PIX 515e 6.3 to 7.0 Failover disable

Unanswered Question
Apr 12th, 2007
User Badges:

hi,


i was running a failover set of pix515e version 6.3(4). I upgraded my device to 7.1 and now i failover is disabled. I get the asdm syslog messages:

(Primary) Disabling failover

(Primary) Mate license (VPN-3DES-AES Enabled) is not compatible with my license(VPN-3DES-AES Disabled)



pls comments

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
mark.hodge Thu, 04/12/2007 - 07:20
User Badges:

Check the software on both devices "show ver" and ensure that the encryption level is the same on both. I would suspect the primary device hasn't been upgraded.


If it is upgrade ASDM on both, I have had issues where the compatability checks gave incorect errors.

adil.ibrahim Fri, 04/13/2007 - 02:59
User Badges:

hi Mark,


i've turned off failover box still getting the error. pls find attached file of show version and show run.


regs,




Attachment: 
mark.hodge Tue, 04/17/2007 - 10:32
User Badges:

Adil,


from your "sh ver" I see


VPN-3DES-AES : Disabled


I would strongly suspect it is Enabled on the other device.


You will need a CCO ID, but you can register for a free upgrade, assuming you are in a country where shuch encryption is legal.


This link might work

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y


If not


login" target="_blank">www.cisco.com->login


Software Downloads->Cisco Secure Software


PIX Security Appliance Software


*FREE* Reguister for PIX DES or 3DES/AES IPsec software feature keys


You don't have a PAK so "click here for available licenses"


Under Security Products select the licence you want, and then fill in all the paperwork.



You will need to enter the new license and then reboot, which will cause an interupt to service as you have turned off the secondary device. Once the reboot has completed turn the secondary back on and all should be well.

adil.ibrahim Tue, 04/17/2007 - 20:40
User Badges:

Hi,


you are right, but can you tell me how can i disable 3des encryption on the other device so that i've same settings on both device. i want to do like this becasue my device has 64 mb of ram and 3des requires 128mb ram.


thanks

mark.hodge Wed, 04/18/2007 - 03:15
User Badges:

Never done it, but you should be able to request a DES license for the secondary in the same way.


I don't have a device handy to check, but I am 99% sure that you can have a 3DES license on a 64 MB device, the only requirement for 128 MB is Version 7 software.


*please rate previous posts if they are/were helpfull*

Actions

This Discussion