rubbaninja
MIS
We had contractors place pixies out at a remote site.
Unfortunately, it did not come in house before going to the site so I didn't get to set it up.
Currently some traffic passes through the failover and I'm not sure why.
Hoping someone can lead me down the correct path so I can fix this once and for all.
First, this is the verbiage from the admin out at the partner site:
A crossover cable is active between firewalls. The cable is connected to the 1st port (left side facing the back) of the 4-port ethernet module. The onboard 'Ethernet 1' is connected to the protected side of your network and 'Ethernet 0' is connected to the unprotected. There is an RS232 PIX failover cable connected between the firewalls.
And here is the config
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security20
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
access-list acl-outside permit icmp any any unreachable
access-list acl-outside permit icmp any any echo-reply
access-list acl-outside permit icmp any any source-quench
access-list acl-outside permit icmp any any time-exceeded
access-list acl-outside deny icmp any any traceroute
access-list acl-outside permit ip any any
access-list acl-inside permit ip any any
ip address outside 10.10.251.2 255.255.255.0
ip address inside 172.65.1.254 255.255.255.0
ip address failover 172.65.254.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:01:00
failover poll 15
failover ip address outside 10.10.251.3
failover ip address inside 172.65.1.253
failover ip address failover 172.65.254.2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
failover link failover
failover lan unit primary
failover lan key ********
arp timeout 14400
global (outside) 1 10.20.0.1-10.20.255.254
nat (inside) 1 172.65.64.16 255.255.255.255 0 0
nat (inside) 1 172.65.64.17 255.255.255.255 0 0
nat (inside) 1 172.65.64.18 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.65.1.0 172.65.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 10.99.100.11 172.15.23.17 netmask 255.255.255.255 0 0
static (inside,outside) 172.66.254.146 172.66.254.146 netmask 255.255.255.255 0 0
static (inside,outside) 172.15.21.50 172.15.21.50 netmask 255.255.255.255 0 0
static (inside,outside) 172.15.21.51 172.15.21.51 netmask 255.255.255.255 0 0
static (inside,outside) 10.99.100.16 172.15.21.103 netmask 255.255.255.255 0 0
static (inside,outside) 10.99.100.17 172.66.254.186 netmask 255.255.255.255 0 0
static (inside,outside) 172.15.64.30 172.15.64.30 netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route inside 0.0.0.0 0.0.0.0 172.65.1.1 1
route outside 10.200.0.0 255.255.0.0 10.10.251.2 1
route outside 10.10.251.1 255.255.255.255 10.10.251.2 1
route outside 10.10.251.33 255.255.255.255 10.10.251.2 1
route outside 10.10.251.43 255.255.255.255 10.10.251.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:30:00 udp 0:15:00 rpc 0:15:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:01:00 inactivity
floodguard enable
Hope that's enough information. I'm not sure what step to take to stop this from happening as it causes issues a lot of the time with connections that flow through the FO unit.
Oh and, just before writing this I noticed the failover timeout was set to 0:00:00. I've since changed it to 0:01:00.
Thanks!
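A small cross-check over the posted config, added here as an example (it is not code from the original post or from Cisco). It parses the failover-relevant lines and reports the inconsistencies a reviewer would look for first: an interface with an active address but no standby address, the same address used for both units, a stateful link with no address, and a route whose next hop is one of the standby addresses (a route like that would hand traffic to the standby unit; that check is my own heuristic, not a PIX rule). The mode inference assumes PIX 6.x semantics, where 'failover lan enable' selects LAN-based failover and its absence means the serial failover cable is in use. The embedded config is the posted config reduced to the lines the checker reads.

```python
# Added example for this thread (not code from the original post or from Cisco):
# parse the failover-relevant lines of a PIX 6.3-style config and cross-check
# the active/standby addressing.
# Assumptions: PIX 6.x semantics where 'failover lan enable' selects LAN-based
# failover and its absence means the serial cable is used; the check for a
# route next hop equal to a standby address is a heuristic of mine.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted config reduced to the lines this checker reads.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security20
nameif ethernet3 intf3 security6
ip address outside 10.10.251.2 255.255.255.0
ip address inside 172.65.1.254 255.255.255.0
ip address failover 172.65.254.1 255.255.255.0
no ip address intf3
failover
failover timeout 0:01:00
failover poll 15
failover ip address outside 10.10.251.3
failover ip address inside 172.65.1.253
failover ip address failover 172.65.254.2
no failover ip address intf3
failover link failover
failover lan unit primary
failover lan key ********
route inside 0.0.0.0 0.0.0.0 172.65.1.1 1
route outside 10.200.0.0 255.255.0.0 10.10.251.2 1
"""


@dataclass
class PixFailover:
    active: Dict[str, str] = field(default_factory=dict)   # ifname -> active address
    standby: Dict[str, str] = field(default_factory=dict)  # ifname -> standby address
    routes: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (if, dest, mask, hop)
    failover_enabled: bool = False
    lan_enabled: bool = False          # 'failover lan enable' seen
    stateful_link: Optional[str] = None  # interface named by 'failover link'
    poll: Optional[int] = None         # 'failover poll' seconds


def parse_config(text: str) -> PixFailover:
    """Pull the failover-relevant statements out of a PIX 6.x config."""
    cfg = PixFailover()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+) \S+", line):
            cfg.active[m[1]] = m[2]
        elif m := re.fullmatch(r"failover ip address (\S+) (\S+)", line):
            cfg.standby[m[1]] = m[2]
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+) \d+", line):
            cfg.routes.append((m[1], m[2], m[3], m[4]))
        elif line == "failover":
            cfg.failover_enabled = True
        elif line == "failover lan enable":
            cfg.lan_enabled = True
        elif m := re.fullmatch(r"failover link (\S+)", line):
            cfg.stateful_link = m[1]
        elif m := re.fullmatch(r"failover poll (\d+)", line):
            cfg.poll = int(m[1])
    return cfg


def check_failover(cfg: PixFailover) -> Tuple[str, List[str]]:
    """Return (failover mode, list of findings); an empty list means no issue found."""
    findings: List[str] = []
    if not cfg.failover_enabled:
        findings.append("failover is not enabled")
    mode = "lan" if cfg.lan_enabled else "cable"
    # Every interface carrying an active address needs a distinct standby address.
    for ifname, addr in cfg.active.items():
        if ifname not in cfg.standby:
            findings.append(f"{ifname}: active address {addr} has no failover ip address")
        elif cfg.standby[ifname] == addr:
            findings.append(f"{ifname}: active and standby addresses are both {addr}")
    # Heuristic: a route whose next hop is a standby address steers traffic at the standby unit.
    standby_addrs = set(cfg.standby.values())
    for ifname, dest, mask, hop in cfg.routes:
        if hop in standby_addrs:
            findings.append(f"route {dest} {mask} on {ifname} points at standby address {hop}")
    # The stateful failover link must itself be an addressed interface.
    if cfg.stateful_link and cfg.stateful_link not in cfg.active:
        findings.append(f"stateful link '{cfg.stateful_link}' has no ip address")
    return mode, findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    mode, findings = check_failover(parsed)
    print(f"failover mode: {mode}, poll: {parsed.poll}s, stateful link: {parsed.stateful_link}")
    for name in parsed.active:
        print(f"  {name:<10} active {parsed.active[name]:<16} standby {parsed.standby.get(name, '-')}")
    print("findings:", findings or "none")
```

On the posted config the checker reports cable-based failover, a stateful link on the 'failover' interface, matching active/standby pairs on all three addressed interfaces, and no findings; paste the full running config in place of the sample to run it against a live box, and extend the regexes if your config uses statements the sample does not.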