A customer pose this question to us:

If I have two PIXes running FO and the datacentre has a total power failure (both PIXes down) and when power resumes - Primary pix suffers power supply problem. Secondary (FO-only) boots up - we'll have to manually activate it = this is fine.

But does it also mean we have to do this every 24hours until the we replace the primary unit?

Is the FO-only pix controlled by software or hardware?

---------snippet--------

On 6.2, The FO-only PIX without the FO link connected, will boot and come online but not become active.

The command failover active must be manually executed to make the unit active.

The unit will reload itself every following 24 hours, requiring another manual failover active to make it active each time

-----------snippet----------

I don`t see this behavior when running PIX 6.3

Is there any changes from 6.2 to 6.3 with the above specification ??

This is the test that PIX 6.3 FO will not reboot even the failover cable is not connected. Can anyone verify this changes ?

The uptime of this pix is already 17 days without rebooting (se the sh version output below)

From "show failover" shows that the failover cable is not connected.

--------from sh ver output-----------------

Cisco PIX Firewall Version 6.3(1)

Cisco PIX Device Manager Version 1.1(2)

Compiled on Wed 19-Mar-03 11:49 by morlee

pix515 up 17 days 22 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5

0: ethernet0: address is 000c.cee5.5955, irq 10

1: ethernet1: address is 000c.cee5.5956, irq 11

2: ethernet2: address is 00e0.b606.b38f, irq 11

3: ethernet3: address is 00e0.b606.b38e, irq 10

4: ethernet4: address is 00e0.b606.b38d, irq 9

5: ethernet5: address is 00e0.b606.b38c, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Disabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

------------------------------------------------

---------from show failover output-------------

pix515(config)# sh fail

Failover On

Cable status: My side not connected

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: Secondary - Active

Active time: 1546875 (sec)

Interface outside (1.1.1.1): Normal (Waiting)

Interface inside (192.168.1.1): Normal (Waiting)

Interface intf2 (172.16.1.1): Link Down (Waiting)

Interface intf3 (0.0.0.0): Link Down (Shutdown)

Interface intf4 (0.0.0.0): Link Down (Shutdown)

Interface intf5 (0.0.0.0): Link Down (Shutdown)

Other host: Primary - Standby

Active time: 300 (sec)

Interface outside (1.1.1.2): Normal

Interface inside (192.168.1.2): Normal

Interface intf2 (172.16.1.2): Normal

Interface intf3 (0.0.0.0): Link Down (Shutdown)

Interface intf4 (0.0.0.0): Link Down (Shutdown)

Interface intf5 (0.0.0.0): Link Down (Shutdown)

Stateful Failover Logical Update Statistics

Link : intf2

Stateful Obj xmit xerr rcv rerr

<--- More ---> General 31 0 31 0

sys cmd 31 0 31 0

up time 0 0 0 0

xlate 0 0 0 0

gre conn 0 0 0 0

tcp conn 0 0 0 0

udp conn 0 0 0 0

ARP tbl 0 0 0 0

RIP Tbl 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 1 31

Xmit Q: 0 1 31

pix515(config)#

-------------------------------------------

I downgraded the FO licence PIX from v6.3.1 to v6.2.2 . After 24 hours it rebooted.

Conclusion is version 6.3.1 will not reboot even if the failover cable is not connected.

Regards,