Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix Failover issue - No Active

Hi,

I'm hoping this will be a quick and easy answer.

If i have a Pix FW setup as secondary but running as active due to issue with Primary.

Primary has been disconnected from the network and the Secondary, so the secondary is active but not connected to the Primary in anyway.

If the secondary and active Pix is rebooted, what state should it be in when it comes back online ?

This happened to a customer last night and it came back as standby and so all traffic was black holed, and neither Pix was online or at least active

Thanks

Stu

4 REPLIES
Cisco Employee

Re: Pix Failover issue - No Active

I understand that secondary was the active firewall, and primary was taken out of the failover cluster.

Then the secondary which was the active firewall was reloaded. At this point, is the primary firewall connected to the network? If it is, and they are not in cluster, both firewall will become active, and hence it explains why traffic went to black hole as both firewalls are active.

New Member

Re: Pix Failover issue - No Active

Hi,

The Primary Pix is not connected in anyway including the failover cable to the Secondary and active Pix.

So when the Secondary and active Pix (with failover only lic) reboots when it comes back online it cannot see the Primary Pix in anyway, not even via the failover cable. Should it become active or standby ?

In my case it came back as standby, and believ this is because it couldnt see the Primary Pix via the failover cable (even though it wasnt powered on), when it reboots and the failover cable is connected to the Primary and offline Pix is reboots as active, without the cable attached to the Primary and offlibe Pix is comes back as standby, but is this normal ?

Also as this seems to be rebooting every 24 hours csan this be prevented wihout bringing the Primary Pix back online ?

Thanks

Stu

Cisco Employee

Re: Pix Failover issue - No Active

When you reloaded the secondary active firewall, it should come back online as the active firewall if failover is turned on and if there is no cable connected to the primary firewall, the secondary will assume the active role because it assumes the peer is down.

With the serial cable failover, you would need  to check if the correct end of cable is connected to the correct PIX firewall. One end of the failover cable will be marked as primary end, and the other end of the cable will be marked as secondary as follows:

http://www.cisco.com/en/US/docs/security/pix/pix63/hw/installation/guide/515.html#wp1048874

With regards to the firewall reloading every 24 hours, you would need to get TAC to investigate the issue. Most likely the PIX firewall is hitting a bug that causes it to reload every 24 hours.

New Member

Re: Pix Failover issue - No Active

Stuart

I believe you are having PIX Firewall with one device UR License and another FO License . If this is the case and your previously Active Firewall is switched off currently , then the now Active Firewall (Secondary) having FO License will get rebooted every 24 Hrs if you are trying to pass all the traffic through it . If no Primary is connected to Secondary and Secondary [now Active] is reloaded ,  then Secondary will remain as Standby unit however will keep the traffic continue passing through . Please read the below link

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1124508

If your Firewall would have been ASA Firewall [or PIX with both device having UR Licenses] and if you would have encountered the same issue , then with Secondary being reloaded it would have come up as an Active device [with no rebooting every 24 hrs] on detecting that its peer unit is not there. Here one thing you have to keep in mind is that now in this situation if Primary is bought again into the production , then the traffic will get hampered .The reason being that as soon as Primary [Previously Active Unit] will come up , it will detect that already Secondary [Current Active] is acting as Active peer and will try to give its MAC Address to Secondary .However , at this time Secondary [Current Active] is using its burnt-in MAC Address [remember when Secondary was reloaded , Primary was switched off !!! ] rather than the MAC Address of Primary Firewall [as you know in Failover that Primary will gives its MAC to Secondary during failover]. So when Primary will try to give its MAC to Secondary it will accept and due to this network traffic will hamper as the downstream Switch will not be able to find the entry in its CAM Table for the new MAC . In order to resolve this we have to use Virtual MAC Address .In this case if Secondary boots up first , followed by Primary , then there will no network disruption .

Note : Virtual MAC should not be assigned during traffic passing through (i.e when devices in production) , it should be applied beforehand .

256
Views
0
Helpful
4
Replies
CreatePlease to create content