PIX OS 7.x failover and VPN.

Apr 29th, 2007

Hi all,

I want to configure failover on our PIX 525 (PIX OS 7.x), through a serial cable and a dedicated interface.

My question is:

We have IP addresses on inside, outside and DMZs. I assign other IP addresses on the primary PIX (for the secondary PIX).

What happens to the VPN when failover occurs?

We use VPN to connect our users to the primary IP address of the PIX (on outside), and for the primary PIX we have a certificate issued.

I know that when we configure failover the configuration will be replicated, but we are confused about the secondary IP address and possible problems related to it. Should we allow VPN traffic through our active devices on the new IP address as well?



romason Tue, 05/01/2007 - 19:52

The active IP should remain the same upon failover.

Also the certificate should replicate as well once installed on the active PIX and after issuing a wr mem.


Standby unit should not enroll its own certificate, at least for VPN failover purposes.

If active/standby do not have the same key/certificate, VPN tunnels cannot survive across failover.

When the standby unit first joins the active unit, all the keys on the standby unit will be erased and then re-populated by the active unit.

Not sure what 7.x code you are running but this bug may be of interest:

Externally found moderate defect: Verified (V)
VPN stateful failover gets out of sync



johnleeee Wed, 05/02/2007 - 00:56

Hi Chuck,

that's the problem. I've configured failover with 7.0.4 PIX OS, but the certificate from the primary PIX did not copy to the secondary. How do I resolve this kind of problem?

About the IP addresses: why do I need to configure a secondary IP address when the primary IP address will still be in use?



romason Wed, 05/02/2007 - 15:38

The IP is how you reach each device. Upon a failover the IPs swap between the boxes but the MAC addresses remain the same.

If the cert is on the active, please enable the following debug:

(config)# debug fover sync

While capturing the debug output from the "standby" box, issue a "wr standby" on the active and let me know what you get.
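An added illustration of the two points above (not code from the thread or from Cisco's own documentation): the address after the `standby` keyword is the secondary IP address the question asks about, and the active unit always owns the primary address, so VPN peers and the certificate keep pointing at one outside address across a failover. Interface names and all addresses are constructed placeholders; the serial failover cable decides which unit is primary, and the dedicated interface carries the stateful link.

```cisco
! Entered on the primary PIX only; replication copies it to the secondary.
! Stateful failover over the dedicated interface (the serial cable carries
! the hello traffic and decides which unit is primary).
failover link stateful Ethernet2
failover interface ip stateful 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

! Each data interface gets the active address plus a standby address.
! 203.0.113.2 stays the VPN peer address whichever box is active;
! the standby address is only used to reach the standby box directly.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3

! Push config (including the trustpoint/certificate) to the standby,
! then verify on both units.
write standby
show failover
show crypto ca certificates
```

The `show crypto ca certificates` output should list the same certificate on both units after `write standby`; if it does not, the `debug fover sync` capture described above is the place to look.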



johnleeee Wed, 05/02/2007 - 23:27

Hi Chuck,

thanks a lot for the answer and help.

It was helpful for us. The config is the same now and I see the certificate on both devices.

But I don't know where the problem was, because when I issued wr standby and looked on the standby PIX, the certificates were there.

Thanks a lot.


