- PIX failover question
PDA

View Full Version : PIX failover question

Paul C.
07-25-2004, 01:42 AM
We have one PIX 525 installed with an unrestricted license, and just
bought a second one with the failover bundle for redundancy. I've
read a bunch of stuff about how the hardware and software must be
totally identical for failover to work right. Everything is the same
except for one small thing I'm not sure about.

On the current active PIX:

# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

<snip>

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled

The failover PIX we just received is running the same OS, same
interfaces, etc; however, it's got something different on the
"VPN-3DES" entry:

# sh ver

<snip>

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled


Also, the 2nd PIX shows some kind of crypto device entry that's not on
the primary one:

Encryption hardware device : Crypto5823 (revision 0x1)

Does that show up simply because the 2nd PIX has the 3DES activation
key?

We don't do any VPN on the PIX, it's just a firewall. Am I going to
have to make the activation keys be the same on both boxes before I
can do failover? Can't just test it out, since the first one is in an
active production environment.
Walter Roberson
07-25-2004, 01:42 AM
In article <7939c00e.0403150832.7971fa0d@posting.google.com>,
Paul C. <pablo_conn@hotmail.com> wrote:
:We have one PIX 525 installed with an unrestricted license, and just

:On the current active PIX:

:Cisco PIX Firewall Version 6.3(3)

:Licensed Features:
:Failover: Enabled
:VPN-DES: Enabled
:VPN-3DES-AES: Disabled

If you are in most countries in the world, you can apply for a free
upgrade to support 3DES/AES . There's a form you have to fill out
on one of Cisco's pages and they will send you a new license key.
(But to be honest, chances are that that new license key will have
3DES support but not Failover support, so at that point you'll
likely have to send email to licensing@cisco.com containing all the
details, and they'll do it properly.)


:Also, the 2nd PIX shows some kind of crypto device entry that's not on
:the primary one:

That's hardware. Did you upgrade your 525 from Restricted to
Unrestricted? The Unrestricted has a VPN card bundled in.
(I seem to remember reading that the price of upgrading the 525 from
Restricted to Unrestricted is supposed to include a VAC card, but
I'm not sure about that.)
--
Most Windows users will run any old attachment you send them, so if
you want to implicate someone you can just send them a Trojan
-- Adam Langley