Actually, I've wondered about this myself. On the PIX side of things, I don't think there's much that you can do. I'm not aware of a way to copy over the generated RSA keys from the Primary to the Secondary, or vice versa.
It all depends on your SSH client, I suppose. If you SSH to the PIX via a UN*X environment, you could remove the cached server key saved in your known_hosts file. Normally this is located under ~/.ssh/known_hosts.
If you use a Windows SSH client (or some other OS), you'll have to consult your client's documentation.
Normally there's an option you can give when starting up the SSH client to not strictly enforce host key checking, but by doing so it opens up a whole new can of worms...
"If you use a Windows SSH client ... " never!!! :-)
I can remove the ~/.ssh/known_hosts.
So let me see if I have this correct...
When I do a 'ca generate rsa key 1024' the failover pix will do this as well; generating its own key due to the fact that, when I pushed enter, the command was also sent over the failover cable to the secondary PIX unit?
When I do a 'ca save all' the secondary PIX will do the same but save the key that IT generated.
So I should still be able to log into the secondary pix once failed over, having to remove or edit the known_hosts file.
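An added example, not part of either post above: instead of deleting ~/.ssh/known_hosts or turning off strict host key checking, remove only the failover address's entry with `ssh-keygen -R`, or pin both units' keys under the one address. It assumes the two units hold different keys; the addresses and keys are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Constructed demo: works on a throwaway known_hosts file, never on ~/.ssh/known_hosts.
# Both addresses are documentation-range placeholders, not values from the thread.
PIX_ADDR="192.0.2.1"
OTHER_HOST="192.0.2.50"
WORK="$(mktemp -d)"
KH="$WORK/known_hosts"
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for the host keys of the two failover units (assumed to differ)
# and for one unrelated server.
for unit in primary secondary other; do
    ssh-keygen -q -t rsa -b 2048 -N '' -C "$unit" -f "$WORK/$unit"
done

# Append "<host> <keytype> <base64>" for a public key file.
pin_key() {        # $1 = host, $2 = public key file
    awk -v h="$1" '{ print h, $1, $2 }' "$2" >> "$KH"
}

# Number of keys currently pinned for a host (0 if none).
pinned_count() {   # $1 = host
    ssh-keygen -F "$1" -f "$KH" 2>/dev/null | grep -vc '^#' || true
}

# Remove only this host's entries; every other line in the file is kept.
forget_host() {    # $1 = host
    ssh-keygen -q -R "$1" -f "$KH" >/dev/null 2>&1
}

pin_key "$OTHER_HOST" "$WORK/other.pub"
pin_key "$PIX_ADDR"   "$WORK/primary.pub"
# After a failover the same address presents the other unit's key. Once its
# fingerprint has been checked out of band, pin it next to the first one:
pin_key "$PIX_ADDR"   "$WORK/secondary.pub"
echo "keys pinned for $PIX_ADDR: $(pinned_count "$PIX_ADDR")"
```

With both keys pinned, the client accepts whichever unit is active and still rejects any third key presented on that address.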
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...