Troubleshooting Steps

Before working through some of the common scenarios, it is helpful to examine the syslog messages that appear on the secondary PIX firewall after you turn on logging, as shown in Example 3-29.

Example 3-29. Syslog on the Secondary PIX

PIX(config)# logging on
PIX(config)# logging monitor 7
PIX(config)# 111008: User 'enable_15' executed the 'logging con 7' command.
Detected an Active mate. Switching to Standby
Switching to Standby.

After the units are synchronized with each other, you can find out the status of a unit on both the primary and secondary with the show failover command. Example 3-30 shows the output of the show failover command on the primary unit.

Example 3-30. Monitoring Failover Status on Primary PIX Firewall

PIX(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 14:52:29 EST Wed Feb 9 2005
This host: Primary - Active
Active time: 14805 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (10.1.1.1): Normal
Interface stateful (1.1.1.1): Normal
Other host: Secondary - Standby
Active time: 250 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.2): Normal
Interface stateful (1.1.1.2): Normal

Stateful Failover Logical Update Statistics
Link : stateful
Stateful Obj    xmit     xerr   rcv     rerr
General         34036    0      1054    0
PIX#

Work through the following steps to troubleshoot the failover problem:

Step 1.
Level 1 syslog messages give the reason for a failover, so always check the syslog first to determine the root cause. For example, if the switch port connected to the inside interface of the active firewall failed, you would see the following messages on the primary (active) firewall:

411002: Line protocol on Interface inside, changed state to down
105007: (Primary) Link status 'Down' on interface 1
104002: (Primary) Switching to STNDBY - interface check, mate is healthier

The syslog on the secondary (standby) firewall reports the following message:

104001: (Secondary) Switching to ACTIVE - mate want me Active

Step 2.
Execute show interface on both PIX firewalls to make sure the interfaces (including the failover and stateful interfaces) are up and that line protocol is up.

Step 3.
Test connectivity by pinging the failover interface IP address of the peer unit. Be sure ICMP is permitted on the interfaces involved; otherwise the ping fails even when the link is healthy.

Step 4.
If the primary and secondary are connected to two different switches, be sure that all VLANs used by the firewall interfaces (including the failover and stateful VLANs) are trunked between the switches.

Step 5.
Be sure 802.1Q (dot1Q) trunking is enabled on every switch port in the path between the two units, so that each VLAN is carried end to end.
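The following is an added example, not code from the book or from Cisco, that automates the checks behind Step 1 and the show failover review above. It parses PIX syslog lines for the failover-related message IDs quoted in Step 1 (104001, 104002, 105007, 411002), pulls the role and reason text out of the 104001/104002 messages, and parses show failover output (in the layout of Example 3-30) to flag any condition worth following up: failover not On, a bad cable status, or an interface whose state is not Normal. The sample syslog and show failover text are constructed for the example; the show failover sample deliberately marks one interface as Failed so the check has something to report. The function names and the problem wording are this example's own choices.

```python
"""Parse PIX failover syslog messages and show failover output to find the cause of a failover."""
import re
from dataclasses import dataclass
from typing import Optional

# Syslog message IDs the troubleshooting steps tell you to look for.
FAILOVER_MSG_IDS = {
    "104001": "unit switched to ACTIVE",
    "104002": "unit switched to STANDBY",
    "105007": "link status change seen by failover",
    "411002": "interface line protocol changed state",
}

# Constructed sample syslog, modelled on the messages quoted in Step 1.
SAMPLE_SYSLOG = """\
411002: Line protocol on Interface inside, changed state to down
105007: (Primary) Link status 'Down' on interface 1
104002: (Primary) Switching to STNDBY - interface check, mate is healthier
104001: (Secondary) Switching to ACTIVE - mate want me Active
"""

# Constructed sample of show failover output in the layout of Example 3-30,
# after the inside interface on the primary has failed and the roles have swapped.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 5 seconds
Last Failover at: 14:52:29 EST Wed Feb 9 2005
        This host: Primary - Standby
                Active time: 14805 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.1.1.1): Failed
                Interface stateful (1.1.1.1): Normal
        Other host: Secondary - Active
                Active time: 250 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.2): Normal
                Interface stateful (1.1.1.2): Normal
"""

SYSLOG_RE = re.compile(r"^(?P<id>\d{6}):\s*(?:\((?P<unit>Primary|Secondary)\)\s*)?(?P<text>.*)$")
# The separator before the reason is optional, so a line whose " - " was lost still parses.
SWITCH_RE = re.compile(r"Switching to (?P<role>ACTIVE|STNDBY)\s*-?\s*(?P<reason>.*)$")
HOST_RE = re.compile(r"(?P<which>This|Other) host:\s*(?P<unit>Primary|Secondary)\s*-\s*(?P<role>\w+)")
IFACE_RE = re.compile(r"Interface (?P<name>\S+)\s*\((?P<ip>[\d.]+)\):\s*(?P<state>\w+)")


@dataclass
class FailoverEvent:
    msg_id: str
    unit: Optional[str]    # Primary / Secondary when the message names a unit
    role: Optional[str]    # ACTIVE / STNDBY for 104001 / 104002, else None
    reason: Optional[str]  # reason text from 104001 / 104002, else None
    text: str


def parse_failover_syslog(log_text):
    """Return the failover-related events found in syslog text, in the order they appear."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m or m["id"] not in FAILOVER_MSG_IDS:
            continue  # not one of the message IDs we care about
        role = reason = None
        s = SWITCH_RE.search(m["text"])
        if s:
            role, reason = s["role"], s["reason"].strip() or None
        events.append(FailoverEvent(m["id"], m["unit"], role, reason, m["text"]))
    return events


def parse_show_failover(output):
    """Parse show failover output into the failover flag, cable status, and per-unit roles and interface states."""
    status = {"enabled": False, "cable": None, "hosts": {}}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):          # "Failover On" / "Failover Off"
            status["enabled"] = line.split()[1] == "On"
        elif line.startswith("Cable status:"):
            status["cable"] = line.split(":", 1)[1].strip()
        h = HOST_RE.match(line)
        if h:
            current = h["unit"]
            status["hosts"][current] = {"role": h["role"], "interfaces": {}}
            continue
        i = IFACE_RE.match(line)
        if i and current:
            status["hosts"][current]["interfaces"][i["name"]] = {"ip": i["ip"], "state": i["state"]}
    return status


def failover_problems(status):
    """List the conditions to follow up on: failover off, bad cable, or any interface not Normal."""
    problems = []
    if not status["enabled"]:
        problems.append("failover is not On")
    if status["cable"] and status["cable"] != "Normal":
        problems.append(f"cable status is {status['cable']}")
    for unit, info in status["hosts"].items():
        for name, iface in info["interfaces"].items():
            if iface["state"] != "Normal":
                problems.append(f"{unit} interface {name} ({iface['ip']}) is {iface['state']}")
    return problems


if __name__ == "__main__":
    for ev in parse_failover_syslog(SAMPLE_SYSLOG):
        print(ev.msg_id, FAILOVER_MSG_IDS[ev.msg_id], ev.unit, ev.role, ev.reason)
    for p in failover_problems(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("PROBLEM:", p)
```

Run against real syslog and a pasted show failover, the 104002 reason text ("interface check, mate is healthier") plus the first non-Normal interface in the status output usually point straight at the switch port or VLAN that Steps 2 through 5 then confirm.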