Cisco PIX 515e failover not working

We had a power outage in the data center last week, and when the dual PIX 515Es running IOS 7.0(8) (configured with a failover cable) came back, they were in a failover state with the secondary active and the primary standby. I have tried "failover reset", "failover active" and "failover reload-standby", as well as reloading both units in various orders, and they do not return to primary/active, secondary/standby. The only thing I haven't tried is driving to the data center and doing a hard restart, which is something I hate to do.

I have read How Failover Works on Cisco Secure Firewalls, and it looks like this shouldn't be happening.

Output of show failover on the primary:

 Failover On
 Cable status: Normal
 Failover unit Primary
 Failover LAN Interface: N/A - Serial-based failover enabled
 Unit Poll frequency 15 seconds, holdtime 45 seconds
 Interface Poll frequency 15 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 7.0(8), Mate 7.0(8)
 Last Failover at: 02:52:05 UTC Mar 10 2010
         This host: Primary - Standby Ready
                 Active time: 0 (sec)
                 Interface outside (xxx165): Normal
                 Interface inside (yyy3): Normal
         Other host: Secondary - Active
                 Active time: 897045 (sec)
                 Interface outside (xxx164): Normal
                 Interface inside (yyy4): Normal

 Stateful Failover Logical Update Statistics
         Link : Unconfigured.

Output of show failover on the secondary:

 Failover On
 Cable status: Normal
 Failover unit Secondary
 Failover LAN Interface: N/A - Serial-based failover enabled
 Unit Poll frequency 15 seconds, holdtime 45 seconds
 Interface Poll frequency 15 seconds
 Interface Policy 1
 Monitored Interfaces 2 of 250 maximum
 Version: Ours 7.0(8), Mate 7.0(8)
 Last Failover at: 02:03:04 UTC Feb 28 2010
         This host: Secondary - Active
                 Active time: 896925 (sec)
                 Interface outside (xxx164): Normal
                 Interface inside (yyy4): Normal
         Other host: Primary - Standby Ready
                 Active time: 0 (sec)
                 Interface outside (xxx165): Normal
                 Interface inside (yyy3): Normal

 Stateful Failover Logical Update Statistics
         Link : Unconfigured.

I see the following in my syslog:

 Mar 10 03:05:00 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover reset' command.
 Mar 10 03:05:09 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover reload-standby' command.
 Mar 10 03:05:12 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=20,my=Active,peer=Failed.
 Mar 10 03:05:12 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Failed.
 Mar 10 03:06:09 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Active,peer=Failed.
 Mar 10 03:06:09 fw1 %PIX-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
 Mar 10 03:06:09 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=1,my=Active,peer=Failed.
 Mar 10 03:06:10 fw1 %PIX-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
 Mar 10 03:06:10 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=2,my=Active,peer=Failed.
 Mar 10 03:06:23 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Active,peer=Standby Ready.
 Mar 10 03:06:23 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
 Mar 10 03:06:24 fw2 %PIX-6-720027: (VPN-Primary) HA status callback: My state Standby Ready.
 Mar 10 03:07:05 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover reset' command.
 Mar 10 03:07:31 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover active' command.
 Mar 10 03:08:04 fw1 %PIX-5-611103: User logged out: Uname: enable_1
 Mar 10 03:08:04 fw1 %PIX-6-315011: SSH session from admin1_int on interface inside for user "pix" terminated normally
 Mar 10 03:08:39 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=20,my=Active,peer=Failed.
 Mar 10 03:08:39 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Failed.
 Mar 10 03:09:10 fw1 %PIX-6-605005: Login permitted from admin1_int/36891 to inside:192.168.4.4/ssh for user "pix"
 Mar 10 03:09:23 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover reset' command.
 Mar 10 03:09:38 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=0,my=Active,peer=Failed.
 Mar 10 03:09:39 fw1 %PIX-6-720024: (VPN-Secondary) HA status callback: Control channel is down.
 Mar 10 03:09:39 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=401,op=1,my=Active,peer=Failed.
 Mar 10 03:09:39 fw1 %PIX-6-720024: (VPN-Secondary) HA status callback: Control channel is up.
 Mar 10 03:09:39 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=411,op=2,my=Active,peer=Failed.
 Mar 10 03:09:52 fw1 %PIX-6-720032: (VPN-Secondary) HA status callback: id=3,seq=200,grp=0,event=406,op=80,my=Active,peer=Standby Ready.
 Mar 10 03:09:52 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
 Mar 10 03:09:53 fw2 %PIX-6-720027: (VPN-Primary) HA status callback: My state Standby Ready.

I'm not sure how to interpret this syslog data. The primary doesn't even seem to be trying to become active. When I reloaded the individual units separately, my connections were preserved, so there doesn't seem to be an actual hardware failure. Is there anything I can query (IOS or SNMP) to check for hardware problems?

Any ideas? My IOS-fu is weak.

Thanks for any help, Aaron
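As an added example (not part of the original question or any of the answers), the Python script below parses a constructed `show failover` output in the same shape as the one posted above, plus a few constructed syslog lines modelled on the %PIX-6-720028 and %PIX-5-111008 entries, and reports what an operator would want flagged: a role inversion (Primary sitting in Standby Ready while Secondary is Active), any monitored interface not reporting Normal, and how often the peer was seen as "Failed" after each failover command. The sample inputs are constructed from the post's output format, and the function names (`parse_show_failover`, `failover_findings`, `summarize_syslog`) are this example's own.

```python
import re
from collections import Counter

# Constructed sample: 'show failover' output in the same shape as the post's
# primary-unit output (interface names abbreviated exactly as in the post).
SHOW_FAILOVER_PRIMARY = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Version: Ours 7.0(8), Mate 7.0(8)
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                Interface outside (xxx165): Normal
                Interface inside (yyy3): Normal
        Other host: Secondary - Active
                Active time: 897045 (sec)
                Interface outside (xxx164): Normal
                Interface inside (yyy4): Normal
"""

# Constructed syslog sample modelled on the post's peer-state and command lines.
SYSLOG_SAMPLE = """\
Mar 10 03:05:09 fw1 %PIX-5-111008: User 'enable_15' executed the 'failover reload-standby' command.
Mar 10 03:05:12 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Failed.
Mar 10 03:06:23 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
Mar 10 03:08:39 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Failed.
Mar 10 03:09:52 fw1 %PIX-6-720028: (VPN-Secondary) HA status callback: Peer state Standby Ready.
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s+(\S+)")
PEER_STATE_RE = re.compile(r"%PIX-6-720028: \((VPN-\w+)\) HA status callback: Peer state (.+)\.$")
CMD_RE = re.compile(r"%PIX-5-111008: User '([^']+)' executed the '([^']+)' command\.$")


def parse_show_failover(text):
    """Return {'This': {...}, 'Other': {...}} with role, state and interface health."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            # Interface lines belong to the most recently seen host block.
            hosts[current]["interfaces"][m.group(1)] = m.group(3)
    return hosts


def failover_findings(hosts):
    """List findings: role inversion and any interface whose health is not Normal."""
    findings = []
    for which, info in hosts.items():
        if info["role"] == "Primary" and not info["state"].startswith("Active"):
            findings.append(f"Primary unit is '{info['state']}' (expected Active)")
        if info["role"] == "Secondary" and info["state"].startswith("Active"):
            findings.append("Secondary unit is Active (role inversion)")
        for name, health in info["interfaces"].items():
            if health != "Normal":
                findings.append(f"{which} host interface {name} is {health}")
    return findings


def summarize_syslog(text):
    """Count peer-state transitions and failover commands seen in the log."""
    peer_states = Counter()
    commands = Counter()
    for line in text.splitlines():
        m = PEER_STATE_RE.search(line)
        if m:
            peer_states[m.group(2)] += 1
            continue
        m = CMD_RE.search(line)
        if m and m.group(2).startswith("failover"):
            commands[m.group(2)] += 1
    return {"peer_states": dict(peer_states), "failover_commands": dict(commands)}


if __name__ == "__main__":
    hosts = parse_show_failover(SHOW_FAILOVER_PRIMARY)
    for finding in failover_findings(hosts):
        print("FINDING:", finding)
    print(summarize_syslog(SYSLOG_SAMPLE))
```

Run against the real `show failover` output, an empty findings list means the roles match expectations; a "Peer state Failed" count that rises after every failover command, with all interfaces still Normal, points at the failover link or unit health rather than a monitored interface, which is the distinction the syslog above leaves open.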

Please do not use the no failover command that natacado mentioned. Instead, use the no failover active command on the secondary (currently active) firewall. The first command turns failover off; the second relinquishes the active state to the other firewall in the HA pair. If you run failover active, run it on the primary (currently standby) firewall.

I don't believe the PIX provides a facility to allow automatic preemption once the primary firewall is ready to handle traffic again.

Please post your failover configuration ("show run failover"). Or try enabling preemption (you will need to manually specify which unit is primary and which is secondary).

At least on the ASA 5500 series devices, what you need is to run the following on VPN-Primary:

 no failover

This should also work on a PIX with a relatively recent OS. Essentially, think of failover as the command that tells the unit to try to make the secondary unit the active one, and like many configuration commands, no failover removes that operation.

FWIW, the only way we were able to solve this was by pulling the power on both firewalls and then bringing them back up in the correct order. None of the above suggestions were able to solve it for me. Thanks to everyone for their time and help though.