I have two PIXs, one in Active and the other in Standby mode. I have faced some problems with the standby PIX, due to which I want to change my Standby PIX. Kindly let me know what steps I should keep in mind before going ahead with this activity.
These are PIX515s running 6.3(5) in failover mode.
Here are the steps you need to perform:
1) Make sure the new PIX has exactly the same hardware/software as the current secondary PIX and that it also has the appropriate license to run as a Secondary Firewall.
2) Make sure the Primary PIX is running as the "Active" Firewall and passing all traffic.
3) Perform "write erase" on the new PIX and reload. After the reload, don't make any configuration changes if using cable-based failover; just issue the "write memory" command.
If using LAN-based failover, perform the necessary commands to establish this unit as the Secondary unit. You can refer to the following link for the same:
Once done, shut down the new PIX.
4) Shut down the current Secondary PIX and disconnect all the cables.
5) Connect the new Secondary PIX.
6) Boot up the new PIX.
Once the new PIX comes up, it should automatically detect a running Active Firewall and sync the configuration from there.
Hope this helps.
For LAN-based failover, you must set up the Ethernet link in advance. You must also define each unit as a primary or secondary unit within the configuration (as opposed to cable-based failover, where the serial failover cable itself defines these roles).
The active unit sends the configuration in running memory to the standby unit. On the standby unit, the configuration exists only in running memory. You can optionally save the configuration to Flash memory using the write memory command. If you save the configuration to Flash memory, and you reboot the standby unit when the active unit is unavailable, the standby unit can become the active unit because it has a valid configuration.
Before replacing the current standby PIX with the New_PIX, I want to make sure that when I connect the New_PIX to the already Active PIX, the New_PIX goes into Standby mode.
What license do I have to check on this Standby PIX?
Ensure the following is displayed when you do a show version:
FW# sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
FW up 284 days 5 hours
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0003.6bf6.693a, irq 11
1: ethernet1: address is 0003.6bf6.693b, irq 10
2: ethernet2: address is 0003.476b.cc72, irq 9
3: ethernet3: address is 0003.476b.ce5f, irq 7
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Inside Hosts: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.
Running Activation Key:
Configuration has not been modified since last system restart.
Thanks for that, one more question if you could help me on this. Should the PDM version also match?
As on my Primary PIX, PDM is running 3.0(1)
and on my secondary PIX, PDM is running 2.0(2)
If you are using PDM, a match is preferred.
All configs/features done on PDM on the primary should be visible on the secondary too. In such a case it is very much required.
Installing PDM is not so difficult. Upload the same file as on the primary to the new secondary.
Matching PDM version is *not* required for failover to work.
How to make sure that the new PIX becomes "Standby"?
1) A Secondary unit can have either a UR or a Failover-Only license.
2) In cable-based failover, the *end* of the serial cable marked "secondary" should go into the Secondary/New firewall.
3) In LAN-based failover, you specifically configure the Secondary PIX to declare itself as the "Secondary" firewall.
Assuming that you have taken care of the points mentioned above, and the Primary PIX is running as the Active PIX, when you boot up the new Secondary PIX, it will definitely come up as the Standby unit, given that there are no hardware issues. :-D
Hope that helps.
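As an added example (not from the original thread and not a copy of Cisco's documentation), this is the minimal PIX 6.3 LAN-based failover configuration entered on the new secondary unit, covering the "necessary commands" of step 3 above and point 3 about declaring the unit Secondary. The physical interface ethernet2, the interface name lanfail, the 192.168.254.x addresses and the shared key are assumed placeholder values; the primary must already carry the matching commands with "failover lan unit primary", and the addresses and key must be identical on both units.

```text
: Entered on the NEW secondary PIX after "write erase" and reload (lines starting with ":" are comments).
: Dedicated failover interface; name, speed and addresses are assumed values.
nameif ethernet2 lanfail security10
interface ethernet2 100full
ip address lanfail 192.168.254.1 255.255.255.0
failover ip address lanfail 192.168.254.2
: This is the command that makes the unit declare itself Secondary (point 3 above).
failover lan unit secondary
failover lan interface lanfail
: Shared key must match the one on the primary; placeholder value.
failover lan key REPLACE-WITH-SHARED-KEY
failover lan enable
failover
write memory
: After the unit boots next to the Active primary, verify its role.
show failover
```

On the new unit, "show failover" should report it as Secondary and Standby Ready once the configuration has been synced from the Active primary; if it reports Failed or no peer is seen, check the cabling of the lanfail interface and that the key matches before touching the primary.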