I would replace the crossover cable first.
Having PIX send syslog messages to a syslog server takes a bit of
configuring. Please refer to
http://www.cisco.com/warp/public/110/pixsyslog.html.
If your PIX is configured to send syslog messages to a node but either
the node does not exist or is not properly configured, the messages just
get dropped.
Anchi
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Tuesday, March 26, 2002 2:40 AM
To: Zhang, Anchi; cisco-nsp@puck.nether.net
Subject: R: PIX Firewall serie 535
How you can see from syslog messages :
Mar 25 11:13:50 [pix] %PIX-4-106023: Deny udp src outside:A.B.C.D/52648
dst inside:A.B.C.D/514 by access
-group "CSM-acl-outside"
Mar 25 11:17:32 [pix] %PIX-1-105005: (Secondary) Lost Failover
communications with mate on interface 7
Mar 25 11:17:32 [pix] %PIX-1-105008: (Secondary) Testing Interface 7
Mar 25 11:18:13 [pix] %PIX-1-104004: (Secondary) Switching to OK.
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
7 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
6 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
5 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
4 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
3 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
2 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
0 waiting
Mar 25 11:18:13 [pix] %PIX-1-105003: (Secondary) Monitoring on interface
1 waiting
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
7 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
4 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
3 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
6 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
2 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
5 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
0 normal
Mar 25 11:19:43 [pix] %PIX-1-105004: (Secondary) Monitoring on interface
1 normal
from 11:13:50 until 11:17:32 i've not the syslog messages , and after i
find this error msg "lost failover communications...."
What do you think?
Why the pix didn't write on the syslog?
Problem of connectivity network?
I ask me : when the pix can't write syslog msg on the syslog server ,
What does it happen?
Thanks for your collaboration.
Roberto P.
-----Messaggio originale-----
Da: Zhang, Anchi [mailto:AZhang@reliant.com]
Inviato: luned́ 25 marzo 2002 20.30
A: Roberto Paoletti; cisco-nsp@puck.nether.net
Oggetto: RE: PIX Firewall serie 535
Are you saying that those syslog messages showed up only right after you
connected interface 7?
Would you have all the syslog messages from the secondary during that
time?
Anchi
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Monday, March 25, 2002 11:34 AM
To: Zhang, Anchi; cisco-nsp@puck.nether.net
Subject: R: PIX Firewall serie 535
Hi , yes the interface 7 is connected to the primary pix by crossover
cable.
This interface is connected only back-to-back without traffic internet.
No, i didn't reboot the primary, but this morning i riceived the alert
messages for " Lost Failover communications with mate on interface 7"
and after i connetced on the pix and i 've seen this mistake.
I attached the show failover and show interface :
-------------------------SHOW
FAILOVER----------------------------------------
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 23160 (sec)
Interface DMZ-slot:7 (192.168.10.9): Normal
Interface DMZ-slot:6 (192.168.10.13): Normal
Interface DMZ-slot:5 (192.168.10.17): Normal
Interface DMZ-slot:4 (192.168.10.1): Normal
Interface DMZ-slot:3 (192.168.10.5): Normal
Interface inside (X.X.X.X): Normal
Interface outside (X.X.X.X): Normal
Interface DMZ-Slot:2 (X.X.X.X): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface DMZ-slot:7 (192.168.10.10): Normal
Interface DMZ-slot:6 (192.168.10.14): Normal
Interface DMZ-slot:5 (192.168.10.18): Normal
Interface DMZ-slot:4 (192.168.10.2): Normal
Interface DMZ-slot:3 (192.168.10.6): Normal
Interface inside (X.X.X.X): Normal
Interface outside (X.X.X.X): Normal
Interface DMZ-Slot:2 (X.X.X.X): Normal
Stateful Failover Logical Update Statistics
Link : DMZ-slot:4
Stateful Obj xmit xerr rcv rerr
General 4728402 8463 36978 0
sys cmd 3119 0 3114 0
up time 2 0 2 0
xlate 1045 0 351 0
tcp conn 4724236 0 33511 71
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 128 36978
Xmit Q: 0 419 4738791
-----------------------------SHOW
INTERFACE-------------------------------
interface ethernet5 "DMZ-slot:7" is up, line protocol is up
Hardware is i82558 ethernet, address is 00e0.b604.4866
IP address 192.168.10.9, subnet mask 255.255.255.252
MTU 1500 bytes, BW 100000 Kbit full duplex
1498 packets input, 92852 bytes, 0 no buffer
Received 2 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1538 packets output, 105116 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/2)
output queue (curr/max blocks): hardware (0/10) software (0/9)
------------------------------------------------------------------------
--------------------------------
Is it possible an attack ?
THANKS FOR YOUR COLLABORATION.
CIAO
Roberto P.
-----Messaggio originale-----
Da: Zhang, Anchi [mailto:AZhang@reliant.com]
Inviato: luned́ 25 marzo 2002 16.47
A: Roberto Paoletti; cisco-nsp@puck.nether.net
Oggetto: RE: PIX Firewall serie 535
How is the interface 7 on your secondary connected to that of your
primary? Via a crossover cable, a switch, or a hub?
What is interface 7 for? Your outside interface?
Did the primary reboot?
"show failover" and "show interface" output would be helpful.
Anchi
-----Original Message-----
From: Roberto Paoletti [mailto:roberto.paoletti@mail.wind.it]
Sent: Monday, March 25, 2002 9:21 AM
To: cisco-nsp@puck.nether.net
Subject: PIX Firewall serie 535
Hi ,
i' ve a problem with the pix 535.
Sometimes (2 times) the secondary pix (license failover) with status
Standby , losts comunication on interface X and goes in Testing.
The interface X is back -to-back with the primary pix with status Active
:
%PIX-1-105005: (Secondary) Lost Failover communications with mate on
interface 7
After the secondary monitoring the others interfaces :
%PIX-1-105003: (Secondary) Monitoring on interface 3 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 6 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 2 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 5 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 0 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 4 waiting
%PIX-1-105003: (Secondary) Monitoring on interface 1 waiting
Why does the pix work so ?
Which is or are problem/s ?
I thought the connectivity (network), but the interface is back-to-back.
I thought the cable, it doesn't work.....but i change the cable.....
I've seen the logs and i didn't find nothing interesting .
Can anyone help me ?
Thanks in advance,
Roberto Paoletti
Operations Server Farm & Networking
Network Security & AAA
------------------------------------------------------------------
Wind Telecomunicazioni S.p.A. -
<file:///D:/Documents%20and%20Settings/Administrator.RPAOLETTI-NT/Dati%2
0applicazioni/Microsoft/Signatures/www.wind.it> www.wind.it
Internet & Multimedia - Fixed Portal
via Lorenteggio, 257
20152 Milano
Tel: +39-02-3011 4166
Cell:+39-3294206077
E-mail:roberto.paoletti@mail.wind.it
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:38 EDT