I understand that the secondary was the active firewall, and the primary was taken out of the failover cluster.
Then the secondary, which was the active firewall, was reloaded. At this point, is the primary firewall connected to the network? If it is, and they are not in a cluster, both firewalls will become active, and hence it explains why traffic went to a black hole, as both firewalls are active.
The Primary PIX is not connected in any way, including the failover cable, to the Secondary and active PIX.
So when the Secondary and active PIX (with a failover-only licence) reboots and comes back online, it cannot see the Primary PIX in any way, not even via the failover cable. Should it become active or standby?
In my case it came back as standby, and I believe this is because it couldn't see the Primary PIX via the failover cable (even though it wasn't powered on). When it reboots with the failover cable connected to the Primary and offline PIX, it reboots as active; without the cable attached to the Primary and offline PIX, it comes back as standby. Is this normal?
Also, as this seems to be rebooting every 24 hours, can this be prevented without bringing the Primary PIX back online?
When you reloaded the secondary (active) firewall, it should come back online as the active firewall if failover is turned on. If there is no cable connected to the primary firewall, the secondary will assume the active role because it assumes the peer is down.
With serial cable failover, you would need to check whether the correct end of the cable is connected to the correct PIX firewall. One end of the failover cable will be marked as the primary end, and the other end of the cable will be marked as secondary, as follows:
I believe you have PIX Firewalls with one device on a UR licence and the other on an FO licence. If this is the case and your previously Active firewall is currently switched off, then the now Active firewall (Secondary), having the FO licence, will get rebooted every 24 hours if you are passing all the traffic through it. If no Primary is connected to the Secondary and the Secondary [now Active] is reloaded, then the Secondary will remain as the Standby unit but will keep passing traffic. Please read the link below.
If your firewalls had been ASA Firewalls [or PIX with both devices having UR licences] and you had encountered the same issue, then with the Secondary being reloaded it would have come up as the Active device [with no rebooting every 24 hours] on detecting that its peer unit is not there.

Here one thing you have to keep in mind is that, in this situation, if the Primary is brought back into production, the traffic will get hampered. The reason is that as soon as the Primary [previously Active unit] comes up, it will detect that the Secondary [current Active] is already acting as the Active peer and will try to give its MAC address to the Secondary. However, at this time the Secondary [current Active] is using its burnt-in MAC address [remember, when the Secondary was reloaded, the Primary was switched off!!!] rather than the MAC address of the Primary firewall [as you know, in failover the Primary gives its MAC to the Secondary during failover]. So when the Primary tries to give its MAC to the Secondary, the Secondary will accept it, and network traffic will be hampered because the downstream switch will not be able to find an entry in its CAM table for the new MAC. In order to resolve this we have to use Virtual MAC addresses. In this case, if the Secondary boots up first, followed by the Primary, there will be no network disruption.
Note: Virtual MAC addresses should not be assigned while traffic is passing through (i.e. when the devices are in production); they should be applied beforehand.
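As an added illustration of the virtual MAC fix described in the answer above (this is not configuration from the original thread, nor from the poster), the following shows a LAN-based Active/Standby failover pair with virtual MAC addresses pinned per physical interface. It assumes PIX/ASA 7.x command syntax, interfaces Ethernet0 (outside), Ethernet1 (inside) and Ethernet2 (failover link); the MAC addresses, IP addresses and the shared-key placeholder are made up for the example.

```cisco
! ---- Primary unit: apply before the pair carries production traffic ----
! Assumed: PIX/ASA 7.x Active/Standby syntax; interface names, addresses
! and MACs below are illustrative only.
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <shared-key>
!
! Virtual MACs: the active unit always answers with the first address and
! the standby with the second, whichever unit booted first and regardless
! of whether its peer was powered on at the time. The downstream switch
! therefore never has to learn a burnt-in MAC that later disappears.
! 0200.xxxx.xxxx is in the locally administered range.
failover mac address Ethernet0 0200.0000.0001 0200.0000.0002
failover mac address Ethernet1 0200.0000.0003 0200.0000.0004
failover
!
! ---- Secondary unit: only the role and the failover link are needed; ----
! ---- the rest, including the virtual MACs, is replicated from the active unit ----
failover lan unit secondary
failover lan interface folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <shared-key>
failover
!
! ---- Verification on either unit ----
! "show failover" reports each unit's role and peer state; "show interface"
! should list the virtual MAC, not the burnt-in one, on Ethernet0/Ethernet1.
show failover
show interface | include MAC
```

The point of applying this in advance is in the note above: once the virtual MACs are in the replicated configuration, reloading the Secondary with the Primary powered off no longer matters, because the Secondary comes up already using the same active MAC the Primary would have handed it, so the switch CAM table stays valid when the Primary later rejoins.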