We had a failover last weekend and I can't figure out why it didn't go as it should have. The logs show this sequence of events:
103005 (Secondary) Other firewall reporting failure.
105009 (Secondary) Testing on interface 3 Passed
105003 (Secondary) Monitoring on interface 2 waiting
105003 (Secondary) Monitoring on interface 0 waiting
105003 (Secondary) Monitoring on interface 1 waiting
According to the log, it appeared that traffic continued after that. However, no one was getting in. When I got to the device, the interfaces were down on the primary but "line" was up. I manually enabled the interfaces again and finally, the secondary took over and went active. After a reboot of the primary, it took back control and all was well. Why didn't failover go through when it was first kicked off?
All I can think of is that something caused the interfaces to go down which included the failsafe interface so the failover couldn't complete. Any ideas?
I can verify that they are now. However, I just came into this environment so not sure if they were before. From what I understand, a sync doesn't have to be done manually. I can only assume "yes". Stateful failover is enabled and they are on the same switch.
If the switch that joins those interfaces fails, then those interfaces will not be available. When the interface is in monitoring state it means it is waiting for it to come up. I am thinking it was the switch that joins the two firewalls that failed and not the firewall. Here is a doc that discusses the PIX failover.
Thanks for the info. I may not have been specific enough. They share a switch for incoming traffic, but the failover interfaces are connected via a crossover cable. The traffic that was denied was specific to the firewall. Ironically the failover did go through the entire process once I enabled the interfaces (including the interface that has the crossover cable). I guess the question is, what caused the interfaces to go down including the failover interface? I will test again next downtime. Thanks for your thoughts.
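Added example, not part of the thread and not Cisco code: a small Python triage of the failover messages quoted in the first post, reporting which monitored interfaces were last seen in the "waiting" state after the peer reported failure. The function names are hypothetical, and the 105004 ("normal") line in the sample is constructed; it does not appear in the posted log.

```python
import re

# Constructed sample: the five lines from the post, plus one 105004 line
# (not in the post) so that one interface is seen returning to normal.
SAMPLE = """\
103005 (Secondary) Other firewall reporting failure.
105009 (Secondary) Testing on interface 3 Passed
105003 (Secondary) Monitoring on interface 2 waiting
105003 (Secondary) Monitoring on interface 0 waiting
105003 (Secondary) Monitoring on interface 1 waiting
105004 (Secondary) Monitoring on interface 0 normal
"""

LINE = re.compile(r"^(\d{6}) \((Primary|Secondary)\) (.*)$")
MONITOR = re.compile(r"Monitoring on interface (\S+) (waiting|normal)")
TEST = re.compile(r"Testing on interface (\S+) (Passed|Failed)")

def triage(text):
    """Return (peer_failure_reported, {interface: last known state})."""
    peer_failure = False
    state = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not in the posted message shape
        msg_id, _unit, body = m.groups()
        if msg_id == "103005":
            peer_failure = True
        elif msg_id in ("105003", "105004"):
            mm = MONITOR.search(body)
            if mm:
                state[mm.group(1)] = mm.group(2)
        elif msg_id == "105009":
            mt = TEST.search(body)
            if mt:
                state[mt.group(1)] = "test-" + mt.group(2).lower()
    return peer_failure, state

def stuck_interfaces(text):
    """Interfaces last seen 'waiting' in a log where the peer reported failure."""
    peer_failure, state = triage(text)
    if not peer_failure:
        return []
    return sorted(i for i, s in state.items() if s == "waiting")

if __name__ == "__main__":
    print(stuck_interfaces(SAMPLE))
```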