Cisco Support Community

How to replace the secondary PIX Firewall in a failover environment

Resolution

Verify that the primary PIX Firewall is actually the active PIX for failover, by issuing the following command on the primary:

pixfirewall# configure terminal
pixfirewall(config)# show failover

The output should look like the following:

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
        This host: Primary - Active
                Active time: 30 (sec)
                Interface FailLink (172.16.31.2): Normal
                Interface 4th (172.16.16.1): Normal
                Interface int5 (192.168.168.1): Normal
                Interface intf2 (192.168.1.1): Normal
                Interface outside (209.165.200.225): Normal
                Interface inside (10.1.1.4): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface FailLink (172.16.31.1): Normal

After you have confirmed that the primary PIX is actually the active PIX, remove the secondary PIX from the setup by shutting down the secondary unit. Before physically removing the secondary PIX, issue the show failover command again to make sure that the primary PIX is still active.

Once the old secondary unit has been removed, physically install the new secondary unit. The hardware and software on the new secondary PIX must match the primary unit. If these requirements are not met, the new unit will not operate properly in a failover environment.

Once the new secondary PIX is attached properly and running, load the existing configuration onto the new unit, either through TFTP or by entering it manually. The entire configuration is not required at this stage, but the interfaces must be set up correctly and the failover commands must be in place. Issue the show failover command again on the secondary unit. The information from the previous show failover command will appear along with the following:

        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface FailLink (172.16.31.1): Normal

This confirms that the secondary PIX is properly attached and participating in failover. Issue the copy standby command on the primary unit to copy the full configuration from the primary PIX to the new secondary PIX.
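The procedure above rests on reading show failover output correctly at each step: the primary must report itself as Primary - Active with every interface Normal, and the peer as Secondary - Standby, both before the old unit is pulled and after the new one is attached. The following Python script is an added example, not part of the original Cisco document; it parses the show failover output format shown on this page (pasted or captured from the console, as constructed sample text here) and returns a list of reasons why the secondary should not be removed yet. The output layout of other PIX versions is assumed to follow the same "This host"/"Other host"/"Interface" lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the show failover output shown on this page, retyped as
# plain text so the parser can be exercised offline.
SAMPLE_OUTPUT = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 15 seconds
failover replication http
        This host: Primary - Active
                Active time: 30 (sec)
                Interface FailLink (172.16.31.2): Normal
                Interface 4th (172.16.16.1): Normal
                Interface int5 (192.168.168.1): Normal
                Interface intf2 (192.168.1.1): Normal
                Interface outside (209.165.200.225): Normal
                Interface inside (10.1.1.4): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface FailLink (172.16.31.1): Normal
"""


@dataclass
class HostState:
    unit: str                       # "Primary" or "Secondary"
    role: str                       # "Active" or "Standby"
    interfaces: Dict[str, str] = field(default_factory=dict)  # name -> status


@dataclass
class FailoverState:
    enabled: bool
    cable: str
    this_host: Optional[HostState]
    other_host: Optional[HostState]


# Line patterns as they appear in the output on this page (whitespace tolerant).
HOST_RE = re.compile(r"^\s*(This|Other)\s+host:\s*(\w+)\s*-\s*(\w+)", re.I)
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s*\(([^)]*)\)\s*:\s*(\w+)", re.I)
CABLE_RE = re.compile(r"^\s*Cable status:\s*(\w+)", re.I)


def parse_show_failover(text: str) -> FailoverState:
    """Parse show failover output into a FailoverState."""
    state = FailoverState(enabled=False, cable="", this_host=None, other_host=None)
    current: Optional[HostState] = None
    for line in text.splitlines():
        if line.strip().lower().startswith("failover on"):
            state.enabled = True
            continue
        m = CABLE_RE.match(line)
        if m:
            state.cable = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            # A host header starts a new block; interface lines below belong to it.
            current = HostState(unit=m.group(2), role=m.group(3))
            if m.group(1).lower() == "this":
                state.this_host = current
            else:
                state.other_host = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces[m.group(1)] = m.group(3)
    return state


def removal_check(text: str) -> List[str]:
    """Return reasons it is NOT yet safe to remove the secondary; empty means safe."""
    s = parse_show_failover(text)
    problems: List[str] = []
    if not s.enabled:
        problems.append("failover is not enabled")
    if s.cable and s.cable.lower() != "normal":
        problems.append(f"cable status is {s.cable}")
    th = s.this_host
    if th is None or th.unit.lower() != "primary" or th.role.lower() != "active":
        problems.append("this host is not 'Primary - Active'")
    else:
        bad = [n for n, st in th.interfaces.items() if st.lower() != "normal"]
        if bad:
            problems.append("primary interfaces not Normal: " + ", ".join(bad))
    oh = s.other_host
    if oh is None or oh.unit.lower() != "secondary" or oh.role.lower() != "standby":
        problems.append("other host is not 'Secondary - Standby'")
    return problems


if __name__ == "__main__":
    issues = removal_check(SAMPLE_OUTPUT)
    print("safe to remove secondary" if not issues else "not safe: " + "; ".join(issues))
```

Run it against the captured output before shutting down the old secondary, and again after the new secondary is attached; an empty result corresponds to the healthy state the document tells you to look for, while any listed reason means the show failover output does not match what the procedure expects.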

For more information about failover, refer to How Failover Works on the Cisco Secure PIX Firewall.

Problem Type
How to (General Information)

Product Family
Firewall - PIX 500 series

PIX Software Version
PIX version 4.0, 4.1, 4.2, 4.3, 4.4, 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 6.2, 6.3

PIX Model
515, 515E, 520, 525, 535

Features & Tasks
Failover
