
Two PIXs in failover mode, Primary PIX has failed!

Dec 14th, 2006

Okay, here's the situation. I have two PIX-515Es in a failover scenario. Primary PIX has a UR license and the Secondary PIX has a FO license.

The Primary PIX has failed; it decided to hang and when manually rebooted it came up with no config, just the default factory config.

The Secondary is now active and passing traffic, and everything is fine; the Primary is failed and is actually powered off.

The output from the show fail command on the active Secondary is


Failover On
Cable status: Other side powered off
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Last Failover at: 12:01:11 NZST Jan 1 1993
This host: Secondary - Active
Active time: 2700 (sec)
Interface inside (10.a.b.c): Normal (Waiting)
Interface outside (203.w.x.y): Normal (Waiting)
Interface dmz (10.g.h.i): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Waiting)
Interface intf5 (0.0.0.0): Link Down (Waiting)
Other host: Primary - Failed
Active time: 0 (sec)
Interface inside (10.a.b.d): Unknown (Waiting)
Interface outside (203.w.x.z): Unknown (Waiting)
Interface dmz (10.g.h.j): Unknown (Waiting)
Interface intf4 (0.0.0.0): Unknown (Waiting)
Interface intf5 (0.0.0.0): Unknown (Waiting)



The issue I have is threefold:

1. If I power on the Primary PIX with no config, will the Secondary stay active without traffic interruption?

2. If I do power on the Primary and all is well, can I send the config from the active Secondary to the failed Primary?

3. If I do not power on the Primary, will the active Secondary, that is running the FO license, reboot after 24 hours, even if it recognises the Primary's state as powered off?


Thanks in advance


Paul


Overall Rating: 4 (2 ratings)
sachinraja Thu, 12/14/2006 - 18:28

Hello Paul,

Please find the answers below:

1. If I power on the Primary PIX with no config, will the Secondary stay active without traffic interruption

Ans - Yes. The failover PIX will remain primary and send traffic without traffic interruption. If you need to force the failover PIX (which is primary now) to standby, you need to manually reboot it. Till that time, the failover PIX acts as active and will continue forwarding traffic.

2. If I do power on the Primary and all is well, can I send the config from the active Secondary to the failed Primary

Ans - Use the command write standby to copy the configs to the failover unit.

3. If I do not power on the Primary, will the active Secondary, that is running the FO license, reboot after 24 hours, even if it recognises the Primary's state as powered off.

Ans - I don't think it will boot after 24 hours. If you have a failover cable plugged in and since it has already recognised a primary unit, it will remain stable. No issues in that.

Hope this helps. All the best. Rate replies if found useful.


Raj

PJWHITBY Thu, 12/14/2006 - 20:05

I have no idea why it lost its config; unfortunately I am 3 timezones away from it.

Will the failed, currently powered off, Primary PIX with no config take the config from the active Secondary PIX when I power on the Primary PIX or will I need to issue any commands? Actually failing back to the Primary PIX is not a big issue; making sure that both PIXs have the same current config is the issue.


Thanks for your help and advice,


Paul

bthibode Thu, 12/14/2006 - 20:49

The config should be transferred to the Primary unit on bootup. To be safe, copy the running config from the Secondary into a text editor before powering on the Primary.


If, by chance, the empty config from the Primary is sent to your secondary, paste the config from the text document into your Primary, then issue a write standby.


The Cisco doc on this states: The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Sync Started" and "Sync Completed" appear on the primary console.


So, from this, I gather that the failover roles are not of importance in this case, only the failover states (active/standby). Since your Secondary unit is the Active, its config should be copied to your Primary (standby) unit.


I hope this goes well for you.


Bryan
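
A pre-check for the procedure Bryan describes, as an added example that is not part of the original thread: it parses the `show failover` output posted in the question and reports which unit is Active, since that unit's running config is the one replicated to the peer. The function names are hypothetical, and the state strings are assumed to follow the format shown in the post.

```python
import re

# "show failover" output as posted in the question (interface lines
# trimmed to two per unit; addresses are masked as in the post).
SAMPLE = """\
Failover On
Cable status: Other side powered off
Failover unit Secondary
This host: Secondary - Active
Active time: 2700 (sec)
Interface inside (10.a.b.c): Normal (Waiting)
Interface intf4 (0.0.0.0): Link Down (Waiting)
Other host: Primary - Failed
Active time: 0 (sec)
Interface inside (10.a.b.d): Unknown (Waiting)
Interface intf4 (0.0.0.0): Unknown (Waiting)
"""

HOST = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+)$")
IFACE = re.compile(r"^Interface (\S+) \([^)]*\):\s*(.+?)\s*\(\w+\)$")

def parse_show_failover(text):
    """Parse the output into failover flag, cable status and per-unit state."""
    status = {"enabled": False, "cable": None, "this": None, "other": None}
    unit = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Failover On":
            status["enabled"] = True
        elif line.startswith("Cable status:"):
            status["cable"] = line.split(":", 1)[1].strip()
        elif m := HOST.match(line):
            unit = {"role": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
            status[m.group(1).lower()] = unit
        elif unit is not None and (m := IFACE.match(line)):
            unit["interfaces"][m.group(1)] = m.group(2)
    return status

def replication_source(status):
    """Role of the unit whose running config is sent to the peer: the one
    unit in Active state. None if failover is off or zero/two units are Active."""
    active = [u["role"] for u in (status["this"], status["other"])
              if u and u["state"].startswith("Active")]
    return active[0] if status["enabled"] and len(active) == 1 else None

if __name__ == "__main__":
    st = parse_show_failover(SAMPLE)
    print("config will be replicated from:", replication_source(st))
    print("peer state:", st["other"]["state"], "| cable:", st["cable"])
```

Running the check before powering on the peer, and again after the sync messages appear, confirms that the configured unit is still the Active one.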

PJWHITBY Tue, 12/19/2006 - 22:05

Yes, you were right.


I powered on the failed Primary with no config on it, issued the command failover on it and the Secondary active just sent across its config!


Thanks Bryan.
