Pix Failover issue - No Active

Apr 29th, 2010

Hi,


I'm hoping this will be a quick and easy answer.


If I have a PIX FW set up as secondary but running as active due to an issue with the Primary.


The Primary has been disconnected from the network and from the Secondary, so the Secondary is active but not connected to the Primary in any way.


If the Secondary (active) PIX is rebooted, what state should it be in when it comes back online?


This happened to a customer last night and it came back as standby, so all traffic was black-holed, and neither PIX was online, or at least neither was active.


Thanks

Stu

Jennifer Halim (Cisco Employee) Fri, 04/30/2010 - 07:13

I understand that the secondary was the active firewall, and the primary was taken out of the failover cluster.


Then the secondary, which was the active firewall, was reloaded. At this point, is the primary firewall connected to the network? If it is, and they are not in a cluster, both firewalls will become active, which explains why traffic went into a black hole: both firewalls are active.

stuart.jones Sun, 05/02/2010 - 02:40

Hi,


The Primary PIX is not connected in any way, including the failover cable, to the Secondary (active) PIX.


So when the Secondary (active) PIX (with a failover-only licence) reboots and comes back online, it cannot see the Primary PIX in any way, not even via the failover cable. Should it become active or standby?


In my case it came back as standby, and I believe this is because it couldn't see the Primary PIX via the failover cable (even though the Primary wasn't powered on). When it reboots with the failover cable connected to the Primary (offline) PIX, it comes back as active; without the cable attached to the Primary (offline) PIX, it comes back as standby. But is this normal?


Also, as this seems to be rebooting every 24 hours, can this be prevented without bringing the Primary PIX back online?


Thanks

Stu

Jennifer Halim (Cisco Employee) Sun, 05/02/2010 - 03:33

When you reloaded the secondary (active) firewall, it should have come back online as the active firewall if failover is turned on. If there is no cable connected to the primary firewall, the secondary will assume the active role because it assumes the peer is down.


With serial-cable failover, you would need to check that the correct end of the cable is connected to the correct PIX firewall. One end of the failover cable is marked as the primary end, and the other end of the cable is marked as secondary, as follows:

http://www.cisco.com/en/US/docs/security/pix/pix63/hw/installation/guide/515.html#wp1048874


With regard to the firewall reloading every 24 hours, you would need to get TAC to investigate the issue. Most likely the PIX firewall is hitting a bug that causes it to reload every 24 hours.

ankurs2008 Sun, 05/02/2010 - 12:06

Stuart


I believe you have a PIX firewall pair with one device on a UR licence and the other on an FO licence. If this is the case and your previously active firewall is currently switched off, then the now-active firewall (Secondary), having the FO licence, will get rebooted every 24 hrs if you are trying to pass all the traffic through it. If no Primary is connected to the Secondary and the Secondary (now active) is reloaded, then the Secondary will remain the Standby unit; however, it will keep passing traffic. Please read the link below.


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1124508


If your firewalls had been ASA firewalls (or PIX with both devices having UR licences) and you had encountered the same issue, then the Secondary, once reloaded, would have come up as the active device (with no rebooting every 24 hrs) on detecting that its peer unit is not there.

One thing you have to keep in mind in this situation is that if the Primary is brought back into production, traffic will be hampered. The reason is that as soon as the Primary (previously active unit) comes up, it will detect that the Secondary (currently active) is already acting as the active peer and will try to give its MAC address to the Secondary. However, at this time the Secondary (currently active) is using its burnt-in MAC address (remember, when the Secondary was reloaded, the Primary was switched off!) rather than the MAC address of the Primary firewall (as you know, in failover the Primary gives its MAC to the Secondary). So when the Primary tries to give its MAC to the Secondary, the Secondary will accept it, and because of this network traffic will be hampered, as the downstream switch will not be able to find an entry in its CAM table for the new MAC. To resolve this we have to use virtual MAC addresses. In that case, if the Secondary boots up first, followed by the Primary, there will be no network disruption.


Note: a virtual MAC should not be assigned while traffic is passing through (i.e. when the devices are in production); it should be applied beforehand.
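The virtual-MAC fix described in the reply above, as an added illustration that is not configuration from the original thread or from Cisco: with a virtual MAC pair configured per interface, the active unit always answers from the same MAC whichever physical unit holds the active role, so the downstream switch's CAM table does not need to relearn anything when the Primary returns. The interface names (`outside`, `inside`) and the locally administered MAC values are assumptions; the command form shown is the PIX 6.3 `failover mac address` syntax, entered on the primary unit while the pair is out of production so that it replicates to the secondary.

```cisco
! Added example: virtual MAC addresses for a PIX 6.3 failover pair.
! Apply on the primary unit before the pair goes into production;
! the running configuration replicates to the secondary unit.
! Interface names and MAC values are assumptions for illustration.
failover
failover mac address outside 0200.0000.0001 0200.0000.0002
failover mac address inside  0200.0000.0011 0200.0000.0012
! Confirm roles and that each unit sees its peer before cutting over:
show failover
```

The first MAC on each line is used by whichever unit is active, the second by whichever is standby; `show failover` should report the expected active/standby roles and the peer state on both units before traffic is allowed through.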
