RE: PIX failover
If you do sh ver from enable mode you get :- PIX_TH_BB# sh ver PIX Version 4.4(4) Compiled on Thu 06-Jan-00 16:07 by pixbuild PIX BIOS (4.0) #0: Tue May 18 16:29:54 PDT 1999 PIX_TH_BB up 104 days 21 hours Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz Flash strata @ base 0x300 0: ethernet0: address is 0050.54ff.382e, irq 9 1: ethernet1: address is 0050.54ff.382f, irq 7 Licensed Options: Failover: Enabled IPSec: Disabled Ports allowed: 6 Serial Number: 1234567890 -- Two things that say its a UnRestricted pix. 1) 64Meg of Ram - Restricted pix has only 32meg 2) the Failover option is enabled If you have a Restricted and buy the upgrade you get 32meg of ram and a software patch. Hope this helps Andrew -Original Message- From: Florin Mechetiuc [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 02, 2001 3:22 PM To: [EMAIL PROTECTED] Subject: PIX failover I have couple of 520 firewalls ordered a while back but I don't know if is a way to check if they are in failover bundle. To be more specific , I have one up and running but I would like to install the failover and I don't which one is ( I have other three ordered for other projects). I think it might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the the serial number of the failover. Thanks and Happy New Year ! Florin Mechetiuc [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX failover
Of course the REAL test is to unplug one of them once you are certain it is configured properly to test the failover and see first hand how it reacts by viewing the routes, protocols and translations to verify that all is working according to plan. Then failover again just to return to the original and prove that it will return after the initial failure has been resolved. Put your results into your operating manual(s) for future reference. -Original Message- From: Andrew Twigger [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 02, 2001 9:55 AM To: 'Florin Mechetiuc'; [EMAIL PROTECTED] Subject: RE: PIX failover If you do sh ver from enable mode you get :- PIX_TH_BB# sh ver PIX Version 4.4(4) Compiled on Thu 06-Jan-00 16:07 by pixbuild PIX BIOS (4.0) #0: Tue May 18 16:29:54 PDT 1999 PIX_TH_BB up 104 days 21 hours Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz Flash strata @ base 0x300 0: ethernet0: address is 0050.54ff.382e, irq 9 1: ethernet1: address is 0050.54ff.382f, irq 7 Licensed Options: Failover: Enabled IPSec: Disabled Ports allowed: 6 Serial Number: 1234567890 -- Two things that say its a UnRestricted pix. 1) 64Meg of Ram - Restricted pix has only 32meg 2) the Failover option is enabled If you have a Restricted and buy the upgrade you get 32meg of ram and a software patch. Hope this helps Andrew -Original Message- From: Florin Mechetiuc [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 02, 2001 3:22 PM To: [EMAIL PROTECTED] Subject: PIX failover I have couple of 520 firewalls ordered a while back but I don't know if is a way to check if they are in failover bundle. To be more specific , I have one up and running but I would like to install the failover and I don't which one is ( I have other three ordered for other projects). I think it might be a way of checking on Cisco's website by having the serial number of the main firewall and then I can get the the serial number of the failover. Thanks and Happy New Year ! Florin Mechetiuc [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover
PIX 520's don't have a R or UR version they all support failover. ""Florin Mechetiuc"" <[EMAIL PROTECTED]> wrote in message 92svsr$482$[EMAIL PROTECTED]">news:92svsr$482$[EMAIL PROTECTED]... > I have couple of 520 firewalls ordered a while back but I don't know if is a > way to check > if they are in failover bundle. > To be more specific , I have one up and running but I would like to install > the failover and I don't which one is ( I have other three > ordered for other projects). I think it might be a way of checking on > Cisco's website by having the serial number of the main firewall and > then I can get the the serial number of the failover. > > > > Thanks and Happy New Year ! > > > Florin Mechetiuc > [EMAIL PROTECTED] > > > _ > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX failover redundancy
