What is the step by step procedure to replace Faiolver PIX 515E?

astanislaus · ‎08-30-2009

I am looking for step by step procedure to replace the Secondary PIX.

We have a Primary PIX 515E with UR ( unrestricted license ) and a Secondary PIX515E with FO ( Failover License ) both running code 6.3(1) with Serial Cable Failover.

The FO unit failed.

I placed and received a RMA unit with FO license. It came with version 6.3(5) and I wanted to downgrade this spare unit to 6.3(1) before I went and connected it to the Production Primary Unit, because both units have to run the same code.

So I setup teh spare PIX on teh bench with my Laptop.

I had hell of a trouble getting IP connectivity between my Laptop Ethernet Port and the spare PIX515E inside interface until someone helped me out.

I was asked to do a show failover and found that the unit is in standby.

Then I did failover followed by failover standby.

Then when I did show failover, it said active.

Then I could get IP connectivity and TFTP 6.3(1) code into this unit.

Now I want to connect the above spare to the production Primary PIX.

I presume I should be able to do this without having to shut the primary unit as explained in this link:

http://www.cisco.com/en/US/docs/security/pix/pix63/hw/installation/guide/515.html#wp1048874

It sounds crazy to me that the above link asks to turn OFF both PIX.

So, I plan to connect the spare to the production PIX (without truning OFF the production PIX) and I hope that the config from the Primary will AUTOMATICALLY sync to this spare unit.

OR

Do I have to do a command such as write standby

Are all these procedures documented clearly at any url.

sunsrini · ‎08-31-2009

FO unit cannot operate in standalone mode. Thats the reason you had issues in getting IP connectivity

The link you referred is for initial failover setup. To bring up secondary, you dont need to power off Primary. Make sure the serial cable (secondary end) is connected properly. However, I would recommend a backup config from the Primary pix before connecting secondary, just incase.

astanislaus · ‎08-31-2009

Srini,

Thanks.

We attached the FO unit to teh working Primary unit and all went well including config sync.

Initially teh Primary said OS mismatch although both were at 6.3(1) but then it all went well.

Do I now need to do any

write mem on FO unit

or

write standby on Primary unit

to store config in NVRAm of Fo unit.

sunsrini · ‎08-31-2009

Yes, you should "write standby" in primary , to save the config in secondary's nvram.

Or "write mem" in primary would do the same as well.

astanislaus · ‎08-31-2009

Srini,

Thanks

I will do

write stanby on Primary

Can you point me a link that explains on a step by step procedure on replacing FO unit or on replacing a unit that had unrestricted license and has failed?

sunsrini · ‎09-01-2009

I dont find a link that has specific procedure.Usually replacing FO unit is as simple as connecting to the failover cable. Incase primary failed, the secondary remains Active until another manual failover happens again. Effectively, the new unit after replacement will come as standby. However, if you are using LAN Based failover, there is little configuration needed in the secondary unit before establishing failover sync with primary. That config should be same as bringing up a new failover pair.

You might have seen this link, just attaching incase.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

The procedure should not be any different if the unit failed had unrestricted license. In case the new unit miss out individual feature license, you will have to reach licensing team.