PIX OS 7.x failover and VPN.

johnleeee
Level 1

Hi all,

I want to configure failover on our PIX 525 (PIX OS 7.x), through a serial cable and a dedicated interface.

My question is:

We have IP addresses on the inside, outside and DMZs. On the primary PIX I assign other IP addresses (for the secondary PIX).

What happens related to VPN when failover occurs?

We use VPN to connect our users to the primary IP address of the PIX (on the outside). And for the primary PIX we have a certificate issued.

I know that when we configure failover the configuration will be replicated, but we are confused about the secondary IP address and possible problems related to this. Should we allow VPN traffic through our active devices on the new IP address as well?

BR.

jl

4 Replies

romason
Cisco Employee

The active IP should remain the same upon failover.

Also the certificate should replicate as well once installed on the active PIX and after issuing a wr mem.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm

Standby unit should not enroll its own certificate, at least for VPN failover purposes.

If active/standby do not have the same key/certificate, VPN tunnels cannot survive across failover.

When the standby unit first joins the active unit, all the keys on the standby unit will be erased and then re-populated by the active unit.

Not sure what 7.x code you are running but this bug may be of interest:

CSCse45327

Externally found moderate defect: Verified (V)

VPN stateful failover gets out of sync

HTH,

Chuck

Hi Chuck,

that's the problem. I've configured failover with PIX OS 7.0.4. But the certificate from the primary PIX did not copy to the secondary. How to resolve this kind of problem?

About the IP addresses: why do I need to configure a secondary IP address when the primary IP address will still be in use?

Thanks,

jl

The IP is how you reach each device. Upon a failover the IPs swap between the boxes but the MAC addresses remain the same.

If the cert is on the active, please enable the following debug:

(config)# debug fover sync

While capturing the debug output from the "standby" box, issue a "wr standby" on the active and let me know what you get.

Thanks,

Chuck
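The active/standby addressing Chuck describes, as an added example that is not part of this thread: a PIX 7.x cable-based failover configuration with a dedicated stateful link, where each interface carries the active address (which VPN users and the certificate are tied to) plus a standby address that moves to whichever unit is standby. Interface names and all addresses are constructed.

```cisco
! Added example, not the poster's or Cisco's configuration. Addresses are constructed.
! Each data interface gets the active address plus a standby address; on failover the
! active address (and its VPN endpoint role) moves to the unit that becomes active.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated interface used as the stateful failover link (the serial cable carries
! the failover control traffic on a cable-based PIX 525 pair).
interface Ethernet2
 description stateful failover link
!
failover
failover link stateful Ethernet2
failover interface ip stateful 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
! After enrolling the certificate on the active unit only, save so it replicates:
!   write memory
! Then verify on both units:
!   show failover
!   show crypto ca certificates
!   show vpn-sessiondb summary
```

Only the active unit should enroll the certificate; after write memory, show crypto ca certificates on the standby should list the same certificate, which is the condition romason gives for VPN tunnels surviving a failover.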

Hi Chuck,

thanks a lot for the answer and help.

It was helpful for us. Config is the same now and I see the certificate on both devices.

But I don't know where the problem was, because when I issued wr standby and looked on the standby PIX, the certificates were there.

Thanks a lot.

jl
