Hi Vibhor,

How can i make sure that this new PIX will work in Standby mode only and not in primary mode ?

regards

Neo

For LAN-based failover, you must set up the Ethernet link in advance. You must also define each unit as a primary or secondary unit within the configuration (as opposed to cable-based failover, where the serial failover cable itself defines these roles).

The active unit sends the configuration in running memory to the standby unit. On the standby unit, the configuration exists only in running memory. You can optionally save the configuration to Flash memory using the write memory command. If you save the configuration to Flash memory, and you reboot the standby unit when the active unit is unavailable, the standby unit can become the active unit because it has a valid configuration.

Hi Anand,

Before replacing the current standby PIX with the New_PIX , i want to make sure that when i connect New_PIX with the already Acitve PIX the New_PIX goes into StandBy mode .

What licence do i have to check on this StandBy PIX.

regards

Neo

Ensure the following is displayed when u do a show version

Licensed Features:

Failover: Enabled

FW# sh ver

Cisco PIX Firewall Version 6.3(4)

Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

FW up 284 days 5 hours

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.6bf6.693a, irq 11

1: ethernet1: address is 0003.6bf6.693b, irq 10

2: ethernet2: address is 0003.476b.cc72, irq 9

3: ethernet3: address is 0003.476b.ce5f, irq 7

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number:

Running Activation Key:

Configuration has not been modified since last system restart.

FW#

Hi Anand,

Thanks for that , one more question if you could help me on this.Does PDM version should also match ?

As on my Primary PIX , PDM is running 3.0(1)

and on my secondry PIX , PDM is running 2.0(2)

regards

Neo

If you are using PDM, Match is preferred.

All configs / features done on PDM on primary should be visible on the secondary too. In such case it is very much reqd.

Installing PDM is not so difficult. Upload the same file as in primary to the new secondary.

Hi,

I am not using the feature PDM in PIX, does it still matter ?

regards

Neo

Hi,

Matching PDM version is *not* required for failover to work.

How to make sure that new PIX becomes "Standby"?

1) A Secondary unit can have either UR or Failover-Only license.

2) In cable-based failover, the *end* of the serial cable marked as "secondary", should go into the Secondary/New firewall.

3) In Lan-based failover, you specifically configure the Secondary PIX to make declare itself as "Secondary" firewall.

Assuming that you have taken care of points mentioned above, and Primary PIX is running as Active PIX, when you bootup the new Secondary PIX, it will definately come up as Standby unit .. given that there are not hardware issues .. :-D

Hope that helps.

Regards,

Vibhor.

Hi Vibhor,

will there be any problem if UR license is running on both Active/Standby PIX.

regards

Neo

Hi Neo,

There wont be any issues if both firewalls have UR license.

Regards,

Vibhor.