Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
862
Views
0
Helpful
7
Replies

Failover - Primary Reloaded

kevindickerson
Level 1
Level 1

‎05-22-2008 11:23 PM - edited ‎03-09-2019 08:46 PM

We are experiencing an interesting little problem with failover. Whilst performing some testing we discovered that when the Secondary Unit is Active, and the Primary unit is powered up, the primary unit will disrupt traffic flowing over the Secondary Unit. We do not see this issue if the secondary unit is power cycled.

Doing some further investigation, when the primary is powered up, it detects that its mate is Active and will then start the configuration replication, it is at this point that on the LAN you can see that the mac and IP address are now pointing at the Primary unit and all traffic is lost. It isn't until the configuration replication has finished that the mac and IP address point back to the Secondary.

I have had a look through the books and the site and I'm unable to see any reference to this scenario.

Version 7.0(4)

PIX-515E

failover

failover polltime unit msec 500 holdtime 3

failover polltime interface 3

failover link state Ethernet5

failover interface ip state 192.168.8.5 255.255.255.252 standby 192.168.8.6

Labels:
0 Helpful
7 Replies 7

andrew.prince
Level 10
Level 10

‎05-23-2008 02:58 AM

Kevin,

Check what interfaces you are monitoring for failover and make sure on the primary that all interfaces are OK up/up. I have also seen the monitoring of an interface that is up/up but with no IP address configured.

HTH.

0 Helpful

kevindickerson
Level 1
Level 1
In response to andrew.prince

‎05-23-2008 03:33 AM

Andrew,

The three interfaces that are being monitored are all in an up/up state with IP addresses.

They are also connected into a switch that has portfast enabled.

The way that we have gotten round it currently is to remove the interface cables from the back of the primary pix, power it on, wait for it to go into a failed state, then plug the cables back in. We then do not lose any network connectivity.

This isn't the ideal solution though

0 Helpful

andrew.prince
Level 10
Level 10
In response to kevindickerson

‎05-23-2008 03:40 AM

Kevin,

I have has a simular issue in the past - are you using the serial cable for the signaling failover heartbeat etc??

The other way I have done this - for a perm fix for this is:-

Turn both devices off, power up the primary first, then about 5 seconds later powere the secondary....when I have done this I never see the problem occur again?!

HTH.

0 Helpful

kevindickerson
Level 1
Level 1
In response to andrew.prince

‎05-23-2008 05:09 AM

Andrew,

We are using the serial cable for failover signalling heartbeat.

I have tried your perm fix, but I still have the same results if the Primary has a power failure.

0 Helpful

andrew.prince
Level 10
Level 10
In response to kevindickerson

‎05-23-2008 06:02 AM

Kevin,

try adding on the primary:-

failover replication http

then wr mem

0 Helpful

kevindickerson
Level 1
Level 1
In response to andrew.prince

‎06-09-2008 06:51 AM

I could find a few TAC case that had a similar symptom, but all had other strange circumstances that didn't match. In the end it was an upgrade from 7.0(4) to 7.0(8) and that has resolved the issue.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to kevindickerson

‎06-09-2008 12:55 PM

Seems to be a bug, during config replication network traffic should not go down.

Also you could have a look at assigning virtual mac-addresses for failover (if this isn't a bug).

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents