Still trying to understand how PIX replication works - Firewalls

  1. Still trying to understand how PIX replication works

    I've got a pair of PIX 525s on active/standby. Recently, the primary
    one failed over to the secondary unit. I'm trying to understand what
    kind of state they're now in, especially the primary. The secondary
    unit now has the IP addresses from the primary unit and is handling
    traffic like you would expect. The primary unit seems to know what
    addresses it and the secondary are supposed to have now ("show fail"),
    but if you do 'show interface', the interfaces all still show up with
    the original addresses (which are now being used by the secondary).
    I've connected to the console of both and both configs seem to be the
    same (all recent changes are on the primary, too). The primary PIX
    isn't reachable from the network any longer.

    - is this normal behavior for failover?
    - if I try and make the primary active again, will this fix things?

    Thanks!


  2. Re: Still trying to understand how PIX replication works

    On Fri, 24 Oct 2008 13:01:09 -0700, pfisterfarm wrote:

    > I've got a pair of PIX 525s on active/standby. Recently, the primary
    > one failed over to the secondary unit. I'm trying to understand what
    > kind of state they're now in, especially the primary. The secondary
    > unit now has the IP addresses from the primary unit and is handling
    > traffic like you would expect. The primary unit seems to know what
    > addresses it and the secondary are supposed to have now ("show fail"),
    > but if you do 'show interface', the interfaces all still show up with
    > the original addresses (which are now being used by the secondary).
    > I've connected to the console of both and both configs seem to be the
    > same (all recent changes are on the primary, too). The primary PIX
    > isn't reachable from the network any longer.
    >
    > - is this normal behavior for failover?
    > - if I try and make the primary active again, will this fix things?
    >
    > Thanks!


    look for pfsync and carp tutorials, it's the same technique

  3. Re: Still trying to understand how PIX replication works

    On Oct 25, 10:29 am, Burkhard Ott wrote:
    > look for pfsync and carp tutorials, it's the same technique


    I've read a few things. Are there any that answer my questions?

    - is what I've described the way things should be after failover, or
    am I having other problems?
    - Should I try and switch back to the primary, or will that not work?

    Thanks!

  4. Re: Still trying to understand how PIX replication works

    On Mon, 27 Oct 2008 08:35:23 -0700, pfisterfarm wrote:
    > - is what I've described the way things should be after failover

    yes
    > - Should I try and switch back to the primary, or will that not work

    It would.

    cheers

  5. Re: Still trying to understand how PIX replication works

    pfisterfarm wrote:
    > On Oct 25, 10:29 am, Burkhard Ott wrote:
    >> look for pfsync and carp tutorials, it's the same technique

    >
    > I've read a few things. Are there any that answer my questions?
    >
    > - is what I've described the way things should be after failover, or
    > am I having other problems?
    > - Should I try and switch back to the primary, or will that not work?
    >
    > Thanks!


    Do a "show ver" and check the state. If you have an
    Unrestricted/Failover scenario, the normal active unit will list as
    "This PIX has an Unrestricted (UR) license." or similar. If the failover
    unit is active, it'll display "Failover license only" or similar. You
    can force the active back from failover by issuing a "conf t", then "no
    failover active". To force the failover PIX active, issue "conf t"
    followed by "failover active".
