Re: [fw-wiz] Question on PIX replication



This happened to me while working for one customer. It appeared to be a
combination of failover link problems and perhaps even a software bug. I had
to clear both boxes (write erase) and reload the configurations.

You can run the 'debug fover ...' commands to get more meaningful results as
to what exactly is going wrong.
(But please be careful in a production environment with regard to turning
on debugs.)

Regards

Farrukh

On Wed, Aug 20, 2008 at 11:23 PM, Steven Pfister <SPfister@xxxxxxxxxxxxx> wrote:

I've got a pair of PIX 525 in an active/standby configuration. I recently
made some fairly large configuration changes to the active pix. Ever since
then, I'm getting some errors when writing the config to the standby unit.
The error looks something like:

"At <date/time>, this active PIX was sending it configuration to the
standby PIX and would not properly accept
configuration changes. After this PIX notifies ASDM that configuration
synchronization is complete, ASDM will
send the current configuration changes.

Send configuration to the PIX now anyway rather than waiting?"

If I answer Send, I get another dialog which contains "write standby" and
"Config replication in progress... Please try later."

There seems to have been a failover to the secondary unit, and the primary
unit is in a state called "sync config". On the primary, all the interfaces
are down/up and seem to have the same IP addresses as the secondary (which
is now the active unit). Is this normal for the state it's in, or are the
interfaces down because of IP address conflicts?

How can I best get the standby pix back in sync with the active one?

Thanks!
--Steve



Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister@xxxxxxxxxxxxx


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
