Failover PIX VPN certificate replication (SCEP)

Answered Question
Nov 10th, 2010

Hi,


Got a pair of PIX 525s on version 6.3(4) running in active/failover mode. I have recently configured VPNs authenticated by certificates, which involved the use of SCEP in order to get the certificate onto the PIX. The certificates were imported to the PIX from a Windows CA server with the SCEP add-in using the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263


All of this is working fine: the configuration was saved and the certificates were saved using 'ca save all'. Everything is working fine except that the certificates that were imported have not been replicated to the failover PIX; the command 'show ca certificate' does not show any certs there.


The private keys shown by 'sh ca mypubkey rsa' are the same on both devices.


I'm not able to find any documentation regarding how the certificates should be replicated to the failover PIX, and it is not possible to enroll the certificates again on the failover PIX using the commands they were initially imported by:


pix-fw# conf t
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.


pix-fw(config)# ca auth ca
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.


Has anyone else experienced a similar issue, or does anyone know how to get the failover PIX the new CA certificates?


Regards,

Sarunas

Correct Answer by Herbert Baerten (Cisco Employee), Tue, 11/16/2010 - 01:42

Hi Sarunas


Pix 6 indeed does not sync the keys and certificate automatically.

However, you should be able to accomplish this by first forcing a failover (i.e. making the secondary active), then enrolling the (now active) secondary with the CA.


hth

Herbert
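A defender-side check that follows from this thread, added here as an example and not part of the original discussion: after enrolling the secondary unit, confirm that both units actually hold the same certificates before relying on failover for a certificate-authenticated tunnel. The script below parses captured `show ca certificate` output from each unit and reports which serial numbers are missing on the standby. The sample outputs are constructed to approximate the PIX 6.x layout (block heading, `Status`, `Certificate Serial Number`, `Subject Name`); the hostnames, CA name and serial numbers are made up, and the exact field spacing on a real unit may differ, so adjust the parser to what your console shows.

```python
"""Compare the certificate inventory of an active and a standby PIX.

Added example, not code from the forum thread. It assumes you have pasted
the text of `show ca certificate` from each unit into a string or file and
that the output follows the PIX 6.x layout approximated below.
"""
import re

# Constructed sample: primary (active) unit after SCEP enrolment.
ACTIVE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c4d5e6f
  Key Usage: General Purpose
  Subject Name
    CN = Example Root CA
  Validity Date:
    start date: 08:00:00 UTC Jan 1 2010
    end   date: 08:00:00 UTC Jan 1 2020

Certificate
  Status: Available
  Certificate Serial Number: 7f8e9d0c1b2a
  Key Usage: General Purpose
  Subject Name
    CN = pix-fw.example.net
  Validity Date:
    start date: 09:15:00 UTC Nov 9 2010
    end   date: 09:15:00 UTC Nov 9 2011
"""

# Constructed sample: standby unit that, as in the thread, never received
# the certificates, so `show ca certificate` prints nothing at all.
STANDBY_OUTPUT = ""


def parse_certs(output):
    """Return {serial: {kind, subject, status}} for each certificate block.

    Blocks are separated by blank lines; the first line of a block is its
    heading ("CA Certificate", "Certificate", "RA Signature Certificate", ...).
    Serials are lower-cased so the two units compare consistently.
    """
    certs = {}
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].strip():
            continue
        kind = lines[0].strip()
        serial = subject = status = None
        for i, line in enumerate(lines[1:], 1):
            s = line.strip()
            if s.startswith("Certificate Serial Number:"):
                serial = s.split(":", 1)[1].strip().lower()
            elif s.startswith("Status:"):
                status = s.split(":", 1)[1].strip()
            elif s == "Subject Name" and i + 1 < len(lines):
                subject = lines[i + 1].strip()
        if serial:
            certs[serial] = {"kind": kind, "subject": subject, "status": status}
    return certs


def compare_units(active_output, standby_output):
    """Diff the two inventories by serial number.

    A serial present on the active unit but absent on the standby is the
    failure mode described in the thread: a failover would leave the new
    active unit unable to present its identity certificate.
    """
    active = parse_certs(active_output)
    standby = parse_certs(standby_output)
    return {
        "missing_on_standby": sorted(set(active) - set(standby)),
        "extra_on_standby": sorted(set(standby) - set(active)),
        "not_available": sorted(
            serial for serial, cert in list(active.items()) + list(standby.items())
            if cert["status"] != "Available"
        ),
    }


def report(active_output, standby_output):
    """Human-readable summary of compare_units()."""
    active = parse_certs(active_output)
    result = compare_units(active_output, standby_output)
    lines = []
    for serial in result["missing_on_standby"]:
        cert = active[serial]
        lines.append(f"MISSING on standby: {cert['kind']} serial {serial} ({cert['subject']})")
    for serial in result["extra_on_standby"]:
        lines.append(f"EXTRA on standby: serial {serial}")
    if not lines:
        lines.append("OK: both units hold the same certificate serials")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ACTIVE_OUTPUT, STANDBY_OUTPUT))
```

Run it once against the captures taken before the forced failover and again after re-enrolling the secondary; the second run should report no missing serials. The key check is separate: the thread already notes that `sh ca mypubkey rsa` showed matching keys on both units, so a cert that is present but does not match the key would still need to be caught by a test tunnel.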

sarunas_vance Mon, 11/22/2010 - 01:23

Hi Herbert,


I have successfully enrolled the certificates on the secondary PIX after I triggered a manual failover.

Thanks for your help!


Sarunas
