Setting the fence level, Transferring sense information between sites, File and database recovery procedures – HP StorageWorks XP Remote Web Console Software User Manual
Page 147
capability is essential if this fence level setting is used. For disaster recovery, the currency of the
S-VOL is determined by using the sense information transferred via host failover or by comparing
the S-VOL contents with other files confirmed to be current.
Setting the Fence Level
When a takeover by the S-VOL occurs as shown in
(two errors have already
occurred), Data(V) remains in the rollback process at the secondary host, and full recovery cannot
be performed. To avoid this situation, you can define the fence level of the Redo log file as Data,
so that the P-VOL returns an error if a data disagreement is expected to occur concerning a write
request issued from the host. The Data fence level setting maintains full consistency between the
Redo log file and the data file, since no data is written to the data file due to the write error at the
log file. However, when the fence level is defined as Data, a write I/O causes an error even when
processing has been suspended due to an error at the S-VOL. In this case, a takeover by the S-VOL
occurs, and the significance of the duplex system will be lost. Therefore, if you define the fence
level as Data, applications must be able to cope with write I/O errors by handling them. Systems
that allow disk errors by means of multiplication can function with the Data fence level setting. For
example, Oracle multiplies the Redo log file by itself (default = three times).
Figure 55 Relationship Between Log File and Data File in PAIR Status
Since most UNIX file systems (excluding JFS and VxFS) have no journal files, the P-VOL fence level
should be defined as Never. When a takeover by the S-VOL occurs, fsck is executed on the volume
and the file system is cleaned up, even if the S-VOL is undefined at the secondary host. The data
that will be lost depends on how much differential data is contained in the P-VOL when the S-VOL
is suspended. During operation, error recovery should be performed when the suspended status
(PSUE) is detected (when one error occurs).
Transferring Sense Information Between Sites
When the MCU (or RCU for XP Continuous Access Asynchronous) suspends an XP Continuous
Access pair due to an error condition, the MCU/RCU sends sense information with the unit check
status to the appropriate host(s). This sense information is used during disaster recovery to determine
the currency of the S-VOL, and must be transferred to the remote site via the host failover software
.
File and Database Recovery Procedures
When an XP Continuous Access Synchronous pair is suspended, or when the MCU fails due to a
disaster, the S-VOL may contain in-process data. A data set could be open, or transactions may
not have completed. Even if you use the Data fence level for all XP Continuous Access Synchronous
pairs, you need to establish file recovery procedures. These procedures should be the same as
those used for recovering any volume that becomes inaccessible due to control unit failure. These
procedures are more important if the Status or Never fence level settings are used.
XP Continuous Access Asynchronous does not provide any procedure for detecting and retrieving
lost updates. To detect and recreate lost updates, you must check other current information (for
example, database journal log file that was active at the primary system when the disaster occurred).
Using XP Continuous Access for Disaster Recovery Operations
147