Statefull failover can be doen if any interface on the PIX goes down. Each interface needs to be able to talk to the other interface on the second pix. So the inside on the primary has to be able to communicate with the inside on the secondary, DMZ to DMZ etc. and for statefull fail there has to be one dedicated ethernet port that simply connects the 2 pix's as well as the blue serial cable that connects the 2 pix's together. With statefull failover either all the interfaces need to be configured for failover or none of them. You cannot selectively put intewrfaces in or out of failover. It's the whole pix or not. You can have up to 6 and maybe even 8 now configured on the pix in a stateful failover with the 5.x code. -Original Message- From: mak [mailto:[EMAIL PROTECTED]] Sent: Monday, January 08, 2001 10:37 PM To: [EMAIL PROTECTED] Subject: PIX failover redundancy Hi all, I configure the two PIX with failover function. Is it once there is a link (in, out or DMZ) connected to PIX is going down, then the failover would be activated? Is it I can only configure one instance for each interface (in, out and DMZ) on one PIX? If so, why PIX 520 has six slots, if there are only three interfaces to be activated? Thanks Regards, mak _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix Failover Question
It sounds like they're both identical. That's good. Do you have ALL the interfaces in an UP state? and each pair of interfaces are on the same hub? A down interface will be considered a failure Both configs are identical? You power cycled both boxes at the same time? Rodgers Moore ""BE"" <[EMAIL PROTECTED]> wrote in message 8pt9cl$t1g$[EMAIL PROTECTED]">news:8pt9cl$t1g$[EMAIL PROTECTED]... > Hey gang! Any Pix gurus out there? > > I've been playing with a couple of Pixs (510s) trying to get the failover to > work. I thought it would be a piece of cake, but it just isn't showing me > any love. Ive got (2) Pix 510s that each have 3 NICs in them (internal, > untrusted, DMZ) each running 4.4. Everything seems all fine and dandy until > about 10 minutes later when the standby PIX starts stealing the DMZ > connections. > > Any thoughts? > > -Brad > bellis@opts ys.net > > used cisco hardware: www.opt sys.net > cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > http://www.groupstudy.com/list/Associates.html > _ > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > FAQ, list archives, and subscription info: http://www.groupstudy.com > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > **NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html _ UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html FAQ, list archives, and subscription info: http://www.groupstudy.com Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix Failover Question
Rodgers, Hi! Thanks for your response. The answer is YES to all of your questions. The really strange thing is, when I leave the single PIX 510 running for an extended period of time, it works great, no problems. When I add the second PIX, it just seems to grab the DMZ connection (but leaves the other two connections alone). My original guess was that there is some strange bug in 4.4 somewhere that I havent seen. Both boxes have the same config (and are sync'd up). -B ""Rodgers Moore"" <[EMAIL PROTECTED]> wrote in message 8ptbav$4fn$[EMAIL PROTECTED]">news:8ptbav$4fn$[EMAIL PROTECTED]... > It sounds like they're both identical. That's good. > Do you have ALL the interfaces in an UP state? and each pair of interfaces > are on the same hub? > > A down interface will be considered a failure > > Both configs are identical? You power cycled both boxes at the same time? > > Rodgers Moore > > ""BE"" <[EMAIL PROTECTED]> wrote in message 8pt9cl$t1g$[EMAIL PROTECTED]">news:8pt9cl$t1g$[EMAIL PROTECTED]... > > Hey gang! Any Pix gurus out there? > > > > I've been playing with a couple of Pixs (510s) trying to get the failover > to > > work. I thought it would be a piece of cake, but it just isn't showing me > > any love. Ive got (2) Pix 510s that each have 3 NICs in them (internal, > > untrusted, DMZ) each running 4.4. Everything seems all fine and dandy > until > > about 10 minutes later when the standby PIX starts stealing the DMZ > > connections. > > > > Any thoughts? > > > > -Brad > > bellis@opts ys.net > > > > used cisco hardware: www.opt sys.net > > cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware > > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > > http://www.groupstudy.com/list/Associates.html > > _ > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > > FAQ, list archives, and subscription info: http://www.groupstudy.com > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > http://www.groupstudy.com/list/Associates.html > _ > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > FAQ, list archives, and subscription info: http://www.groupstudy.com > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > **NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html _ UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html FAQ, list archives, and subscription info: http://www.groupstudy.com Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Pix Failover Question
