Before you even start connecting two PIXs together for failover operation, I was told that the activation key is what distinguishes a primary PIX from a secondary. Is this true? Aren't firewalls independent from each other, meaning that a firewall can serve as either primary or secondary?
If the above statement is true, then the failover cable needs to strictly be connected where the Primary end connects to the Primary enabled PIX and the secondary connects to the Secondary enabled PIX.
If PIX FWs are strictly tagged as Primary or Secondary based on their Activation Key, how can we tell the difference? Is there any show command that displays the characteristic of the PIX FW?
I believe you are talking about the PIX Failover licence. Here's a quick explanation -
The failover licence is necessary if you wish to connect two PIXs together and perform either non-stateful or stateful failover. If you do not currently have a licence for failover, and wish to add it for your PIXs, it is a simple matter of paying Cisco the necessary money, and Cisco will then give you a key that you can use to unlock the failover feature.
A limited licence is typically indicated by the letter R in the software licence. A limited licence indicates that you have not purchased all the features for your PIX. However, if your licence is indicated by the letters UR, this indicates that you have an unrestricted licence and thus have access to ALL of the features of your PIX, such as Encryption, Failover, and Connections.
Actually, we have UR licences for each. We've been running failover for quite some time now, but our original PIXs have a Cisco field notice appended to their serial number (timing bug). I had to replace them, so I ordered RMA replacement PIXs. I was given two new activation codes to input into the RMA FWs.
The problem was that the activation codes from Cisco were not labelled as primary or secondary. That was when I questioned the properties of activation codes.
(Whether activation codes were specified for ONLY Primary or ONLY secondary pix functionality)
I've since emailed the Cisco TAC engineer who gave me the codes and she pointed out which activation code was for Primary use and which one was for secondary use.