https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466124#M533572 <HTML><HEAD></HEAD><BODY><P>weird,</P><P></P><P>so you don't have:</P><P>(config)#context <NAME></NAME></P><P>configured anywhere either?</P><P></P><P>So all you did was add:</P><P>(config-if)#ip address active_addr netmask standby standby_addr</P><P></P><P>I assume you are using stateful failover? You don't have an IP or name configued on the state-link interface right?</P><P></P></BODY></HTML> Tue, 06 Sep 2005 19:13:08 GMT Steven Bourque 2005-09-06T19:13:08Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466121#M533569 <P>Upgraded 6.3 to 7.0 on 515E, purchased FO license for another PIX 515E. </P><P></P><P>For some reason the Primary PIX wants active/active failover. I have not configured any contexts in the config, i assume it is on by default? This wont work with FO license, from what i have read- no biggie, but how do i change the active/active to active/standby...</P><P></P><P>I have a working config on the fw and everything else works fine.</P><P></P><P>The ASDM is about as much junk as the PDM- and it works whenever it desires... thought may be something in there? I cant find anything in CLI to change it- do i have to change it to multiple mode, and then switch it back to single? Is it license related- doubt it?</P><P></P><P>I have another FW, FO group setup running 6.3 and had no problems setting it up...</P><P></P><P>Ideas</P> Fri, 21 Feb 2020 08:22:29 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466121#M533569 bklawson 2020-02-21T08:22:29Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466122#M533570 <HTML><HEAD></HEAD><BODY><P>You are correct FO license does not support active/active</P><P></P><P>You should look at:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008045247e.html#wp1058096" target="_blank">http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008045247e.html#wp1058096</A></P><P></P><P>It shows how to configure active/standby on PIX ver 7.0 for both failover and LAN Based failover. (it also shows active/active which you seem to have configured)</P><P></P><P>Pretty much it looks like for active/standby you don't use failover groups...</P><P></P><P>I've never used PDM or ASDM.. so no help there.</P><P></P><P></P></BODY></HTML> Tue, 06 Sep 2005 18:34:01 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466122#M533570 Steven Bourque 2005-09-06T18:34:01Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466123#M533571 <HTML><HEAD></HEAD><BODY><P>Agreed- been there, but i have not configured any groups - all that was done was added a standby IP for the interfaces, attached the cisco FO cable, </P><P>and enabled failover...</P><P></P><P>This is why I am confused- the FW is set as single mode, I have tried to force it to single mode- but it states this is the same mode it is using...</P><P></P><P>The connection on the FO cable for the secondary has "failed"- I am assuming this is correct due to the A/A issue?</P><P></P><P></P><P>I suppose i could rebuild the failover, but any ideas on why it is using A/A vs A/S... </P></BODY></HTML> Tue, 06 Sep 2005 18:54:54 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466123#M533571 bklawson 2005-09-06T18:54:54Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466124#M533572 <HTML><HEAD></HEAD><BODY><P>weird,</P><P></P><P>so you don't have:</P><P>(config)#context <NAME></NAME></P><P>configured anywhere either?</P><P></P><P>So all you did was add:</P><P>(config-if)#ip address active_addr netmask standby standby_addr</P><P></P><P>I assume you are using stateful failover? You don't have an IP or name configued on the state-link interface right?</P><P></P></BODY></HTML> Tue, 06 Sep 2005 19:13:08 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466124#M533572 Steven Bourque 2005-09-06T19:13:08Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466125#M533573 <HTML><HEAD></HEAD><BODY><P>NOPE- unrecognizable command: for </P><P>(config)#context ?</P><P></P><P></P></BODY></HTML> Tue, 06 Sep 2005 19:19:00 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466125#M533573 bklawson 2005-09-06T19:19:00Z https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466126#M533574 <HTML><HEAD></HEAD><BODY><P>OK- figured it out. First even my rep didnt realize this...</P><P></P><P>When i rebooted my FO pix, i noticed a boot error stating a 3DES mismatch. </P><P></P><P>"Mate's License (VPN-3DES-AES Enabled) is not compatible with my </P><P>license (VPN-3DES-AES Disabled) Failover will be disabled..." </P><P></P><P>So, i installed a new license for FO w/ 3DES and it took off, and is active/standby as expected. I guess the A/A is default, until it is negotiated...</P><P></P><P>Learn something everyday in this Biz...</P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Tue, 06 Sep 2005 21:00:28 GMT https://community.cisco.com/t5/network-security/pix-7-0-failover-issue/m-p/466126#M533574 bklawson 2005-09-06T21:00:28Z