A co-worker has seen this and it is a bug. He didn't remember the version number(s) affected. Rodgers Moore ""BE"" <[EMAIL PROTECTED]> wrote in message 8ptc7v$7a1$[EMAIL PROTECTED]">news:8ptc7v$7a1$[EMAIL PROTECTED]... > Rodgers, > > Hi! Thanks for your response. > > The answer is YES to all of your questions. The really strange thing is, > when I leave the single PIX 510 running for an extended period of time, it > works great, no problems. When I add the second PIX, it just seems to grab > the DMZ connection (but leaves the other two connections alone). My > original guess was that there is some strange bug in 4.4 somewhere that I > havent seen. > > Both boxes have the same config (and are sync'd up). > > -B > ""Rodgers Moore"" <[EMAIL PROTECTED]> wrote in message > 8ptbav$4fn$[EMAIL PROTECTED]">news:8ptbav$4fn$[EMAIL PROTECTED]... > > It sounds like they're both identical. That's good. > > Do you have ALL the interfaces in an UP state? and each pair of interfaces > > are on the same hub? > > > > A down interface will be considered a failure > > > > Both configs are identical? You power cycled both boxes at the same time? > > > > Rodgers Moore > > > > ""BE"" <[EMAIL PROTECTED]> wrote in message 8pt9cl$t1g$[EMAIL PROTECTED]">news:8pt9cl$t1g$[EMAIL PROTECTED]... > > > Hey gang! Any Pix gurus out there? > > > > > > I've been playing with a couple of Pixs (510s) trying to get the > failover > > to > > > work. I thought it would be a piece of cake, but it just isn't showing > me > > > any love. Ive got (2) Pix 510s that each have 3 NICs in them (internal, > > > untrusted, DMZ) each running 4.4. Everything seems all fine and dandy > > until > > > about 10 minutes later when the standby PIX starts stealing the DMZ > > > connections. > > > > > > Any thoughts? > > > > > > -Brad > > > bellis@opts ys.net > > > > > > used cisco hardware: www.opt sys.net > > > cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware > > > > > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > > > http://www.groupstudy.com/list/Associates.html > > > _ > > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > > > FAQ, list archives, and subscription info: http://www.groupstudy.com > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > > > > > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > > http://www.groupstudy.com/list/Associates.html > > _ > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > > FAQ, list archives, and subscription info: http://www.groupstudy.com > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > > > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > http://www.groupstudy.com/list/Associates.html > _ > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > FAQ, list archives, and subscription info: http://www.groupstudy.com > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > **NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html _ UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html FAQ, list archives, and subscription info: http://www.groupstudy.com Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Pix Failover Question
Brad, If the DMZ interface is not being used at the moment you need to connect any unused interfaces to the same unused interfaces on the standby PIX with a crossover cable. Dave Swink > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of > BE > Sent: Friday, September 15, 2000 8:44 AM > To: [EMAIL PROTECTED] > Subject: Pix Failover Question > > > Hey gang! Any Pix gurus out there? > > I've been playing with a couple of Pixs (510s) trying to get the > failover to > work. I thought it would be a piece of cake, but it just isn't showing me > any love. Ive got (2) Pix 510s that each have 3 NICs in them (internal, > untrusted, DMZ) each running 4.4. Everything seems all fine and > dandy until > about 10 minutes later when the standby PIX starts stealing the DMZ > connections. > > Any thoughts? > > -Brad > bellis@opts ys.net > > used cisco hardware: www.opt sys.net > cisco hardware newsgroup: news://news.opts ys.net/cisco.hardware > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to > http://www.groupstudy.com/list/Associates.html > _ > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html > FAQ, list archives, and subscription info: http://www.groupstudy.com > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] > **NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html _ UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html FAQ, list archives, and subscription info: http://www.groupstudy.com Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover!! [7:15848]
