Standby PIX to be changed

Unanswered Question
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (5 ratings)
Loading.
vitripat Tue, 06/12/2007 - 09:56
User Badges:
  • Gold, 750 points or more

Hey Neo,


Here are the steps you need to perform-


1) Make sure the new PIX has exactly same hardware/software as current secondary PIX and it also has appropriate license to run as Secondary Firewall.


2) Make sure Primary PIX is running as "Active" Firewall and passing all traffic.


3) Perform "write erase" on the new PIX and reload. After reload, dont make any configuration changes if using cable-based failover and just issue "write memory" command.


If using Lan-based failover, perform necessary commands in order to establish this unit as Secondary unit. You can refer to following link for the same-


http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1061335


Once done, shut down the new PIX.


4) Shut down the current Secondary PIX and disconnect all the cables.


5) Connect New Secondary PIX.


6) Bootup the new PIX.


Once new PIX comes up, it should automatically detect a running Active Firewall and sync configuration from there.


Hope this helps.


Regards,

Vibhor.

anandramapathy Wed, 06/13/2007 - 04:10
User Badges:
  • Bronze, 100 points or more

For LAN-based failover, you must set up the Ethernet link in advance. You must also define each unit as a primary or secondary unit within the configuration (as opposed to cable-based failover, where the serial failover cable itself defines these roles).


The active unit sends the configuration in running memory to the standby unit. On the standby unit, the configuration exists only in running memory. You can optionally save the configuration to Flash memory using the write memory command. If you save the configuration to Flash memory, and you reboot the standby unit when the active unit is unavailable, the standby unit can become the active unit because it has a valid configuration.



anandramapathy Wed, 06/13/2007 - 05:02
User Badges:
  • Bronze, 100 points or more

Ensure the following is displayed when u do a show version


Licensed Features:

Failover: Enabled






FW# sh ver


Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)


Compiled on Fri 02-Jul-04 00:07 by morlee


FW up 284 days 5 hours


Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB


0: ethernet0: address is 0003.6bf6.693a, irq 11

1: ethernet1: address is 0003.6bf6.693b, irq 10

2: ethernet2: address is 0003.476b.cc72, irq 9

3: ethernet3: address is 0003.476b.ce5f, irq 7

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited


This PIX has an Unrestricted (UR) license.


Serial Number:

Running Activation Key:

Configuration has not been modified since last system restart.

FW#



anandramapathy Wed, 06/13/2007 - 05:45
User Badges:
  • Bronze, 100 points or more

If you are using PDM, Match is preferred.


All configs / features done on PDM on primary should be visible on the secondary too. In such case it is very much reqd.


Installing PDM is not so difficult. Upload the same file as in primary to the new secondary.

vitripat Wed, 06/13/2007 - 08:08
User Badges:
  • Gold, 750 points or more

Hi,


Matching PDM version is *not* required for failover to work.


How to make sure that new PIX becomes "Standby"?


1) A Secondary unit can have either UR or Failover-Only license.

2) In cable-based failover, the *end* of the serial cable marked as "secondary", should go into the Secondary/New firewall.

3) In Lan-based failover, you specifically configure the Secondary PIX to make declare itself as "Secondary" firewall.


Assuming that you have taken care of points mentioned above, and Primary PIX is running as Active PIX, when you bootup the new Secondary PIX, it will definately come up as Standby unit .. given that there are not hardware issues .. :-D


Hope that helps.


Regards,

Vibhor.

vitripat Thu, 06/14/2007 - 07:29
User Badges:
  • Gold, 750 points or more

Hi Neo,


There wont be any issues if both firewalls have UR license.


Regards,

Vibhor.

Actions

This Discussion