Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Pix failover SSH key


Is there a workaround with regards to being unable to SSH to the secondary pix firewall once having failed over?




Community Member

Re: Pix failover SSH key

Hi Paul,

Actually, I've wondered about this myself. On the PIX side of things, I don't think theres much that you can do. I'm not aware of a way to copy over the generated RSA keys from the Primary to the Secondary, or vice versa.

It all depends on your SSH client, I suppose. If you SSH to the PIX via a UN*X environment, you could remove the cached server key saved in your known_hosts file. Normally this is located under ~/.ssh/known_hosts.

If you use a Windows SSH client (or some other OS), you'll have to consult your clients documentation.

Normally there's an option you can give when starting up the SSH client to not strictly enforce host key checking, but by doing so it opens up a whole new can of worms..



Community Member

Re: Pix failover SSH key

"If you use a Windows SSH client ... " never!!! :-)

I can remove the ~/.ssh/known_hosts.

So let me see if I have this correct...

When I do a 'ca generate rsa key 1024' the failover pix will do this as well; generating its own key due to the fact that, when I pushed enter, the command was also sent over the failover cable to the secondary PIX unit?


When I do a 'ca save all' the secondary PIX will do the same but save the key that IT generated.

So I should still be able to log into the seconday pix once failed over, having to remove or edit the known_hosts file

Community Member

Re: Pix failover SSH key

Correct. I have to do the same process with mine.. It's a bit of a pain, but hopefully your PIX's don't fail often enough that your always editing the known_hosts file ;-)

CreatePlease to create content