorten the length of time required for failover.
This can also be accomplished by shortening the forward-delay timer on the
switch. You might also note that we are not currently using the "Stateful
Failover". Check the following link for more info:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/index.htm
Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
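
An added example, not part of the original message: a small Python parser for `show failover` output in the format quoted above, which flags the conditions the message discusses (interface state per unit, and the stateful link being unconfigured). The sample text is constructed, and the function names and the `Failed` interface value in the sample are assumptions for illustration.

```python
import re

# Constructed sample in the format of the `show failover` output quoted above.
SAMPLE = """\
Failover On
Cable status: Normal
        This host: Primary - Active
                Interface dmz (*.*.*.*): Normal
                Interface inside (*.*.*.*): Failed
        Other host: Secondary - Standby
                Interface dmz (*.*.*.*): Normal
                Interface inside (*.*.*.*): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")

# Parse failover flag, cable status, per-unit role/state/interfaces, stateful link.
def parse_show_failover(text):
    result = {"failover_on": False, "cable": None, "units": {}, "stateful_link": None}
    current = None  # unit whose interface lines are currently being read
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Failover "):
            result["failover_on"] = s == "Failover On"
        elif s.startswith("Cable status:"):
            result["cable"] = s.split(":", 1)[1].strip()
        elif (m := HOST_RE.match(line)):
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            result["units"][m.group(1).lower()] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = m.group(3)
        elif s.startswith("Link :"):
            result["stateful_link"] = s.split(":", 1)[1].strip().rstrip(".")
    return result

# Turn the parsed status into a list of conditions worth an operator's attention.
def findings(st):
    out = [] if st["failover_on"] else ["failover is off"]
    if st["cable"] != "Normal":
        out.append(f"cable status: {st['cable']}")
    for side, unit in st["units"].items():
        out += [f"{side} host ({unit['role']}) interface {n}: {s}"
                for n, s in unit["interfaces"].items() if s != "Normal"]
    if st["stateful_link"] == "Unconfigured":
        out.append("stateful link unconfigured: no connection state is replicated")
    return out
```
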


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael Zoetmulder
Sent: Tuesday, January 23, 2001 9:26 AM
To: Gerakaris, Kostas
Cc: 'Firewalls List'
Subject: Re: 


Hi there

I believe that the markings on the failover cable let you determine which is
which.

In other words, the PIX connected to the end of the cable marked secondary
is the secondary firewall.

Regards

Michael
----- Original Message -----
From: "Gerakaris, Kostas" <[EMAIL PROTECTED]>
To: "'Volker Tanger'" <[EMAIL PROTECTED]>
Cc: "'Firewalls List'" <[EMAIL PROTECTED]>
Sent: Tuesday, January 23, 2001 2:07 PM
Subject: RE:


> What I meant was that Cisco has a policy that the secondary PIX can be
> bought at a lower price, but cannot act on its own as a primary.
> We cannot tell which of the two that came is the secondary.
>
> -----Original Message-----
> From: Volker Tanger [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 23, 2001 4:03 PM
> To: Gerakaris, Kostas
> Cc: 'Firewalls List'
> Subject: Re:
>
>
> Greetings!
>
> "Gerakaris, Kostas" wrote:
>
> > We just purchased in our company two new PIX firewalls 525 in failover
> > state.
> > How can we understand which one is the primary and which the secondary?
> > The secondary is not supposed to be able to operate on its own.
>
> It is - else it would not be able to do all the work if the primary fails.
> Basically both will be configured (nearly) identically.  I personally do not
> know the PIX, but I guess you meant that the administration will be done on
> the primary machine and then replicated automagically to the secondary.
>
> Bye
>     Volker
>
> --
>
> Volker Tanger  <[EMAIL PROTECTED]>
>  Wrangelstr. 100, 10997 Berlin, Germany
>     DiSCON GmbH - Internet Solutions
>          http://www.discon.de/
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
