Community Member

Failover PIX VPN certificate replication (SCEP)

Hi,

Got a pair of PIX 525s on version 6.3(4) running in active/failover mode. I have recently configured VPNs authenticated by certificates, which involved the use of SCEP in order to get the certificate onto the PIX. The certificates were imported to the PIX from a Windows CA server with the SCEP add-in using the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .

All of this is working fine, the configuration was saved, the certificates were saved using 'ca save all', everything is working fine except that the certificates that were imported have not been replicated to the failover PIX - the command 'show ca certificate' does not show any certs.

The private keys shown by 'sh ca mypubkey rsa' are the same on both devices.

I'm not able to find any documentation regarding how the certificates should be replicated to the failover PIX, and it is not possible to enroll the certificates again on the failover PIX using the commands they were initially imported by:

pix-fw# conf t
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.

pix-fw(config)# ca auth ca
**** WARNING ***
         Configuration Replication is NOT performed from Standby unit to Active unit.
         Configurations are no longer synchronized.

Has anyone else experienced a similar issue, or does anyone know how to get the failover PIX the new CA certificates?

Regards,

Sarunas

Accepted Solution
Cisco Employee

Re: Failover PIX VPN certificate replication (SCEP)

Hi Sarunas

Pix 6 indeed does not sync the keys and certificate automatically.

However, you should be able to accomplish this by first forcing a failover (i.e. making the secondary active), then enrolling the (now active) secondary with the CA.

hth

Herbert
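The sequence Herbert describes, written out as an added example (not part of the original thread and not Cisco documentation). It is typed on the console of the secondary PIX 6.3 unit. Assumptions: the CA identity is nicknamed "ca" (as in Sarunas's transcript), the RSA key already matches on both units (as Sarunas observed with 'sh ca mypubkey rsa'), so no new key is generated, and <CA-CHALLENGE> is a placeholder for the SCEP challenge password issued by the CA. Lines beginning with '!' are annotations, not typed commands.

```cisco
! Added example: enrolling the standby PIX 6.3 unit with the CA.
! Assumes CA nickname "ca", matching RSA keys on both units, and
! <CA-CHALLENGE> as a placeholder for the SCEP challenge password.

pix-fw> enable
pix-fw# show failover
! Confirm this unit is currently reported as the Secondary / Standby host.

pix-fw# configure terminal
pix-fw(config)# failover active
! The secondary becomes Active. Configuration commands are now accepted
! instead of producing the "Configuration Replication is NOT performed
! from Standby unit to Active unit" warning seen in the original post.

pix-fw(config)# ca authenticate ca
! Retrieves the CA certificate and prints its fingerprint. Compare it
! against the fingerprint already trusted on the primary before accepting.

pix-fw(config)# ca enroll ca <CA-CHALLENGE>
! Requests this unit's identity certificate via SCEP using the existing key.

pix-fw(config)# show ca certificate
! Both the CA certificate and the PIX's own certificate should now be listed.

pix-fw(config)# ca save all
pix-fw(config)# write memory
! Certificates are stored separately from the running configuration:
! 'ca save all' persists them to flash; 'write memory' saves the rest.

pix-fw(config)# no failover active
! Hand the Active role back to the primary once the VPN has been verified
! while this unit was Active.
```

Two points worth checking afterwards: the fingerprint displayed by 'ca authenticate' should match what the primary shows for the same CA, and 'show ca certificate' on each unit should list that unit's own certificate, since after this procedure each PIX holds its own enrolled identity rather than a replicated copy.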

2 REPLIES
Community Member

Re: Failover PIX VPN certificate replication (SCEP)

Hi Herbert,

I have successfully enrolled the certificates on the secondary PIX after I triggered a manual failover.

Thanks for your help!

Sarunas
