Standby PIX to be changed

Unanswered Question

I have two PIXs, one in Active and the other in Standby mode. I have faced some problems with the standby PIX, due to which I want to change my Standby PIX. Kindly let me know what steps I should keep in mind before going ahead with this activity.

These are PIX 515s running 6.3(5) in failover mode.

regards

Neo

vitripat Tue, 06/12/2007 - 09:56

Hey Neo,

Here are the steps you need to perform-

1) Make sure the new PIX has exactly the same hardware/software as the current secondary PIX and that it also has an appropriate license to run as the Secondary Firewall.

2) Make sure the Primary PIX is running as the "Active" Firewall and passing all traffic.

3) Perform "write erase" on the new PIX and reload. After the reload, don't make any configuration changes if using cable-based failover; just issue the "write memory" command.

If using LAN-based failover, perform the necessary commands in order to establish this unit as the Secondary unit. You can refer to the following link for the same-

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1061335

Once done, shut down the new PIX.

4) Shut down the current Secondary PIX and disconnect all the cables.

5) Connect the new Secondary PIX.

6) Boot up the new PIX.

Once the new PIX comes up, it should automatically detect the running Active Firewall and sync its configuration from there.

Hope this helps.

Regards,

Vibhor.

anandramapathy Wed, 06/13/2007 - 04:10

For LAN-based failover, you must set up the Ethernet link in advance. You must also define each unit as a primary or secondary unit within the configuration (as opposed to cable-based failover, where the serial failover cable itself defines these roles).

The active unit sends the configuration in running memory to the standby unit. On the standby unit, the configuration exists only in running memory. You can optionally save the configuration to Flash memory using the write memory command. If you save the configuration to Flash memory, and you reboot the standby unit when the active unit is unavailable, the standby unit can become the active unit because it has a valid configuration.

anandramapathy Wed, 06/13/2007 - 05:02

Ensure the following is displayed when you do a "show version":

Licensed Features:

Failover: Enabled

FW# sh ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

FW up 284 days 5 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.6bf6.693a, irq 11
1: ethernet1: address is 0003.6bf6.693b, irq 10
2: ethernet2: address is 0003.476b.cc72, irq 9
3: ethernet3: address is 0003.476b.ce5f, irq 7

Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number:
Running Activation Key:

Configuration has not been modified since last system restart.

FW#
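Vibhor's step 1 (identical hardware and software, and a licence that can run as the secondary) and the "show version" check above are easy to get wrong by eye across two long listings. The script below is an added example, not code from the thread or from Cisco: it parses two "show version" captures and lists every difference that would block the replacement from serving as the standby. The sample captures are constructed for the example, modelled on the format of the listing above (the MAC addresses are copied from it; the versions and the "Failover Only" licence wording on the candidate are assumed). It treats a differing PDM version as informational only, since the thread notes that matching PDM is not required for failover.

```python
import re

# Constructed sample 'show version' output for the running (primary) unit.
# Modelled on the listing posted in the thread; values are made up except the MACs.
PRIMARY_SHOW_VER = """\
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
0: ethernet0: address is 0003.6bf6.693a, irq 11
1: ethernet1: address is 0003.6bf6.693b, irq 10
2: ethernet2: address is 0003.476b.cc72, irq 9
3: ethernet3: address is 0003.476b.ce5f, irq 7
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited
This PIX has an Unrestricted (UR) license.
"""

# The candidate standby (also constructed): same chassis and features, but it
# arrived with 6.3(4) and a Failover Only licence. The FO licence is fine for a
# secondary; the software mismatch is the thing this check should catch.
CANDIDATE_SHOW_VER = (PRIMARY_SHOW_VER
                      .replace("Version 6.3(5)", "Version 6.3(4)")
                      .replace("an Unrestricted (UR)", "a Failover Only (FO)"))

_VERSION = re.compile(r"Cisco PIX Firewall Version (\S+)")
_PDM = re.compile(r"Cisco PIX Device Manager Version (\S+)")
_HARDWARE = re.compile(r"Hardware:\s+(\S+),\s+(\d+) MB RAM")
_INTERFACE = re.compile(r"\d+: (ethernet\d+): address is ([0-9a-f.]+)")
_LICENSE = re.compile(r"This PIX has an? .*\((\w+)\) license")
_FEATURE = re.compile(r"([\w\- ]+?):\s+(Enabled|Disabled|Unlimited|\d+)$")


def parse_show_version(text):
    """Pull the fields that matter for failover out of 'show version' output."""
    info = {"features": {}, "interfaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _VERSION.match(line):
            info["version"] = m.group(1)
        elif m := _PDM.match(line):
            info["pdm"] = m.group(1)
        elif m := _HARDWARE.match(line):
            info["platform"], info["ram_mb"] = m.group(1), int(m.group(2))
        elif m := _INTERFACE.match(line):
            info["interfaces"].append(m.group(1))
        elif m := _LICENSE.match(line):
            info["license"] = m.group(1)
        elif m := _FEATURE.match(line):
            info["features"][m.group(1)] = m.group(2)
    return info


def check_replacement(primary_text, candidate_text):
    """Return the mismatches that would stop the candidate serving as the standby.

    Mirrors step 1 of the thread: identical hardware and software, and a licence
    (UR or FO) with failover enabled. PDM version is parsed but not treated as a
    blocker, because the thread says matching PDM is not required for failover.
    """
    p, c = parse_show_version(primary_text), parse_show_version(candidate_text)
    problems = []
    for key, label in (("version", "software"), ("platform", "platform"), ("ram_mb", "RAM")):
        if p.get(key) != c.get(key):
            problems.append(f"{label} mismatch: primary {p.get(key)}, candidate {c.get(key)}")
    if len(p["interfaces"]) != len(c["interfaces"]):
        problems.append(f"interface count mismatch: primary {len(p['interfaces'])}, "
                        f"candidate {len(c['interfaces'])}")
    if c["features"].get("Failover") != "Enabled":
        problems.append("candidate licence does not have failover enabled")
    if c.get("license") not in ("UR", "FO"):
        problems.append(f"candidate licence type {c.get('license')} cannot run as the secondary unit")
    # A feature licensed on the active unit but not on the standby (e.g. 3DES) would
    # quietly change behaviour after a failover, so any feature difference is flagged.
    for name, value in p["features"].items():
        if c["features"].get(name) != value:
            problems.append(f"feature {name}: primary {value}, candidate {c['features'].get(name)}")
    return problems


if __name__ == "__main__":
    for issue in check_replacement(PRIMARY_SHOW_VER, CANDIDATE_SHOW_VER) or ["no blocking differences"]:
        print(issue)
```

Paste each unit's real "show version" into the two strings (or read them from files) and run it before step 4; an empty list is the go signal. With the constructed samples the only finding is the 6.3(4) versus 6.3(5) software mismatch, which is exactly the case where the new unit should be upgraded before it is cabled in.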

anandramapathy Wed, 06/13/2007 - 05:45

If you are using PDM, matching is preferred.

All configs/features done in PDM on the primary should be visible on the secondary too. In such a case it is very much required.

Installing PDM is not so difficult. Upload the same file as on the primary to the new secondary.

vitripat Wed, 06/13/2007 - 08:08

Hi,

Matching PDM version is *not* required for failover to work.

How to make sure that new PIX becomes "Standby"?

1) A Secondary unit can have either a UR or a Failover-Only license.

2) In cable-based failover, the *end* of the serial cable marked "secondary" should go into the Secondary/New firewall.

3) In LAN-based failover, you specifically configure the Secondary PIX to declare itself as the "Secondary" firewall.

Assuming that you have taken care of the points mentioned above, and the Primary PIX is running as the Active PIX, when you boot up the new Secondary PIX, it will definitely come up as the Standby unit .. given that there are no hardware issues .. :-D

Hope that helps.

Regards,

Vibhor.
