06-17-2003 10:26 AM - edited 03-09-2019 03:42 AM
I have redundant PIX515E - UR+FO. I would need to test a special configuration for a short time. I have an idea to detach the standby pix with a failover licence, erase configuration and use it with a new configuration as a standalone box. After test I would attach it back.
Do you see any problem / risk with this procedure?
06-17-2003 12:08 PM
Hi David,
The FO-only PIX (6.1 and earlier) will not come up WITHOUT the FO link. The unit cannot be made to become operational without attaching the failover serial cable to it.
On 6.2, the FO-only PIX without the FO link connected will boot and come online but not become active.
The command failover active must be manually executed to make the unit active.
The unit will reload itself every following 24 hours, requiring another manual failover active to make it active each time.
10-13-2003 11:53 PM
A customer posed this question to us:
If I have two PIXes running FO and the datacentre has a total power failure (both PIXes down), and when power resumes the primary PIX suffers a power supply problem, the secondary (FO-only) boots up and we'll have to manually activate it. This is fine.
But does it also mean we have to do this every 24 hours until we replace the primary unit?
Is the FO-only pix controlled by software or hardware?
10-14-2003 12:36 AM
---------snippet--------
On 6.2, The FO-only PIX without the FO link connected, will boot and come online but not become active.
The command failover active must be manually executed to make the unit active.
The unit will reload itself every following 24 hours, requiring another manual failover active to make it active each time
-----------snippet----------
I don't see this behavior when running PIX 6.3.
Are there any changes from 6.2 to 6.3 with the above specification?
10-14-2003 01:15 AM
This is the test showing that PIX 6.3 FO will not reboot even if the failover cable is not connected. Can anyone verify this change?
The uptime of this PIX is already 17 days without rebooting (see the sh version output below).
From "show failover" shows that the failover cable is not connected.
--------from sh ver output-----------------
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 1.1(2)
Compiled on Wed 19-Mar-03 11:49 by morlee
pix515 up 17 days 22 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000c.cee5.5955, irq 10
1: ethernet1: address is 000c.cee5.5956, irq 11
2: ethernet2: address is 00e0.b606.b38f, irq 11
3: ethernet3: address is 00e0.b606.b38e, irq 10
4: ethernet4: address is 00e0.b606.b38d, irq 9
5: ethernet5: address is 00e0.b606.b38c, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
------------------------------------------------
---------from show failover output-------------
pix515(config)# sh fail
Failover On
Cable status: My side not connected
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Secondary - Active
Active time: 1546875 (sec)
Interface outside (1.1.1.1): Normal (Waiting)
Interface inside (192.168.1.1): Normal (Waiting)
Interface intf2 (172.16.1.1): Link Down (Waiting)
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
Other host: Primary - Standby
Active time: 300 (sec)
Interface outside (1.1.1.2): Normal
Interface inside (192.168.1.2): Normal
Interface intf2 (172.16.1.2): Normal
Interface intf3 (0.0.0.0): Link Down (Shutdown)
Interface intf4 (0.0.0.0): Link Down (Shutdown)
Interface intf5 (0.0.0.0): Link Down (Shutdown)
Stateful Failover Logical Update Statistics
Link : intf2
Stateful Obj    xmit    xerr    rcv     rerr
General         31      0       31      0
sys cmd         31      0       31      0
up time         0       0       0       0
xlate           0       0       0       0
gre conn        0       0       0       0
tcp conn        0       0       0       0
udp conn        0       0       0       0
ARP tbl         0       0       0       0
RIP Tbl         0       0       0       0
Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       31
Xmit Q:         0       1       31
pix515(config)#
-------------------------------------------
10-15-2003 01:43 AM
I downgraded the FO licence PIX from v6.3.1 to v6.2.2. After 24 hours it rebooted.
Conclusion is version 6.3.1 will not reboot even if the failover cable is not connected.
Regards,
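A monitoring check built from the behaviour reported in this thread, as an added example that is not part of any post or Cisco tooling: it parses `show version` and `show failover` text and flags an FO-only unit running with the failover cable detached. The function names and finding labels are hypothetical, the sample input is constructed from the outputs above, and the 6.3 result rests only on the 6.3(1) observation in this thread.

```python
import re

# Constructed sample input, abridged from the outputs posted in this thread.
SHOW_VERSION = """Cisco PIX Firewall Version 6.3(1)
pix515 up 17 days 22 hours
This PIX has a Failover Only (FO) license.
"""
SHOW_FAILOVER = """Failover On
Cable status: My side not connected
This host: Secondary - Active
"""

def parse_state(show_version, show_failover):
    """Extract the fields the thread's reported behaviour depends on."""
    ver = re.search(r"PIX Firewall Version (\d+)\.(\d+)", show_version)
    cable = re.search(r"^\s*Cable status:\s*(.+?)\s*$", show_failover, re.M)
    host = re.search(r"This host:\s*(\w+)\s*-\s*(\w+)", show_failover)
    return {
        "version": (int(ver.group(1)), int(ver.group(2))) if ver else None,
        "fo_only": "Failover Only (FO) license" in show_version,
        "cable": cable.group(1) if cable else None,
        "state": host.group(2) if host else None,
    }

def assess(state):
    """Map parsed state to a finding label (labels are hypothetical)."""
    if state["version"] is None or not state["fo_only"]:
        return "not-applicable"
    if state["cable"] is None:
        return "unknown"                   # no cable status line to judge by
    if "not connected" not in state["cable"].lower():
        return "cable-attached"
    if state["version"] <= (6, 1):
        return "fo-link-required"          # reported: unit will not come up
    if state["version"] == (6, 2):
        return "reloads-every-24h"         # reported, reproduced on 6.2.2
    return "no-reload-observed"            # observed on 6.3(1) only

if __name__ == "__main__":
    s = parse_state(SHOW_VERSION, SHOW_FAILOVER)
    print(s, "->", assess(s))
```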