Hi, It is the cable only that selects the primary or secondary (it is even written on the cable). You make the configuration on the primary, and this will be sigronized with the secondary. Hope this helps, bye, ""Magdy H. Ibrahim"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Dear All, > > Sorry for the stupid question but I want to confirm it. > > I have to configure my PIX 515UR bundle... > How can I know the primary unit from the secondary unit?? > Is that from the failover cable only OR there is an other thing marked the > unit as primary or secondary??? > Please advice me soon,,, > > Regards,,, > > Magdy Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15856&t=15848 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover!! [7:15848]
I believe that the serial numbers will be registered as to whether it is UR or a failover. Both will work as stand-alone firewalls. Yes, the failover cable will determine which will be primary and which will be secondary. Once they are configured: show failover will show you which PIX is primary and which is secondary. Thanks, MikeN ""Magdy H. Ibrahim"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Dear All, > > Sorry for the stupid question but I want to confirm it. > > I have to configure my PIX 515UR bundle... > How can I know the primary unit from the secondary unit?? > Is that from the failover cable only OR there is an other thing marked the > unit as primary or secondary??? > Please advice me soon,,, > > Regards,,, > > Magdy Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15953&t=15848 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover!! [7:15848]
And keep in mind this Primary/Secondary business is completely separate from which firewall is Active and which is Standby. The Active/Standby question is the more important one. MikeN wrote: > I believe that the serial numbers will be registered as to whether it is UR > or a failover. Both will work as stand-alone firewalls. Yes, the failover > cable will determine which will be primary and which will be secondary. Once > they are configured: show failover will show you which PIX is primary and > which is secondary. > > Thanks, > MikeN > > ""Magdy H. Ibrahim"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Dear All, > > > > Sorry for the stupid question but I want to confirm it. > > > > I have to configure my PIX 515UR bundle... > > How can I know the primary unit from the secondary unit?? > > Is that from the failover cable only OR there is an other thing marked the > > unit as primary or secondary??? > > Please advice me soon,,, > > > > Regards,,, > > > > Magdy Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18209&t=15848 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover [7:51491]
In a stateful config, this is done by the standby PIX. It sends hello packets and runs the interface tests to the active pix and when it doesn't recieves any response it takes the role of the active pix. TCP and UDP connections will be maintained but not the IPSec and ICMP. - Original Message - From: "Leo Song" To: Sent: Thursday, August 15, 2002 9:21 PM Subject: PIX Failover [7:51491] > Hi, > > In a Stataful configuration, and two PIX are interconnected via a > dedicated Failover Fastethernet, in case of the Active unit's Internal > interface fails, is there any method to shift traffic to the Standby > unit's Internal interface to maintain connectivity, thanks. > > Leo > Best Regards. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51493&t=51491 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover [7:51491]
In article , [EMAIL PROTECTED] says... > Hi, > > In a Stataful configuration, and two PIX are interconnected via a > dedicated Failover Fastethernet, in case of the Active unit's Internal > interface fails, is there any method to shift traffic to the Standby > unit's Internal interface to maintain connectivity, thanks. > > Leo > Best Regards. Not sure what you mean there. That's what failover does unless I'm misunderstanding your question. You configure the main IP address for the interface and you configure a failover address. If the Pix's decide that the active one has a problem (power,interface down etc) the secondary pix takes over the main IP address. If the primary is still contactable it will have the failover IP address on its inside interface. That's why it's safe to telnet to the main IP address and you know that you're on the active Pix, but by console you need to do a show fail to make sure the device you're on is primary active or secondary active before you make changes. Regards, Gaz Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51497&t=51491 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover [7:51491]
