PIX 525 failover: the standby firewall reboots at regular intervals

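#1 Posted 2009-11-28 17:26
Symptom: two PIX 525s running version 7.2 are set up for failover. The firewall acting as the standby unit reboots by itself every hour and a half. We tested with other firewalls and found that no matter which firewall acts as the standby, it reboots every hour and a half, while the active firewall has no problem.

I don't have the configuration at hand right now, but according to my colleague it was checked against the configuration of other firewalls that work normally, and the configuration is the same.
Has anyone run into a similar problem? Please help, many thanks!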

#2 Posted 2009-11-28 19:19
Is there a problem with the current version?

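#3 Posted 2009-11-28 20:24
Yes. Replacing the standby firewall with a third unit gives the same result, and after swapping active and standby it is again the standby that reboots by itself every hour and a half.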

#4 Posted 2009-11-28 21:36
The configuration is as follows:
: Saved
:
PIX Version 7.2(1)
!
hostname xxx-xx-xxxx
domain-name xx.xx.xxx
enable password 4wn2dZyP8WeN1Jx/ level 2 encrypted
enable password 2KFdnbPIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
 description TO-I3-6506R-1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xx.xxx.XX.13 255.255.255.248 standby xx.xxx.xx.13
!
interface Ethernet1
 description TO-F5-3560-1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address xx.xxx.xxx.1 255.255.255.0 standby xx.xxx.xxx.31
!
interface Ethernet2
 description TO-I3-6506-1
 speed 100
 duplex full
 nameif DDSO
 security-level 50
 ip address xx.xxx.191.20 255.255.255.248 standby xx.xxx.11.21
!
interface Ethernet3
 description TO-E15-6509-1
 speed 100
 duplex full
 nameif dx
 security-level 15
 ip address xx.xxx.4.14 255.255.255.248 standby xx.xxx.4.12
!
interface Ethernet4
 speed 100
 duplex full
 shutdown
 no nameif
 security-level 15
 no ip address
!
interface Ethernet5
 description STATE Failover Interface
!
passwd 2KDQnbNIdI.2KKOU encrypted
boot system flash:/pix721.bin
ftp mode passive
clock timezone BeiJing 8
dns server-group DefaultDNS
 domain-name abc.def
object-group network PING
 network-object host xx.xxx.xx.x
 network-object host xx.xxx.xx.x
object-group network 30DDS
 network-object host xx.xx.xx.x
 network-object host xx.xx.xxx.x
object-group network 20DDS
 network-object host xx.xxx.xxx.9
object-group network wh
 network-object host xx.xxx.xx.xx
object-group network KDS
 network-object host xx.xxx.xx.xx
 network-object host xx.xxx.xx.xx
object-group network ntp
 network-object host xx.xxx.xx.xxx
object-group network LSOD
 network-object host xx.xxx.xx.xx
object-group network LDOW
 network-object host xx.xxx.xx.xx
 network-object host xx.xxx.xx.xx
object-group network DP-LDOW
 network-object host xx.xxx.XXX.XX
object-group network DP-DDS
 network-object host xx.xx.xx.xx
object-group network DDSO
 network-object host 10.65.6.22
access-list 101 extended permit tcp object-group 30DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 30DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 20DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 20DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp host 211.137.32.229 host xx.xxx.xxx.6 eq 7777
access-list 102 extended permit tcp object-group wh host xx.xxx.xxx.30 eq 7777
access-list 103 extended permit icmp object-group PING host xx.xxx.xxx.4
access-list 103 extended permit tcp object-group DP-DDS host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DP-DDS host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DDSO host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DDSO host xx.xxx.xxx.4 eq 7777
pager lines 24
logging enable
logging timestamp
logging standby
logging console warnings
logging monitor warnings
logging buffered errors
logging history errors
mtu outside 1500
mtu inside 1500
mtu DDSO 1500
mtu dx 1500
failover
failover link Stateful Ethernet5
failover interface ip Stateful 1.1.1.1 255.255.255.0 standby 1.1.1.2
no asdm history enable
arp timeout 300
nat-control
global (outside) 1 xx.xxx.xxx.0
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) xx.xxx.xxx.2 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.7 xx.xxx.xxx.8 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.6 xx.xxx.xxx.9 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.4 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,DDSO) xx.xxx.xxx.4 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.9 xx.xxx.xxx.9 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.3 xx.xxx.xxx.3 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.30 xx.xxx.xxx.30 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.11 xx.xxx.xxx.11 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.10 xx.xxx.xxx.10 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.8 xx.xxx.xxx.8 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.1 xx.xxx.xxx.7 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.7 xx.xxx.xxx.7 netmask 255.255.255.255
access-group 101 in interface outside
access-group 103 in interface DDSO
access-group 102 in interface dx
route outside 0.0.0.0 0.0.0.0 xx.xxx.72.129 1
route DDSO 10.65.9.11 255.255.255.255 xx.xxx.191.17 1
route DDSO 10.65.6.22 255.255.255.255 xx.xxx.191.17 1
route dx xx.xxx.20.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.18.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.8.45 255.255.255.255 xx.xxx.43.123 1
route dx xx.xxx.8.33 255.255.255.255 xx.xxx.43.123 1
route dx xx.xxx.254.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.251.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.225.0 255.255.255.0 xx.xxx.43.123 1

#5 Posted 2009-11-28 21:44
Log from the active firewall. Also, the daughter of the poster above is really cute.

Nov 27 2009 12:53:58: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:01: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:54:05: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:37: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
Nov 27 2009 12:54:42: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
Nov 27 2009 12:54:43: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:55:29: %PIX-1-709003: (Primary) Beginning configuration replication: Send to mate.
Nov 27 2009 12:55:41: %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Nov 27 2009 12:55:41: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
Nov 27 2009 12:55:46: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface outside waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface inside waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface kkkk waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface dx waiting
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface outside normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface inside normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface kkkk normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface dx normal
Nov 27 2009 12:56:45: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
Nov 27 2009 12:56:50: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123

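#6 Posted 2009-11-28 23:20
Originally posted by ssffzz1 on 2009-11-28 22:07:
Also, is this reboot every hour and a half fixed??? Is it exactly an hour and a half???


Log from the active firewall. Also, the daughter of the poster above is really cute.
There is a lot of this kind of thing. Who knows what is going on in their heads.


Yes, it's fixed, roughly 87 minutes.

Hehe, I was saying that your daughter is very cute. Looking at the blog in your signature, she seems very well-behaved.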
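
Added example, not part of any post in this thread: one way to confirm from the active unit's log whether the standby reloads at a fixed interval, which is the question raised above. It parses the syslog format shown in post 5, treats a burst of %PIX-1-102001 lines as one peer reload, and measures the gaps between reloads. The sample log is constructed (only its first lines mirror post 5), and the function names, burst window and tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample in the format of the log in post 5; the 14:21 and 15:48
# entries are invented to illustrate a roughly 87-minute cycle.
SAMPLE_LOG = """\
Nov 27 2009 12:53:58: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:01: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:54:05: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:55:29: %PIX-1-709003: (Primary) Beginning configuration replication: Send to mate.
Nov 27 2009 14:21:02: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 14:21:09: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 15:48:01: %PIX-1-102001: (Primary) Power failure/System reload other side.
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}):")
PEER_RELOAD = "102001"  # "Power failure/System reload other side"

def peer_reload_events(log_text, burst=timedelta(minutes=5)):
    """Return one timestamp per peer reload, merging repeated 102001 lines."""
    events, last_seen = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != PEER_RELOAD:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        if last_seen is None or ts - last_seen > burst:
            events.append(ts)  # first line of a new burst marks the reload
        last_seen = ts
    return events

def reload_intervals(events):
    """Minutes between consecutive peer reloads."""
    return [(b - a).total_seconds() / 60 for a, b in zip(events, events[1:])]

def looks_periodic(intervals, tolerance_min=3.0):
    """True when there are at least two gaps and all lie near their mean."""
    if len(intervals) < 2:
        return False
    avg = mean(intervals)
    return all(abs(i - avg) <= tolerance_min for i in intervals)

if __name__ == "__main__":
    gaps = reload_intervals(peer_reload_events(SAMPLE_LOG))
    print([round(g, 1) for g in gaps], "periodic:", looks_periodic(gaps))
```

A constant gap across many cycles points at something timer-driven on the standby unit rather than an external event, and is worth recording before units are swapped again.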

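#7 Posted 2009-11-28 23:20
Originally posted by ssffzz1 on 2009-11-28 22:28:
Are there any abnormal messages on the console port before the standby unit reboots??
Are there any logs??


No. The log I posted was captured from the console port.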

#8 Posted 2009-11-29 13:27
Uh..... looking forward to the right answer.

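#9 Posted 2009-11-29 21:00
Originally posted by ssffzz1 on 2009-11-29 17:15:
I'm stumped too.

It couldn't be a power supply problem, could it??????


It shouldn't be a power supply problem. We swapped the two units, so that the original active unit (A) became the standby and the original standby (B) became the active, and it was still the standby that had the problem. Whichever unit is the standby has the problem; otherwise there is no problem.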

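#10 Posted 2009-12-10 15:57
Sorry, I haven't been on here for the past few days.

For the past couple of days we kept testing with several firewalls. During one of the tests we swapped one firewall in, with the configuration still the same as before.

Then we watched it, and so far the problem has not come back. All of us are quite puzzled.....

It has been a little over 4 days now, and we are still observing.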