Cisco Support Community
How to replace the primary PIX Firewall in a failover environment

Resolution

Before the primary is taken out of service, make sure that the secondary unit holds the current configuration of the primary PIX Firewall. If the primary is still reachable, issue the following on it to copy the running configuration to the standby unit:

pixfirewall# configure terminal
pixfirewall(config)# copy standby

(The PIX command reference documents this RAM-to-RAM copy to the standby unit as write standby; use that form if your release does not accept copy standby.)

The configuration is copied to the standby unit. Once this completes, take the primary PIX out of service by shutting it down, and confirm that the secondary PIX has taken over before you physically remove the primary. This can be done by issuing the following command on the secondary unit:

secondarypix# configure terminal
secondarypix(config)# show failover

The output should look like the following:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
        This host: Secondary - Active
                Active time: 30 (sec)
                Interface FailLink (172.16.31.2): Normal
                Interface 4th (172.16.16.1): Normal
                Interface int5 (192.168.168.1): Normal
                Interface intf2 (192.168.1.1): Normal
                Interface outside (209.165.200.225): Normal
                Interface inside (10.1.1.4): Normal

At this point the output must report This host: Secondary - Active. Only then is it safe to physically remove the primary PIX.

Note: If the secondary unit is not active at this point, stop and troubleshoot the failover pair before removing the primary. With the primary shut down and the secondary still in standby, no unit is passing traffic.

Once the old primary unit has been removed, physically install the new primary unit. Its hardware and software must match the secondary unit: the same PIX model, the same amount of RAM and flash, the same number and type of interfaces in the same slots, and the same PIX software version. If these requirements are not met, the new primary PIX will not operate properly as a failover partner.

Once the new primary PIX has been attached properly and is running, it needs the existing configuration. This can be loaded through TFTP or entered manually at the console. The entire configuration is not necessary at this stage, but the interfaces (the interface, nameif and ip address lines) must match the secondary, and the failover commands (failover, a failover ip address for each interface, and failover link if a stateful failover interface is used) must be in place so that the two units can see each other. TFTP is unauthenticated and unencrypted, so serve the file from a host on the inside network or enter the bootstrap from the console rather than pulling it across an untrusted segment. Issue the show failover command again on the secondary unit. The output from the previous show failover command will appear along with the following:

        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface FailLink (172.16.31.2): Normal

This verifies that the new primary PIX is attached and recognized by failover. Now issue the copy standby command on the secondary unit (the currently active unit) to copy the full configuration from the secondary PIX to the new primary PIX; as above, the PIX command reference documents this copy as write standby.

PIX failover does not preempt: the secondary stays active until it is told otherwise. Issue the failover active command on the new primary PIX so that it resumes the active role. Then issue show failover on the new primary and confirm that it reports This host: Primary - Active and the secondary as Standby. Finally, issue the write memory command on the new primary PIX to save the configuration to flash; until you do, the configuration pushed from the secondary exists only in RAM and is lost if the unit reboots.
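As an added illustration, not part of the original article, the following is the kind of minimal bootstrap configuration the new primary needs (the "interfaces set up properly and failover commands in place" step above) before the secondary can push the full configuration to it. It is written in PIX 6.x syntax and reuses the interface names and active addresses that appear in the show failover output above; the ethernet slot assignments, security levels, netmasks and the standby (failover) addresses are assumptions chosen for the example.

```text
: Minimal bootstrap for the NEW primary PIX (added example, PIX 6.x syntax).
: Interface names and the active addresses match the show failover output
: in this article; the ethernet slot numbers, security levels, netmasks and
: the standby addresses below are assumptions for illustration only.

: Interface hardware and names. These must match the secondary exactly,
: or the pair will not synchronize.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 FailLink security20
nameif ethernet4 4th security30
nameif ethernet5 int5 security40

: System (active) addresses: whichever unit is active answers on these.
ip address outside 209.165.200.225 255.255.255.224
ip address inside 10.1.1.4 255.255.255.0
ip address intf2 192.168.1.1 255.255.255.0
ip address FailLink 172.16.31.2 255.255.255.0
ip address 4th 172.16.16.1 255.255.255.0
ip address int5 192.168.168.1 255.255.255.0

: Failover: enable it, give every interface a standby address so the two
: units can poll each other on every interface, and name the dedicated
: interface that carries stateful (connection-table) replication.
failover
failover ip address outside 209.165.200.226
failover ip address inside 10.1.1.5
failover ip address intf2 192.168.1.2
failover ip address FailLink 172.16.31.3
failover ip address 4th 172.16.16.2
failover ip address int5 192.168.168.2
failover link FailLink
failover poll 15
failover replication http
```

Once this bootstrap is in place and show failover on the secondary lists the other host as Standby, the copy from the secondary overwrites the new primary's running configuration with the full one, so nothing beyond the interface and failover lines needs to be typed by hand. Keep FailLink on a dedicated, directly connected segment: the stateful failover link carries connection-table updates in the clear, so it should not share a LAN with user traffic.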

For more information about failover, refer to How Failover Works on the Cisco Secure PIX Firewall.

Problem Type

How to (General Information)

Product Family

Firewall - PIX 500 series

PIX Software Version

PIX versions 4.0, 4.1, 4.2, 4.3, 4.4, 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 6.2, 6.3

PIX Model

515, 515E, 520, 525, 535

Features & Tasks

Failover

Version history
Revision #: 1 of 1
Last update: 06-18-2009 03:49 PM