Speaking of stateful PIX's, if I make a change on 1 PIX, and it has failover on, will it automatically make a change on the other PIX? ""Gaz"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > In article , [EMAIL PROTECTED] > says... > > Hi, > > > > In a Stataful configuration, and two PIX are interconnected via a > > dedicated Failover Fastethernet, in case of the Active unit's Internal > > interface fails, is there any method to shift traffic to the Standby > > unit's Internal interface to maintain connectivity, thanks. > > > > Leo > > Best Regards. > Not sure what you mean there. That's what failover does unless I'm > misunderstanding your question. > > You configure the main IP address for the interface and you configure a > failover address. If the Pix's decide that the active one has a problem > (power,interface down etc) the secondary pix takes over the main IP > address. > If the primary is still contactable it will have the failover IP address > on its inside interface. > > That's why it's safe to telnet to the main IP address and you know that > you're on the active Pix, but by console you need to do a show fail to > make sure the device you're on is primary active or secondary active > before you make changes. > > Regards, > > Gaz Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51520&t=51491 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover [7:51491]
Whenever you type a command on the active unit it's being replicated to the standby unit. So yes, it will automatically update standby unit but it's not written to memory unless you write to memory on the active first. ""Steven A. Ridder"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Speaking of stateful PIX's, if I make a change on 1 PIX, and it has failover > on, will it automatically make a change on the other PIX? > > > ""Gaz"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > In article , [EMAIL PROTECTED] > > says... > > > Hi, > > > > > > In a Stataful configuration, and two PIX are interconnected via a > > > dedicated Failover Fastethernet, in case of the Active unit's Internal > > > interface fails, is there any method to shift traffic to the Standby > > > unit's Internal interface to maintain connectivity, thanks. > > > > > > Leo > > > Best Regards. > > Not sure what you mean there. That's what failover does unless I'm > > misunderstanding your question. > > > > You configure the main IP address for the interface and you configure a > > failover address. If the Pix's decide that the active one has a problem > > (power,interface down etc) the secondary pix takes over the main IP > > address. > > If the primary is still contactable it will have the failover IP address > > on its inside interface. > > > > That's why it's safe to telnet to the main IP address and you know that > > you're on the active Pix, but by console you need to do a show fail to > > make sure the device you're on is primary active or secondary active > > before you make changes. > > > > Regards, > > > > Gaz Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51521&t=51491 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover [7:51491]
yes, it will sync automatically, or you can force it with "write standby" HTH, ms --- "Steven A. Ridder" wrote: > Speaking of stateful PIX's, if I make a change on 1 > PIX, and it has failover > on, will it automatically make a change on the other > PIX? > > > ""Gaz"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > In article , [EMAIL PROTECTED] > > says... > > > Hi, > > > > > > In a Stataful configuration, and two PIX are > interconnected via a > > > dedicated Failover Fastethernet, in case of the > Active unit's Internal > > > interface fails, is there any method to shift > traffic to the Standby > > > unit's Internal interface to maintain > connectivity, thanks. > > > > > > Leo > > > Best Regards. > > Not sure what you mean there. That's what failover > does unless I'm > > misunderstanding your question. > > > > You configure the main IP address for the > interface and you configure a > > failover address. If the Pix's decide that the > active one has a problem > > (power,interface down etc) the secondary pix takes > over the main IP > > address. > > If the primary is still contactable it will have > the failover IP address > > on its inside interface. > > > > That's why it's safe to telnet to the main IP > address and you know that > > you're on the active Pix, but by console you need > to do a show fail to > > make sure the device you're on is primary active > or secondary active > > before you make changes. > > > > Regards, > > > > Gaz [EMAIL PROTECTED] __ Do You Yahoo!? HotJobs - Search Thousands of New Jobs http://www.hotjobs.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51524&t=51491 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Failover cable [7:18001]
I believe it's part number PIX-FO= or you could buy it as LD-FO= since it is the same cable for the LocalDirector. Mark Smith wrote: > Does anyone have the part number for the failover cable for a 515 PIX. Mine > went MIA during a company move. I can't find on Cisco's or any vendor's site > where I can order just the cable by itself. A part number would be really > nice. Next best thing would be the pin out for the cable so I could (maybe) > modify a standard cable. Couldn't find that either. > > Thanks. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18021&t=18001 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover problem [7:56199]
