EMC Fibre Channel Storage System Model FC4700 Configuration Planning Guide
About MirrorView Remote Mirroring Software
Secondary Image Failure
A secondary image failure may bring the mirror below the minimum
number of images required; if so, this triggers a mirror failure. When
a primary cannot communicate with a secondary image, it marks the
secondary as unreachable and stops trying to write to it. However, the
secondary image remains a member of the mirror.
The primary also attempts to minimize the amount of work required
to synchronize the secondary after it recovers. It does this by
fracturing the mirror. This means that, while the secondary is
unreachable, the primary keeps track of all write requests so that only
those blocks that were modified need to be copied to the secondary
during recovery. When the secondary is repaired, the software writes
the modified blocks to it, and then starts mirrored writes to it.
The following table shows how MirrorView might help you recover
from system failure at the primary and secondary sites. It assumes
that the mirror is active and is in the in-sync or consistent state.
Table 3-1 MirrorView Recovery Scenarios

Event: Server or storage system running primary image fails.

Result and recovery:

Option 1 - Catastrophic failure, repair is difficult or impossible.
The mirror goes to the attention state. If a host is attached to the secondary storage system,
the administrator promotes secondary image, and then takes other prearranged recovery
steps required for application startup on standby host.

Note: Any writes in progress when the primary image fails may not propagate to the secondary
image. Also, if the remote image was fractured at the time of the failure, any writes since the
fracture will not have propagated.

Option 2 - Non-catastrophic failure, repair is feasible.
The mirror goes to the attention state. The administrator has the problem fixed, and then
synchronizes the secondary image. The write intent log, if used, shortens the sync time
needed. If a write intent log is not used, or the secondary LUN was fractured at the time of
failure, then a full synchronization is necessary.

Event: Storage system running secondary image fails.

Result and recovery:

The mirror goes to attention state, rejecting I/O. The administrator has a choice: If the
secondary can easily be fixed (for example, if someone pulled out a cable), then the
administrator can have it fixed and let things resume. If the secondary can't easily be fixed, the
administrator can reduce the minimum number of secondary images required to let the mirror
become active. Later, the secondary can be fixed and the minimum number of required images
can be changed.
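
The fracture behavior and the secondary-failure row of Table 3-1 can be traced in a small model. This is an added example, not EMC code: the Mirror class, its method names, and the per-block granularity of the fracture log are assumptions made for illustration.

```python
class Mirror:
    """Toy one-primary, one-secondary mirror (hypothetical model)."""

    def __init__(self, nblocks, min_secondaries=1):
        self.primary = [b""] * nblocks
        self.secondary = [b""] * nblocks
        self.min_secondaries = min_secondaries  # minimum images required
        self.reachable = True
        self.fracture_log = set()  # blocks written while fractured (assumed per-block)

    @property
    def state(self):
        live = 1 if self.reachable else 0
        return "active" if live >= self.min_secondaries else "attention"

    def secondary_fails(self):
        self.reachable = False  # marked unreachable, but still a mirror member

    def write(self, block, data):
        if self.state == "attention":
            raise OSError("mirror in attention state, rejecting I/O")
        self.primary[block] = data
        if self.reachable:
            self.secondary[block] = data  # normal mirrored write
        else:
            self.fracture_log.add(block)  # remember only what changed

    def secondary_repaired(self):
        """Copy just the logged blocks, resume mirroring; return blocks copied."""
        copied = len(self.fracture_log)
        for block in self.fracture_log:
            self.secondary[block] = self.primary[block]
        self.fracture_log.clear()
        self.reachable = True
        return copied


def demo():
    m = Mirror(nblocks=1000)
    m.write(1, b"a")
    m.secondary_fails()
    state_after_failure = m.state  # below the minimum number of images
    m.min_secondaries = 0          # administrator lowers the minimum
    for block, data in [(2, b"b"), (7, b"c"), (2, b"d")]:  # constructed writes
        m.write(block, data)
    copied = m.secondary_repaired()
    m.min_secondaries = 1          # requirement restored after the repair
    return state_after_failure, copied, m.primary == m.secondary, m.state
```

Three writes touch two distinct blocks, so recovery copies two blocks out of 1000 rather than performing a full synchronization.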