Cisco Support Community

New Member

failover key in PIX

Hi,

Recently an audit point was raised by the auditor that the failover key is not enabled for the failover (PIX 515).

Please let me know how to enable the failover key between the PIX firewalls without any downtime.

10 REPLIES

Re: failover key in PIX

Failover is a licensed feature - you probably have a restricted license. If you want to have failover functionality, you need to purchase it.

However, it sounds like you are not using failover anyway - and the auditor is just pointing it out.

If you need it, you need to buy it and another PIX device to fail over to.

HTH

New Member

Re: failover key in PIX

Hi Andrew,

The PIX firewalls are already running in active-standby mode, but there is no failover key configured on them. Now the point is to set the failover key on the firewalls without any downtime.

thanks in advance.

Re: failover key in PIX

Ahh, sorry - are you saying that you are missing the failover shared secret key?

Are the 2 devices in config sync?

New Member

Re: failover key in PIX

Hi Andrew,

The firewalls are in sync and working fine in active-standby mode. The objective is to set the failover key for closure of the audit point without any downtime.

Re: failover key in PIX

Well - if you configure the primary active firewall with the failover key, it will be replicated to the secondary and should not cause any interruption.

Just to be sure, perhaps configure it out of hours.

Re: failover key in PIX

Export Certificate/Private Key in Failover Configuration

The primary device automatically replicates the private key/certificate to the secondary unit. Issue the command write memory in the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated by the active unit configuration.

Note: You must not manually import the certificates, keys, and trust points from the active device and then export to the standby device.

WARNING: Failover message decryption failure.

Error message:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

This problem occurs due to failover key configuration. In order to resolve this issue, remove the failover key, and configure the new shared key.

New Member

Re: failover key in PIX

Well, from what I have seen, unlike an ASA which uses just one licence for both the primary and failover device, a PIX uses two types of licence, an unrestricted and a failover one.

If you enter the standby activation key in the primary device, why would the primary reflect this on the standby device? The activation key is one part which is not replicated, and the reason for this is that activation is NOT a part of the config set.

Could you please clarify, as I am still new to the world of networks and this is just something I have observed.

Re: failover key in PIX

This post is actually referring to failover config - not licensing; my fault, as that is what I first thought this was about.

I agree with some of what you say; however, you can have a device with a restricted license BUT which contains failover functionality.

You should not be able to put an unrestricted feature activation key into a restricted device.

Do you have a specific issue that I or the Netpro forum can help with?

New Member

Re: failover key in PIX

Hi,

If you are using cable-based failover, you don't really need to configure a failover key on the security appliance.

The failover key is only used to encrypt all the communication between the failover devices. If a failover key is not specified, the communication between the failover devices happens in clear text.

On the PIX security appliance platform, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication.

For more information you can refer to the following link

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927595

Do let me know if you have any further questions.

Thanks,
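The two points made in this thread (the key is entered once on the active unit and replicated to the standby, and it only matters for LAN-based failover, not for the serial failover cable) are easy to turn into a config audit. The script below is an added example written for this page, not code from the thread or from Cisco. The sample configurations are constructed; the interface names, IP addresses and the shared secret are hypothetical, and the command syntax assumed is the PIX/ASA 7.x-and-later "failover" command family documented at the link above (older PIX 6.x software used "failover lan key" instead).

```python
import re
from dataclasses import dataclass

# Constructed sample configs (hypothetical names, addresses and secret).
# CONFIG_BEFORE is the situation the auditor flagged: LAN-based failover, no key.
CONFIG_BEFORE = """\
hostname pix-primary
failover
failover lan unit primary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
"""

# CONFIG_AFTER is the same unit after "failover key" was entered on the active
# unit (show running-config may mask the value as ***** on some releases).
CONFIG_AFTER = """\
hostname pix-primary
failover
failover lan unit primary
failover lan interface folink Ethernet2
failover key S3cr3tF0k3y
failover link folink Ethernet2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
"""

# Serial-cable failover on a PIX has no "failover lan interface" line; the
# key does not encrypt the cable link, so its absence is not a finding there.
CONFIG_CABLE = """\
hostname pix-primary
failover
failover link folink Ethernet2
"""


@dataclass(frozen=True)
class FailoverAudit:
    enabled: bool
    lan_based: bool
    key_configured: bool
    findings: tuple


def _config_lines(config: str):
    # Drop blank lines and "!" comment separators, strip indentation.
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def audit_failover(config: str) -> FailoverAudit:
    """Check one unit's running config for the audit point raised in the thread."""
    lines = _config_lines(config)
    enabled = "failover" in lines                       # bare "failover" enables it
    lan_based = any(re.match(r"failover lan interface\s", l) for l in lines)
    key_configured = any(re.match(r"failover key\s", l) for l in lines)

    findings = []
    if not enabled:
        findings.append("INFO: failover is not enabled; the failover key is irrelevant")
    elif lan_based and not key_configured:
        findings.append("HIGH: LAN-based failover without 'failover key': hello messages "
                        "and configuration replication cross the failover link in clear text")
    elif not lan_based:
        findings.append("INFO: serial-cable failover: 'failover key' does not encrypt the "
                        "cable link, nothing to fix here")
    return FailoverAudit(enabled, lan_based, key_configured, tuple(findings))


def remediation_commands(shared_secret: str):
    """Commands to enter on the ACTIVE unit only (assumed 7.x+ syntax).

    The key is replicated to the standby as part of the configuration, and
    'write memory' on the active unit saves and replicates it, as the thread
    describes. Entering the key on the standby separately is not needed.
    """
    if not shared_secret or any(c.isspace() for c in shared_secret):
        raise ValueError("shared secret must be a single non-empty token")
    return ["configure terminal",
            f"failover key {shared_secret}",
            "end",
            "write memory"]


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                      ("cable", CONFIG_CABLE)):
        result = audit_failover(cfg)
        print(name, result.findings or ("OK: failover key configured",))
    print("\n".join(remediation_commands("S3cr3tF0k3y")))
```

Run it against the output of `show running-config` from each unit; because the key is replicated, both units should report the same result once the active unit has been configured and `write memory` issued. A mismatch between the units is exactly the condition that produces the "Failover message decryption failure" message quoted earlier in the thread.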

New Member

Re: failover key in PIX

Hi sakishor,

Currently the firewalls are running on LAN-based failover; there is no failover key set for them. Now I have set it without any downtime...

thanks in advance.
