PIX 525 failover: the standby firewall reboots periodically

1 | Posted 2009-11-28 17:26
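Symptom: two PIX 525s are configured for failover, running version 7.2. The firewall acting as the standby unit reboots by itself every hour and a half. We tested with other firewalls and found that whichever firewall acts as the standby reboots every hour and a half, while the active firewall has no problem.

I don't have the configuration on hand right now, but according to my colleague, it was checked against the configuration of other firewalls that work normally, and the configurations are the same.
If anyone has run into a similar problem, please help. Many thanks!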


2 (best answer) | Posted 2009-11-28 17:26
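OP, try the following.
There is no obvious lead or line of reasoning right now.

1. Set up a syslog server and send the logs from both the primary and the standby firewall to it.
2. At regular intervals (every 10 minutes), monitor CPU and memory on both firewalls, as well as their active/standby state and interface traffic.
3. After the standby has synchronized the configuration from the primary, disconnect it from the network and see whether it still reboots.
4. Try replacing the primary firewall.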

3 | Posted 2009-11-28 19:15
Upgrade to 8.04 first, then we'll see.

4 | Posted 2009-11-28 19:19
Is there a problem with the current version?

5 | Posted 2009-11-28 20:02
"The firewall acting as the standby unit reboots by itself every hour and a half"

Do you mean it is not just this one firewall? If you replace this firewall with a different unit, does that one reboot as well?

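6 | Posted 2009-11-28 20:24
Yes. Replacing the standby firewall with a third unit gives the same result, and if the primary and standby are swapped, it is again the standby that reboots by itself every hour and a half.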

7 | Posted 2009-11-28 20:30
Post the configuration and the logs from both the primary and the standby so we can take a look. Replace sensitive information with XX.

8 | Posted 2009-11-28 20:51
Also check whether the license is correct.

9 | Posted 2009-11-28 21:36
The configuration is as follows:
: Saved
:
PIX Version 7.2(1)
!
hostname xxx-xx-xxxx
domain-name xx.xx.xxx
enable password 4wn2dZyP8WeN1Jx/ level 2 encrypted
enable password 2KFdnbPIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
description TO-I3-6506R-1
speed 100
duplex full
nameif outside
security-level 0
ip address xx.xxx.XX.13 255.255.255.248 standby xx.xxx.xx.13
!
interface Ethernet1
description TO-F5-3560-1
speed 100
duplex full
nameif inside
security-level 100
ip address xx.xxx.xxx.1 255.255.255.0 standby xx.xxx.xxx.31
!
interface Ethernet2
description TO-I3-6506-1
speed 100
duplex full
nameif DDSO
security-level 50
ip address xx.xxx.191.20 255.255.255.248 standby xx.xxx.11.21
!
interface Ethernet3
description TO-E15-6509-1
speed 100
duplex full
nameif dx
security-level 15
ip address xx.xxx.4.14 255.255.255.248 standby xx.xxx.4.12
!
interface Ethernet4
speed 100
duplex full
shutdown
no nameif
security-level 15
no ip address
!
interface Ethernet5
description STATE Failover Interface
!
passwd 2KDQnbNIdI.2KKOU encrypted
boot system flash:/pix721.bin
ftp mode passive
clock timezone BeiJing 8
dns server-group DefaultDNS
domain-name abc.def
object-group network PING
network-object host xx.xxx.xx.x
network-object host xx.xxx.xx.x
object-group network 30DDS
network-object host xx.xx.xx.x
network-object host xx.xx.xxx.x
object-group network 20DDS
network-object host xx.xxx.xxx.9
object-group network wh
network-object host xx.xxx.xx.xx
object-group network KDS
network-object host xx.xxx.xx.xx
network-object host xx.xxx.xx.xx
object-group network ntp
network-object host xx.xxx.xx.xxx
object-group network LSOD
network-object host xx.xxx.xx.xx
object-group network LDOW
network-object host xx.xxx.xx.xx
network-object host xx.xxx.xx.xx
object-group network DP-LDOW
network-object host xx.xxx.XXX.XX
object-group network DP-DDS
network-object host xx.xx.xx.xx
object-group network DDSO
network-object host 10.65.6.22
access-list 101 extended permit tcp object-group 30DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 30DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 20DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp object-group 20DDS host xx.xxx.xxx.2 eq 7777
access-list 101 extended permit tcp host 211.137.32.229 host xx.xxx.xxx.6 eq 7777
access-list 102 extended permit tcp object-group wh host xx.xxx.xxx.30 eq 7777
access-list 103 extended permit icmp object-group PING host xx.xxx.xxx.4
access-list 103 extended permit tcp object-group DP-DDS host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DP-DDS host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DDSO host xx.xxx.xxx.4 eq 7777
access-list 103 extended permit tcp object-group DDSO host xx.xxx.xxx.4 eq 7777
pager lines 24
logging enable
logging timestamp
logging standby
logging console warnings
logging monitor warnings
logging buffered errors
logging history errors
mtu outside 1500
mtu inside 1500
mtu DDSO 1500
mtu dx 1500
failover
failover link Stateful Ethernet5
failover interface ip Stateful 1.1.1.1 255.255.255.0 standby 1.1.1.2
no asdm history enable
arp timeout 300
nat-control
global (outside) 1 xx.xxx.xxx.0
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) xx.xxx.xxx.2 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.7 xx.xxx.xxx.8 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.6 xx.xxx.xxx.9 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.4 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,DDSO) xx.xxx.xxx.4 xx.xxx.xxx.4 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.9 xx.xxx.xxx.9 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.3 xx.xxx.xxx.3 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.30 xx.xxx.xxx.30 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.11 xx.xxx.xxx.11 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.10 xx.xxx.xxx.10 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.8 xx.xxx.xxx.8 netmask 255.255.255.255
static (inside,outside) xx.xxx.xxx.1 xx.xxx.xxx.7 netmask 255.255.255.255
static (inside,dx) xx.xxx.xxx.7 xx.xxx.xxx.7 netmask 255.255.255.255
access-group 101 in interface outside
access-group 103 in interface DDSO
access-group 102 in interface dx
route outside 0.0.0.0 0.0.0.0 xx.xxx.72.129 1
route DDSO 10.65.9.11 255.255.255.255 xx.xxx.191.17 1
route DDSO 10.65.6.22 255.255.255.255 xx.xxx.191.17 1
route dx xx.xxx.20.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.18.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.8.45 255.255.255.255 xx.xxx.43.123 1
route dx xx.xxx.8.33 255.255.255.255 xx.xxx.43.123 1
route dx xx.xxx.254.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.251.0 255.255.255.0 xx.xxx.43.123 1
route dx xx.xxx.225.0 255.255.255.0 xx.xxx.43.123 1

10 | Posted 2009-11-28 21:44
Here is the log from the primary firewall. Also, the daughter of the poster above is really cute.

Nov 27 2009 12:53:58: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:01: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:54:05: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:37: %PIX-3-305005: No translation group found for udp src dxxx.xxx.xx.x/123 dst insidexx.xxx.xx.x/123
Nov 27 2009 12:54:42: %PIX-3-305005: No translation group found for udp src dxxx.xxx.xx.x/123 dst insidexx.xxx.xx.x/123
Nov 27 2009 12:54:43: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:55:29: %PIX-1-709003: (Primary) Beginning configuration replication: Send to mate.
Nov 27 2009 12:55:41: %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Nov 27 2009 12:55:41: %PIX-3-305005: No translation group found for udp src dxxx.xxx.xx.x/123 dst insidexx.xxx.xx.x/123
Nov 27 2009 12:55:46: %PIX-3-305005: No translation group found for udp src dxxx.xxx.xx.x/123 dst insidexx.xxx.xx.x/123
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface outside waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface inside waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface kkkk waiting
Nov 27 2009 12:55:51: %PIX-1-105003: (Primary) Monitoring on interface dx waiting
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface outside normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface inside normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface kkkk normal
Nov 27 2009 12:56:06: %PIX-1-105004: (Primary) Monitoring on interface dx normal
Nov 27 2009 12:56:45: %PIX-3-305005: No translation group found for udp src dxxx.xxx.xx.x/123 dst insidexx.xxx.xx.x/123
Nov 27 2009 12:56:50: %PIX-3-305005: No translation group found for udp src dx:xxx.xxx.xx.x/123 dst inside:xxx.xxx.xx.x/123
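
An added example, not part of the original thread: one way to act on the syslog suggestion in post 2 is to parse the collected PIX messages and measure the time between 102001 peer-reload events, which shows whether the standby's reboots are really periodic. The sample log is constructed in the format posted above (its later timestamps are invented), and the function names and the 5-minute and 2-minute thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log above; later timestamps are invented.
SAMPLE = """\
Nov 27 2009 12:53:58: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:54:01: %PIX-1-101001: (Primary) Failover cable OK.
Nov 27 2009 12:54:05: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 12:55:41: %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Nov 27 2009 14:24:02: %PIX-1-102001: (Primary) Power failure/System reload other side.
Nov 27 2009 14:25:44: %PIX-1-709004: (Primary) End Configuration Replication (ACT)
Nov 27 2009 15:54:00: %PIX-1-102001: (Primary) Power failure/System reload other side.
this line is not a PIX message
"""

LINE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(\d)-(\d{6}): (.*)$")
PEER_RELOAD = "102001"  # "Power failure/System reload other side"

def parse(text):
    """Yield (timestamp, severity, message_id, message) for each PIX line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip anything that is not a timestamped PIX message
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3), m.group(4)

def reload_episodes(events, burst=timedelta(minutes=5)):
    """Collapse repeated 102001 messages within `burst` into one episode."""
    episodes = []
    for ts, _sev, msg_id, _msg in sorted(events):
        if msg_id == PEER_RELOAD and (not episodes or ts - episodes[-1][-1] > burst):
            episodes.append([ts])
        elif msg_id == PEER_RELOAD:
            episodes[-1].append(ts)
    return [ep[0] for ep in episodes]

def periodic(starts, tolerance=timedelta(minutes=2)):
    """Return the mean interval if all gaps agree within `tolerance`, else None."""
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2 or max(gaps) - min(gaps) > tolerance:
        return None
    return sum(gaps, timedelta()) / len(gaps)

if __name__ == "__main__":
    starts = reload_episodes(parse(SAMPLE))
    print("peer reloads:", [s.isoformat(" ") for s in starts])
    print("periodic interval:", periodic(starts))
```

A steady interval that does not track traffic load points toward a timer, configuration or software cause rather than a random hardware fault, which is the distinction the monitoring steps in post 2 are meant to draw.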