I think you've got your config correct, when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen, the documentation does say you should use a separate switch for the failover NICs which should prevent this, http://www.cisco.com/warp/customer/110/failover.html . Do you use a failover cable as well, I would have thought the primary would prevent the failover but I'm not 100 percent sure. Cheers Pat ""Vamsi Krishna"" wrote in message news:200210241235.MAA05012@;groupstudy.com... > Hi, >We are facing a strange problem with PIX failover. We have two PIX = > 525 (OS 6.0.1) in failover configuration. When the standby PIX is = > rebooted for maintenance reasons, it came up and became the Active PIX = > (which should not happen). The active PIX showed stateful failover link = > failed and so the PIX was in failed state. Both the PIX are connected = > through a stateful failover link (100Mbps) using a Crossover cable.=20 >Is it a problem because both the PIX are connected using a crossover = > cable? Is it recommended to connect through a switch? Has anyone faced a = > similar problem? > > Regards, > Vamsi > **Disclaimer > > Information contained in this E-MAIL being proprietary to Wipro Limited is > 'privileged' and 'confidential' and intended for use only by the individual > or entity to which it is addressed. You are notified that any use, copying > or dissemination of the information contained in the E-MAIL in any manner > whatsoever is strictly prohibited. > > *** Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56216&t=56199 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover problem [7:56199]
Hi Pat, I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state. Has anyone faced this problem ? What is the normal practice of connecting PIX in failover configuration ? through cross over cable or through a separate switch ? Pls reply. Regards, Vamsi - Original Message - From: "Patrick Donlon" To: Sent: Thursday, October 24, 2002 4:11 PM Subject: Re: PIX failover problem [7:56199] > I think you've got your config correct, when any of the interfaces go down > on the active PIX it will switch into standby. So when you reboot the > standby it will cause this to happen, the documentation does say you should > use a separate switch for the failover NICs which should prevent this, > http://www.cisco.com/warp/customer/110/failover.html . Do you use a > failover cable as well, I would have thought the primary would prevent the > failover but I'm not 100 percent sure. > > Cheers > > Pat > > ""Vamsi Krishna"" wrote in message > news:200210241235.MAA05012@;groupstudy.com... > > Hi, > >We are facing a strange problem with PIX failover. We have two PIX = > > 525 (OS 6.0.1) in failover configuration. When the standby PIX is = > > rebooted for maintenance reasons, it came up and became the Active PIX = > > (which should not happen). The active PIX showed stateful failover link = > > failed and so the PIX was in failed state. Both the PIX are connected = > > through a stateful failover link (100Mbps) using a Crossover cable.=20 > >Is it a problem because both the PIX are connected using a crossover = > > cable? Is it recommended to connect through a switch? Has anyone faced a = > > similar problem? > > > > Regards, > > Vamsi > > **Disclaimer > > > > Information contained in this E-MAIL being proprietary to Wipro Limited is > > 'privileged' and 'confidential' and intended for use only by the > individual > > or entity to which it is addressed. You are notified that any use, > copying > > or dissemination of the information contained in the E-MAIL in any manner > > whatsoever is strictly prohibited. > > > > > *** **Disclaimer Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited. *** Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56219&t=56199 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover problem [7:56199]
