02-05-2008 06:02 AM - edited 03-11-2019 04:59 AM
I have 2 PIX 535 firewalls that operate in a LAN-based failover scenario, in Active/Standby roles. The licenses running on them are Unrestricted, on the primary unit, and Failover Only-Active/Standby, on the secondary unit.
I tried to upgrade our dmz interface from a 100Mbps Ethernet card to a Gigabit Ethernet card. On inserting the GigE card, I moved the configuration from the Ethernet card to the GigE card, and then shut down the Ethernet card.
This was done on both PIX 535s.
The result was, we couldn't ping to either PIX, and from either PIX we couldn't ping to anywhere at all.
The interfaces showed they were "up,up", but on running "sh version" all interfaces were showing they were in "Normal" apart from the Inside intf, which showed "No Link (Waiting)".
We later rolled everything back and on inserting the blanking plate and powering up, everything returned to normal.
It turns out that what we thought was a blanking plate was the VAC+ card that we had removed.
How is removing it, and placing a GigE card instead, related to the results we were getting?
Does the licensing have anything to do with it as well?
Help, can't find answers anywhere.
02-11-2008 07:49 AM
If you remove the PIX interface, all the lines in the configuration that included the interface will go away. Try these steps to replace the card. Back up your configuration. Make note of the line that refers to the DMZ interface. Add the nameif command to associate the new interface with the name "dmz" and paste back in the commands that were removed.
02-12-2008 01:39 PM
Slot 0-4 is reserved for 66MHz GE card. Hope you had inserted the card in that slot?
Does the "show interface" suggest up and up?
Were you able to ping the interfaces from the firewall itself?
02-13-2008 01:29 AM
Part of the problem - possibly - was that we removed a VAC+ card and replaced it with the GigE card in slot 0, as we didn't have any other 64bit/66MHz slots to use.
The show interface showed all interfaces were up,up, but we couldn't ping to them or from the PIX to anywhere else.
We have since rolled back, and intend to attempt the upgrade again - this time we'll move the VAC+ card to a 33MHz slot, since we don't even use the PIX for any VPN terminations. Then we'll place the GigE card in the only 66MHz slot available, that the VAC+ card currently occupies.
02-13-2008 06:45 AM
Sure, let me know how it goes.
02-26-2009 04:26 AM
We have a similar problem.
Trying to add 6th physical interface.
If we have a license for 10 interfaces, does this mean 5 on primary and 5 on secondary make up a total of 10 interfaces?
See below for show version.
regards
SS
fireing-2a# sh ver
Cisco PIX Firewall Version 6.3(3)
Compiled on Wed 13-Aug-03 13:55 by morlee
fireing-2a up 126 days 23 hours
Hardware: PIX-535, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash DA28F320J5 @ 0xfffd8000, 128KB
Encryption hardware device : Crypto5823 (revision 0x1)
0: gb-ethernet0: address is 0003.47e1.27db, irq 255
1: gb-ethernet1: address is 0003.47e1.285c, irq 255
2: gb-ethernet2: address is 0003.47e1.2836, irq 255
3: gb-ethernet3: address is 000e.0ca1.7f35, irq 12
4: ethernet0: address is 0002.b397.2ec9, irq 12
5: ethernet1: address is 0002.b397.2a68, irq 255
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 10 ==============(does this mean 5 in primary and 5 in secondary?)
Maximum Interfaces: 24
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
Serial Number: 406110963 (0x1834c2f3)
Running Activation Key: 0x53b4a429 0xdfdc4819 0x4e69eeb0 0xc3d80204
Configuration last modified by amarn at 12:56:26.051 GMT/BST Thu Feb 26 2009
03-02-2009 09:15 AM
We do not have a similar issue.
The last comment I posted is not correct.
Actually, we do not have a similar problem, and it is not related to the license. Please ignore the comment above.