
PIX failover 520 to 515E

Status
Not open for further replies.
May 19, 2004
Just recently bought a 515E Failover edition. Put it in place and all works fine, for a while. I can do the show failover and it shows up as Primary (520) standby, Secondary (active). Then the roles flip around after a while, from active/active, active/active failed, active/standby failed, etc. The users complain of dropped connections. For example, when it flips the failover state around and I have a Citrix connection up, it drops it, then reconnects, then drops repeatedly.

This is a fairly new failover PIX (3-4 months old). We moved the company during this time and the secondary PIX was off. If it's off, all works great. Once it comes up, it will begin to act ugly. Yesterday I did a failover reset and this seemed to clear things up for a while, but then it started it again.

Any ideas? I included the states at different intervals. These were captured over a few minutes. Also, the IPs have been changed to protect the innocent....

On the primary PIX

sh failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 01:00:59 UTC Wed May 10 2006
This host: Primary - Standby (the 520 pix)
Active time: 720 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface DMZ (0.0.0.0): Normal (Waiting)
Other host: Secondary - Active (the 515 Pix)
Active time: 75 (sec)
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.232): Normal (Waiting)
Interface DMZ (10.10.1.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
Link : Unconfigured.
Failover config as seen on the primary pix

failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ

After setting it to active failover from "primary"

Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 01:29:01 UTC Wed May 10 2006
This host: Primary - Active
Active time: 960 (sec)
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface DMZ (10.10.1.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 510 (sec)
Interface outside (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface DMZ (0.0.0.0): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

After typing "no failover active" at the "secondary":

Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 12:00:54 UTC Tue May 9 2006
This host: Secondary - Active
Active time: 450 (sec)
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface DMZ (10.10.1.1): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
Other host: Primary - Standby (Failed)
Active time: 1185 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface DMZ (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Unknown (Shutdown)
Interface intf4 (0.0.0.0): Unknown (Shutdown)
Interface intf5 (0.0.0.0): Unknown (Shutdown)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

On the "primary" at the console:
sh failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 01:36:14 UTC Wed May 10 2006
This host: Primary - Active
Active time: 1260 (sec)
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface DMZ (10.10.1.1): Normal (Waiting)
Other host: Secondary - Active
Active time: 480 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface DMZ (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
Link : Unconfigured.

Then it changed to:
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 01:36:14 UTC Wed May 10 2006
This host: Primary - Active
Active time: 1365 (sec)
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface DMZ (10.10.1.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 555 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface DMZ (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
Link : Unconfigured.
 
NetworkDoc,
Did this ever work or has it been a problem from the start? Are the PIXs identical down to the RAM and flash size? If so, can you post some configs?

Brent
Systems Engineer / Consultant
CCNP
 
Cannot say they ever worked for sure. They are not exactly identical. I noticed yesterday that the RAM on the 520 is 64 MB, the 515 is 128; I need to check the flash. The images are of course the same.

Here is a cleaned config from the Primary PIX.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname PIX
domain-name beammeupscotty.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.24 SRV01
name 10.10.10.13 SRV02
name 10.10.10.14 SRV03
name 10.10.10.15 SRV04
access-list 1 permit tcp host 10.10.10.0 host 0.0.0.255
access-list 101 permit ip 10.15.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list 101 permit ip host 6.112.6.162 10.0.5.0 255.255.255.0
access-list 101 permit ip 10.0.5.0 255.255.255.0 15.63.2.0 255.255.255.192
access-list outside permit icmp any any
access-list outside permit tcp any host 6.112.6.164 eq www
access-list outside permit tcp any host 6.112.6.165 eq www
access-list outside permit tcp any host 6.112.6.167 eq 14000
access-list outside permit tcp any host 6.112.6.163 eq www
access-list outside permit tcp any host 6.112.6.167 eq www
access-list WEBDMZ permit ip any any
access-list WEBDMZ permit icmp any any
access-list ipsec permit ip 10.10.10.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ipsec permit ip 10.10.10.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list 105 permit ip host 6.112.6.162 10.0.5.0 255.255.255.0
access-list 105 permit ip 10.0.5.0 255.255.255.0 15.63.2.0 255.255.255.192
access-list 105 permit ip host 10.10.10.176 10.0.5.0 255.255.255.0
access-list 105 permit icmp any any
no pager
logging on
logging buffered errors
logging trap debugging
logging host inside 10.10.10.2
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 6.112.6.162 255.255.255.240
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 10.15.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.100.1-172.16.100.100
failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 10.15.1.0 255.255.255.0 0 0
static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.0.0.0 0 0
static (DMZ,outside) 6.112.6.164 10.15.1.177 netmask 255.255.255.255 0 0
static (inside,outside) 66.152.3.245 SRV02 netmask 255.255.255.255 0 0
static (inside,outside) 6.112.6.167 10.10.10.244 netmask 255.255.255.255 0 0
static (inside,outside) 6.112.6.163 10.10.10.248 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group WEBDMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 6.112.6.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address ipsec
crypto map mymap 10 set peer 28.77.174.26
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key hidden address 28.77.174.26 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnClients address-pool ippool
vpngroup vpnClients default-domain beammeupscotty.com
vpngroup vpnClients split-tunnel 101
vpngroup vpnClients idle-time 1800
vpngroup vpnClients password hidden
vpngroup vpnclients dns-server 10.10.10.28
vpngroup vpnclients default-domain beammeupscotty.local
vpngroup vpnclients idle-time 1800
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd dns 10.10.10.28
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
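Beyond the failover question, the posted config carries a few settings a security reviewer would flag on sight: SSH accepted from any source address on the outside interface, the default "public" SNMP community, a DMZ access list that permits ip any any, Flood Guard disabled, and single DES with MD5 for the IPsec VPN. The lint below is added here as an example (it is not code from the thread or from Cisco); it runs over a constructed excerpt of that config and pairs each hit with a suggested form. The management host 203.0.113.10 and the angle-bracket fields in the suggestions are placeholders to be filled in for the site.

```python
"""Lint the PIX 6.3 configuration posted above for settings a security
reviewer would question. Added example, not from the thread or from Cisco;
the excerpt is constructed from lines in the posted config, and the
replacement text (the 203.0.113.10 management host, the <...> fields) is a
placeholder to be filled in for the site."""
import re
from collections import Counter

# (code, line pattern, why it matters, suggested form; {0} is the first regex group)
RULES = [
    ("SSH_FROM_ANY", re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)$"),
     "SSH management reachable from any source address on that interface",
     "ssh 203.0.113.10 255.255.255.255 {0}"),
    ("DEFAULT_SNMP_COMMUNITY", re.compile(r"^snmp-server community (public|private)$"),
     "well-known community string; change it and restrict pollers with snmp-server host",
     "snmp-server community <long random string>"),
    ("ACL_PERMIT_ANY", re.compile(r"^access-list (\S+) permit ip any any$"),
     "permits everything; once applied with access-group the interface is unfiltered",
     "access-list {0} permit tcp <dmz-net> <mask> host <inside-server> eq <port>"),
    ("WEAK_IPSEC", re.compile(r"^(crypto ipsec transform-set \S+ .*esp-des.*|isakmp policy \d+ (?:encryption des|hash md5))$"),
     "single DES and MD5 for IPsec/IKE",
     "esp-3des esp-sha-hmac (or esp-aes-256 where licensed) and isakmp policy ... encryption 3des / hash sha"),
    ("FLOODGUARD_OFF", re.compile(r"^no floodguard enable$"),
     "Flood Guard off: the PIX stops reclaiming resources held by unanswered user-authentication (uauth) attempts",
     "floodguard enable"),
]


def lint_pix_config(text: str) -> list:
    """Return (code, offending line, suggested replacement) for every hit."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        for code, pat, _why, suggest in RULES:
            if m := pat.match(line):
                hits.append((code, line, suggest.format(*m.groups())))
    return hits


def summarize(hits) -> dict:
    """Count hits per rule code."""
    return dict(Counter(code for code, _, _ in hits))


# Constructed excerpt of the config posted in the thread (addresses as posted).
CONFIG_EXCERPT = """\
access-list outside permit tcp any host 6.112.6.164 eq www
access-list WEBDMZ permit ip any any
access-list WEBDMZ permit icmp any any
no floodguard enable
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
telnet 10.10.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    for code, line, fix in lint_pix_config(CONFIG_EXCERPT):
        why = next(r[2] for r in RULES if r[0] == code)
        print(f"{code}: {line}\n    why: {why}\n    try: {fix}")
```

Run stand-alone it prints seven hits for the excerpt (three of them for the DES/MD5 lines). The rules are deliberately literal string matches on PIX 6.x syntax; an ACL rule that only fires when the list is actually bound with access-group would need the cross-reference, which is left out here to keep the example readable.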
 
I didn't catch that you had different PIX units. My understanding from cisco when I asked was that you needed identical units. (515e to 515 wouldn't work even if everything else was the same.) They said identical down to the flash and RAM size. They didn't tell me what would happen if I connected two different systems for failover just that it was bad.

This seems to support this.

If somebody knows a way around this, I would sure like to know as well.

If you have enough interfaces, you can set it up for stateful failover, although I think there will still be problems if it is constantly switching the active role.

Brent
Systems Engineer / Consultant
CCNP
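The show failover outputs in the opening post already hold the evidence for the flapping, for the dropped sessions, and for the hardware mismatch Brent points to. The script below is added here as an example (not code from the thread or from Cisco). It parses the PIX 6.x show failover layout and flags: both units claiming Active, a peer marked Failed, interfaces where the peer shows 0.0.0.0 (the posted config has "no failover ip address" on every interface, so interface monitoring between the units cannot work there), and "Link : Unconfigured", which means there is no stateful failover link, so the standby holds no copy of the connection table and every role change drops established sessions such as the Citrix connection. Comparing the interface list each unit reports for itself shows the secondary exposing intf3 to intf5, which the primary never lists. The two snapshots are constructed from the outputs above; the finding codes are the example's own naming.

```python
"""Parse PIX 6.x `show failover` output and flag the states behind the
flapping and dropped sessions in the opening post. Added example, not code
from the thread or from Cisco; the snapshots are constructed from outputs
posted in the thread and the finding codes are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)\s+-\s+(Active|Standby)(\s*\(Failed\))?")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")
LINK_RE = re.compile(r"^Link\s*:\s*(.+?)\.?\s*$")   # stateful failover link line


@dataclass
class HostState:
    role: str                      # Primary / Secondary
    state: str                     # Active / Standby
    failed: bool = False           # "(Failed)" suffix present
    interfaces: dict = field(default_factory=dict)   # name -> (ip, status text)


@dataclass
class Snapshot:
    stateful_link: str = ""
    this_host: HostState | None = None
    other_host: HostState | None = None


def parse_show_failover(text: str) -> Snapshot:
    # Interface lines belong to whichever "This host"/"Other host" block precedes them.
    snap, current = Snapshot(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            current = HostState(m.group(2), m.group(3), m.group(4) is not None)
            if m.group(1) == "This":
                snap.this_host = current
            else:
                snap.other_host = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3))
        elif m := LINK_RE.match(line):
            snap.stateful_link = m.group(1)
    return snap


def audit(snap: Snapshot) -> list:
    """(code, explanation) pairs for the states that cost availability."""
    a, b = snap.this_host, snap.other_host
    if a is None or b is None:
        return [("INCOMPLETE", "no 'This host'/'Other host' block found")]
    out = []
    if a.state == b.state == "Active":   # the active unit owns the system IP/MAC; two of them collide
        out.append(("SPLIT_BRAIN", "both units claim Active"))
    out += [("PEER_FAILED", f"{h.role} is marked Failed") for h in (a, b) if h.failed]
    no_ip = sorted(n for n, (ip, _) in b.interfaces.items() if ip == "0.0.0.0")
    if no_ip:   # matches the 'no failover ip address' lines in the posted config
        out.append(("NO_STANDBY_IP", "peer has no standby address on " + ", ".join(no_ip)
                    + "; interface monitoring between the units cannot work there"))
    if snap.stateful_link.lower().startswith("unconfigured"):
        out.append(("NO_STATEFUL_LINK", "no stateful link: the standby holds no connection "
                    "table, so each role change drops established sessions"))
    return out


def interface_mismatch(view_a: Snapshot, view_b: Snapshot) -> tuple:
    """Interfaces each unit reports for itself that the other lacks."""
    ia, ib = set(view_a.this_host.interfaces), set(view_b.this_host.interfaces)
    return ia - ib, ib - ia


# Constructed from the thread: the primary's view while both units were
# Active, and the secondary's view while it saw the primary as Failed.
PRIMARY_VIEW = """\
This host: Primary - Active
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Other host: Secondary - Active
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Link : Unconfigured.
"""
SECONDARY_VIEW = """\
This host: Secondary - Active
Interface outside (16.2.166.2): Normal (Waiting)
Interface inside (10.0.0.1): Normal (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
Other host: Primary - Standby (Failed)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface intf3 (0.0.0.0): Unknown (Shutdown)
Interface intf4 (0.0.0.0): Unknown (Shutdown)
Interface intf5 (0.0.0.0): Unknown (Shutdown)
Link : Unconfigured.
"""

if __name__ == "__main__":
    p, s = parse_show_failover(PRIMARY_VIEW), parse_show_failover(SECONDARY_VIEW)
    for name, snap in (("primary view", p), ("secondary view", s)):
        print(name, audit(snap))
    print("ports only the secondary exposes:", sorted(interface_mismatch(p, s)[1]))
```

Run stand-alone it prints the findings for both views and the three extra ports. For a pair that really is identical hardware, the fix for the session drops is a stateful failover link plus standby addresses on each interface, both of which the posted config omits; for this 520/515E pair, as the thread concludes, no configuration change makes the two units a supported pair.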
 
I double checked. It is a 515 the failover is a 515E, I had another system in mind when I wrote that evidently.

I read the article, good read. I had called cisco in advance and they told me it would work before we got it. I called back today and the guy told me that it won't work. The 515e isn't compatible with the 515.

So I guess that answers the question...

Thanks a lot for your help.
 
Sorry about the news. I had the same situation, but the company had already purchased the new PIX. You might get Cisco to help out since they gave you incorrect info at first (always worth a try). Or you might hit up eBay and offset your cost.

Brent
Systems Engineer / Consultant
CCNP
 