Vamsi, I used the cable provided by Cisco to connect 2 525s through the failover ports and it's been working fine. Even though I don't know the answer but I don't think it's a good idea to connect 2 pixes through a switch. Good luck. Vamsi Krishna wrote:Hi Pat, I have got the correct configuration as mentioned in Cisco. I too think the primary PIX fails as the failover link goes into failed state as the secondary is down and secondary PIX will become active as the primary is in failed state. Has anyone faced this problem ? What is the normal practice of connecting PIX in failover configuration ? through cross over cable or through a separate switch ? Pls reply. Regards, Vamsi - Original Message - From: "Patrick Donlon" To: Sent: Thursday, October 24, 2002 4:11 PM Subject: Re: PIX failover problem [7:56199] > I think you've got your config correct, when any of the interfaces go down > on the active PIX it will switch into standby. So when you reboot the > standby it will cause this to happen, the documentation does say you should > use a separate switch for the failover NICs which should prevent this, > http://www.cisco.com/warp/customer/110/failover.html . Do you use a > failover cable as well, I would have thought the primary would prevent the > failover but I'm not 100 percent sure. > > Cheers > > Pat > > ""Vamsi Krishna"" wrote in message > news:200210241235.MAA05012@;groupstudy.com... > > Hi, > > We are facing a strange problem with PIX failover. We have two PIX = > > 525 (OS 6.0.1) in failover configuration. When the standby PIX is = > > rebooted for maintenance reasons, it came up and became the Active PIX = > > (which should not happen). The active PIX showed stateful failover link = > > failed and so the PIX was in failed state. Both the PIX are connected = > > through a stateful failover link (100Mbps) using a Crossover cable.=20 > > Is it a problem because both the PIX are connected using a crossover = > > cable? Is it recommended to connect through a switch? Has anyone faced a = > > similar problem? > > > > Regards, > > Vamsi > > **Disclaimer > > > > Information contained in this E-MAIL being proprietary to Wipro Limited is > > 'privileged' and 'confidential' and intended for use only by the > individual > > or entity to which it is addressed. You are notified that any use, > copying > > or dissemination of the information contained in the E-MAIL in any manner > > whatsoever is strictly prohibited. > > > > > *** **Disclaimer Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited. *** Do you Yahoo!? Y! Web Hosting - Let the expert host your web site Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56274&t=56199 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover problem [7:56199]
Hi Mike, Have you tried rebooting the Secondary PIX and check if the primary is active and after the rebooted pix comesup ? What is OS version of your PIX ? Vamsi - Original Message - From: "mike Dang" To: Sent: Friday, October 25, 2002 1:02 PM Subject: Re: PIX failover problem [7:56199] > Vamsi, > I used the cable provided by Cisco to connect 2 525s through the failover > ports and it's been working fine. Even though I don't know the answer but I > don't think it's a good idea to connect 2 pixes through a switch. > Good luck. > Vamsi Krishna wrote:Hi Pat, > I have got the correct configuration as mentioned in Cisco. I too think > the primary PIX fails as the failover link goes into failed state as the > secondary is down and secondary PIX will become active as the primary is in > failed state. > Has anyone faced this problem ? What is the normal practice of > connecting PIX in failover configuration ? through cross over cable or > through a separate switch ? > Pls reply. > > Regards, > Vamsi > - Original Message - > From: "Patrick Donlon" > To: > Sent: Thursday, October 24, 2002 4:11 PM > Subject: Re: PIX failover problem [7:56199] > > > > I think you've got your config correct, when any of the interfaces go down > > on the active PIX it will switch into standby. So when you reboot the > > standby it will cause this to happen, the documentation does say you > should > > use a separate switch for the failover NICs which should prevent this, > > http://www.cisco.com/warp/customer/110/failover.html . Do you use a > > failover cable as well, I would have thought the primary would prevent the > > failover but I'm not 100 percent sure. > > > > Cheers > > > > Pat > > > > ""Vamsi Krishna"" wrote in message > > news:200210241235.MAA05012@;groupstudy.com... > > > Hi, > > > We are facing a strange problem with PIX failover. We have two PIX = > > > 525 (OS 6.0.1) in failover configuration. When the standby PIX is = > > > rebooted for maintenance reasons, it came up and became the Active PIX = > > > (which should not happen). The active PIX showed stateful failover link > = > > > failed and so the PIX was in failed state. Both the PIX are connected = > > > through a stateful failover link (100Mbps) using a Crossover cable.