Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 515E with failover primary set as failover

Status
Not open for further replies.
MichealC4

MichealC4

Programmer
Jun 26, 2003
457
Here's what's going on.

The primary pix, which as a UR license is set to be failover. The pix with the failover license is set to be the primary. The DHCP servers are set to issue the gateway address for the failover firewall which is set to be the primary. So basically the firewall with the failover license is actually passing traffic. We already know that it isn't syncing correctly, but could this cause problems? If it is not of immediate concern then we know we need to look elsewhere to resolve the problems, but I was wondering if this could cause problems. I don't know why it was set up this way, but if I need to fix it, I will.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Sort by date Sort by votes
Can you post the config, or confirm if you mean what I think here, your interfaces are getting their IP Address from DHCP?

Thanks

AJ

===

Fatman Superstar (Andrew James)

CCNA
 
Upvote 0 Downvote
No, the firewall interfaces have static IP addresses. The clients get their IP addresses from DHCP.

On the firewall that has a UR license, it has been set in the configuration to be the failover device. The firewall that has the failover license is set to be the primary. So the roles have been reversed.

I have already talked to Cisco though and they said it shouldn't cause problems.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Upvote 0 Downvote
The pix with the UR license should be the primary and the failover pix the secondary. The failover license is a limited functionality license and is not meant to remain the primary.

The PIX Firewall failover unit is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays at the console.

=========================NOTICE ==========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.

REBOOTING....
==========================================================

and it will also not replicate the commands over the fialove link.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Okay. I posted this before I contacted Cisco. Cisco told me that though it should be set properly (which I think we can all agree on that), it won't cause problems. I'm not sure why it was set that way, but it is. So you are telling me that it will cause problems? The Cisco tech did say that the failover would reboot every 24 hours, but if the two are running as a pair, it won't cause problems. I'm not sure he's correct, so I just want to make sure.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Upvote 0 Downvote
I have only set this up twice but when I had cisco on the phone, they said that the UR pix should be the primary and it will failover to the FO pix. Once my UR was fixed, I should fail it backover so that the UR is the active firewall. It may have changed with a newer software version since I did this.

I can't say that it "will" cause problems, but it might. What sync prolems are you experiencing? How is the failover setup (cable based, lan based - crossover, LAN/switch?)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Absolutely no syncing is occurring between the two. The failover is setup cable-based.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Upvote 0 Downvote
Easier said than done I'm afraid. But I'll talk to my boss again.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Upvote 0 Downvote
Well if it is not working, then you can't do that much harm. :)

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
321
hairlessupportmonkey
hairlessupportmonkey
TierOneTech
  • Locked
  • Question
TZ105 - can I define a second WAN interface for failover?
Replies
1
Views
210
jcarmichael1203
jcarmichael1203
texwiz
  • Locked
  • Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
298
texwiz
texwiz
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
239
ISDPCMAN
ISDPCMAN

Part and Inventory Search

Sponsor

Back
Top