Failover problem with PIX 515

From: Stefan Gasteiger (stefan@gasteiger.de)
Date: 01/09/03


From: Stefan Gasteiger <stefan@gasteiger.de>
Date: Thu, 09 Jan 2003 18:43:03 +0100

Hi!
 
Setup
-----
2 x PIX 515E with one inner and one outer ethernet interface, connected
with failover cable
 
Setup on Primary
----------------
ip address outside 192.168.101.67 255.255.255.0
ip address inside 172.30.200.253 255.255.255.0
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.101.68
failover ip address inside 172.30.200.254
 
Firmware on both machines
-------------------------
fw# sh ver
 
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
 
Compiled on Fri 07-Jun-02 17:49 by morlee
 
fw up 20 hours 21 mins
 
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
 
Problem
-------
Let's assume the secondary is active. I do a permanent ping from an inside
machine to an outside machine.
Now I switch off the primary (standby). No problem so far.
I switch on the primary again and the ping stops working,
although the secondary is still active.
 
I found that somehow there's a problem with addresses:
 
On the primary (standby):
 
fw# sh fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Standby
                Interface outside (192.168.101.68): Normal
                Interface inside (172.30.200.254): Normal
        Other host: Secondary - Active
                Interface outside (192.168.101.67): Normal
                Interface inside (172.30.200.253): Normal
 
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
 
fw# sh int
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.46aa.a620
  IP address 192.168.101.67, subnet mask 255.255.255.0
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.46aa.a621
  IP address 172.30.200.253, subnet mask 255.255.255.0
fw# sh arp
        outside 192.168.101.67 0009.b789.9028
        outside 192.168.101.227 0000.5e00.0102
        inside 172.30.200.253 0009.b789.9029
 
As you can see, the Primary uses 192.168.101.67 as external
ip address (sh int), although it should use 192.168.101.68!
 
When I do some sniffing, I see that the echo-reply goes to

when working: 0009.b789.9028 (virtual MAC address)
when not working: 000b.46aa.a620 (burned-in address of primary)
 
So it seems to me that the Primary is answering an ARP
request with its burned-in MAC address, although it should
not answer at all when in standby mode, or at least should
answer with the virtual MAC address when in active mode.
 
 
Any hints are appreciated - thanks in advance!

-- 
Stefan
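Added example, not part of the original post: a small checker that reads tcpdump-style ARP replies from a capture of the outside/inside segments and flags any reply for a failover-managed address that carries a unit's burned-in MAC instead of the expected virtual MAC, i.e. the symptom described above. The virtual MACs and the primary's burned-in addresses are taken from the post's "sh arp" and "sh int" output; the capture lines are constructed.

```python
import re

# Expected virtual MACs for the active unit's addresses (post's "sh arp").
VIRTUAL_MACS = {
    "192.168.101.67": "0009.b789.9028",
    "172.30.200.253": "0009.b789.9029",
}
# Burned-in addresses of the primary unit (post's "sh int").
BURNED_IN = {
    "000b.46aa.a620": "primary ethernet0 (outside)",
    "000b.46aa.a621": "primary ethernet1 (inside)",
}
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:.]+)")

def normalize_mac(mac):
    """Accept 00:09:b7:89:90:28 or 0009.b789.9028; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def classify_reply(ip, mac):
    """'ok' (virtual MAC), 'ignore' (IP not failover-managed), or an alert."""
    mac = normalize_mac(mac)
    expected = VIRTUAL_MACS.get(ip)
    if expected is None:
        return "ignore"
    if mac == expected:
        return "ok"
    if mac in BURNED_IN:
        return f"alert: {ip} answered by {BURNED_IN[mac]} BIA {mac}"
    return f"alert: {ip} answered by unknown MAC {mac}"

def audit_capture(lines):
    """Return alerts for every ARP reply found in tcpdump-style capture lines."""
    findings = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            verdict = classify_reply(m.group(1), m.group(2))
            if verdict not in ("ok", "ignore"):
                findings.append(verdict)
    return findings

# Constructed sample capture: the first reply is the healthy case, the
# second reproduces the post's symptom (primary's burned-in MAC answering).
SAMPLE = [
    "18:40:01.000123 ARP, Reply 192.168.101.67 is-at 00:09:b7:89:90:28, length 28",
    "18:43:03.000456 ARP, Reply 192.168.101.67 is-at 00:0b:46:aa:a6:20, length 28",
    "18:43:03.000789 ARP, Reply 192.168.101.200 is-at 00:11:22:33:44:55, length 28",
]
```

Running `audit_capture(SAMPLE)` reports only the second reply, which is exactly the mis-addressed echo-reply path the sniffer showed.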