=20 > > > Is it a problem because both the PIX are connected using a crossover > = > > > cable? Is it recommended to connect through a switch? Has anyone faced a > = > > > similar problem? > > > > > > Regards, > > > Vamsi > > > **Disclaimer > > > > > > Information contained in this E-MAIL being proprietary to Wipro Limited > is > > > 'privileged' and 'confidential' and intended for use only by the > > individual > > > or entity to which it is addressed. You are notified that any use, > > copying > > > or dissemination of the information contained in the E-MAIL in any > manner > > > whatsoever is strictly prohibited. > > > > > > > > > *** > **Disclaimer > > Information contained in this E-MAIL being proprietary to Wipro Limited is > 'privileged' and 'confidential' and intended for use only by the individual > or entity to which it is addressed. You are notified that any use, copying > or dissemination of the information contained in the E-MAIL in any manner > whatsoever is strictly prohibited. > > *** > Do you Yahoo!? > Y! Web Hosting - Let the expert host your web site **Disclaimer Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited. *** Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56287&t=56199 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX failover problem [7:56199]
Hi Vamsi, If you are using a cross over cable for state ful failover, make sure the interface speeds and duplex are matched on both PIXs. Do not leave them to autonegotiate. Such conditions usually occur, when the secondary unit is unable to detect the primary unit and therefore assumes itself to be active. You can check it by "show failover" command. Make sure that both PIX can see each other. regards, Nadeem. ""Vamsi Krishna"" wrote in message news:200210251610.QAA06470@;groupstudy.com... > Hi Mike, > Have you tried rebooting the Secondary PIX and check if the primary is > active and after the rebooted pix comesup ? What is OS version of your PIX ? > > Vamsi > - Original Message - > From: "mike Dang" > To: > Sent: Friday, October 25, 2002 1:02 PM > Subject: Re: PIX failover problem [7:56199] > > > > Vamsi, > > I used the cable provided by Cisco to connect 2 525s through the failover > > ports and it's been working fine. Even though I don't know the answer but > I > > don't think it's a good idea to connect 2 pixes through a switch. > > Good luck. > > Vamsi Krishna wrote:Hi Pat, > > I have got the correct configuration as mentioned in Cisco. I too think > > the primary PIX fails as the failover link goes into failed state as the > > secondary is down and secondary PIX will become active as the primary is > in > > failed state. > > Has anyone faced this problem ? What is the normal practice of > > connecting PIX in failover configuration ? through cross over cable or > > through a separate switch ? > > Pls reply. > > > > Regards, > > Vamsi > > - Original Message - > > From: "Patrick Donlon" > > To: > > Sent: Thursday, October 24, 2002 4:11 PM > > Subject: Re: PIX failover problem [7:56199] > > > > > > > I think you've got your config correct, when any of the interfaces go > down > > > on the active PIX it will switch into standby. So when you reboot the > > > standby it will cause this to happen, the documentation does say you > > should > > > use a separate switch for the failover NICs which should prevent this, > > > http://www.cisco.com/warp/customer/110/failover.html . Do you use a > > > failover cable as well, I would have thought the primary would prevent > the > > > failover but I'm not 100 percent sure. > > > > > > Cheers > > > > > > Pat > > > > > > ""Vamsi Krishna"" wrote in message > > > news:200210241235.MAA05012@;groupstudy.com... > > > > Hi, > > > > We are facing a strange problem with PIX failover. We have two PIX = > > > > 525 (OS 6.0.1) in failover configuration. When the standby PIX is = > > > > rebooted for maintenance reasons, it came up and became the Active PIX > = > > > > (which should not happen). The active PIX showed stateful failover > link > > = > > > > failed and so the PIX was in failed state. Both the PIX are connected > = > > > > through a stateful failover link (100Mbps) using a Crossover cable.=20 > > > > Is it a problem because both the PIX are connected using a crossover > > = > > > > cable? Is it recommended to connect through a switch? Has anyone faced > a > > = > > > > similar problem? > > > > > > > > Regards, > > > > Vamsi > > > > > **Disclaimer > > > > > > > > Information contained in this E-MAIL being proprietary to Wipro > Limited > > is > > > > 'privileged' and 'confidential' and intended for use only by the > > > individual > > > > or entity to which it is addressed. You are notified that any use, > > > copying > > > > or dissemination of the information contained in the E-MAIL in any > > manner > > > > whatsoever is strictly prohibited. > > > > > > > > > > > > > > *** > > **Disclaimer > > > > Information contained in this E-MAIL being proprietary to Wipro Limited is > > 'privileged' and 'confidential' and intended for use only by the > individual > > or entity to which it is addressed. You are notified that any use, copying > > or dissemination of the information contained in the E-MAIL in any manner > >
