Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 520 failover failed, network time out 1

Status
Not open for further replies.
shihlin

shihlin

MIS
Dec 6, 2004
45
US
I have very strange question regards to Cisco PIX Failover. I had 2 PIX 520, Primary and Secondary. Just couple months ago, Primary PIX is having some hardware issues and we take it down for in house repair. After we finish repair the PIX, we went a head and put it back online. However, the Internet connection failed right after: Synch Completed between Secondary (Active) to Primary (Standby). The interest thing is I am able to ping the INSIDE interface while both PIX are on and plug-in but other interface is timing out and failed. I make sure both PIX had similar configuration. Except some commands in Secondary (Active) PIX but not in Primary (Standby) PIX, such as Object-group, Access-list, pdm location, and some static route commands. I also verify failover by issues show failover to verify the failover function. All the outputs are shows correctly in failover, Secondary: Active, Primary: Standby and interfaces are in Normal status. However, just right after Secondary synch with Primary, my internet will fail (ping time out to public ip address), I restart both PIX several times but it does not help, the only way for me to bring back the network is disable the failover and take down the Primary PIX. I troubleshoot with cisco failover doc, but does not help: Any suggestions are greatly appreciates.

Thanks,

SL
 
Sort by date Sort by votes
What did you mean by in house repair? What version are you running on both firewalls? Can the Primary work as a standalone device?
 
Upvote 0 Downvote
Thanks for promptly reply. The in house repair means I change the motherboard (same model and manufacture as the one pull out from PIX) and power supply. I let it runs for days and seem to be working fine with no error. Both PIXs are running in PIX version 6.3(3) with failover option enable. Actually the firewall failover works before primary had hardware problem and during the repair on Primary I only fix the hardware and leaves software / configuration un-touch. I haven’t tried to let Primary to act as standalone on the network, but I did turn off the Secondary: Active and failover to Primary (show failover shows Primary become active) but still not work. It still stops the Internet for some reason. In general, if I attach the Primary on the network the Internet will fail but INSIDE interface had no problem.

Thanks,


SL
 
Upvote 0 Downvote
Can you try to put the primary as a stand alone unit and see if it works correctly? The activation key is based on the PIX serial number so if the inhouse repair affected the serial number it could be the reason for this abnormal behaviour. The first part would be to make sure the primary can work as a stand alone PIX.
 
Upvote 0 Downvote
Thanks for reply. I will try it and post my result here.

Thanks again,


SL
 
Upvote 0 Downvote
It finally works. This is how I did it.

1. I changed failover serial cable order by making Secondary to Primary and Primary (the one take down for repaired) to become Secondary.
2. Erase Secondary PIX (was Primary) configuration.
3. Connect all cables (5 cables) includes failover Ethernet cable.
4. Power-on Secondary PIX with no configuration. After secondary is on re-active Primary PIX (was Secondary) failover.
5. Auto synchronized started.
6. Save both Primary and Standby configuration.


Thanks,


SL
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
333
hairlessupportmonkey
hairlessupportmonkey
acabezas2014
  • Locked
  • Question
Configuring ASA for Network Segmentation
Replies
1
Views
386
acabezas2014
acabezas2014
jsaad
  • Locked
  • Question
udp timer
Replies
0
Views
545
jsaad
jsaad
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
190
xwray
xwray
TierOneTech
  • Locked
  • Question
TZ105 - can I define a second WAN interface for failover?
Replies
1
Views
210
jcarmichael1203
jcarmichael1203

Part and Inventory Search

Sponsor

Back
Top