failover key in PIX

Unanswered Question
Oct 5th, 2009
User Badges:


Recently a audit point was raised by auditor, that the failover key is not enabled for the failover(PIX 515).

Please let me know how to enable the failover key between the PIX firewall without any downtime.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

Failover is a licensed feature - you probably have a restricted license. If you want to have fail over functionality - you need to purchase it.

However is sounds like you are not using fail over anyway - and the auditor is just pointing it out.

If you need it - you need to buy it and another PIX device to failover to.


Naveen kumar Tue, 10/06/2009 - 01:43
User Badges:

hi andrew,

The pix firewalls are already running on active-standby mode, but there is no failover key configured on the the point is to set the failover key on the firewalls without any downtime.

thanks in advance.

Naveen kumar Tue, 10/06/2009 - 01:59
User Badges:

Hi Andrew,

the firewalls are in sync and working fine in active-standby mode. the objective is to set the failover key for closure of the audit point without any downtime.

Export Certificate/Private Key in Failover Configuration

The primary device automatically replicates the private key/certificate to the secondary unit. Issue the command write memory in the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated by the active unit configuration.

Note: You must not manually import the certificates, keys, and trust points from the active device and then export to the standby device.

WARNING: Failover message decryption failure.

Error message:

Failover message decryption failure. Please make sure both units have the

same failover shared key and crypto license or system is not out of memory

This problem occurs due to failover key configuration. In order to resolve this issue, remove the failover key, and configure the new shared key.

uzair syed naveed Tue, 10/06/2009 - 03:47
User Badges:

well from what i have seen, unlike an ASA which uses just 1 licence for both pri and failover device, a pix uses 2 types of licence, a unrestricted and a failover one.

if the you enter the standby activation key in the primary device, why would the primary reflect this on the standby device, the activation key is one part which is not replicated, and the reason for this being that activation is NOT a part of the configs set.

Could you please clarify as i am still new into the world of networks and this is just something i have observed.

This post is actually refering to failover config - not licensing, my fault as that is what I first thought this was about.

I agree with some of what you say, however you can have a device with a restricted license - BUT contains failover functinonality.

You should not be able to put an unrestrcited feature activation key into an restricted device.

Do you have a specific issue that I or the Netpro forum can help with?

Saurabh Kishore Tue, 10/06/2009 - 16:56
User Badges:


If you are using a cable based failover you dont really need to configure a failover key on the security appliance.

failover key is only to encrypt all the communication between the failover devices. If failover key is not specified the communication between the failover devices happen in a clear text.

On the PIX security appliance platform, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication.

For more information you can refer to the following link

Do let me know if you have any further questions.


Naveen kumar Tue, 10/06/2009 - 20:37
User Badges:

Hi sakishor,

Cureently the firewall are running on the lan based cable failover, there is no failover key set for the same. now i have set the same without any downtime...

thanks in advance.


This Discussion