failover key in PIX

CSCO10905906
Level 1

Hi,

Recently an audit point was raised by the auditor that the failover key is not enabled for failover (PIX 515).

Please let me know how to enable the failover key between the PIX firewalls without any downtime.


andrew.prince
Level 10

Failover is a licensed feature - you probably have a restricted license. If you want failover functionality, you need to purchase it.

However, it sounds like you are not using failover anyway - and the auditor is just pointing it out.

If you need it, you need to buy it and another PIX device to fail over to.

HTH

hi andrew,

The PIX firewalls are already running in active-standby mode, but there is no failover key configured on them. Now the point is to set the failover key on the firewalls without any downtime.

thanks in advance.

Ahh sorry - are you saying that you are missing the failover shared secret key?

Are the 2 devices in config sync?

Hi Andrew,

The firewalls are in sync and working fine in active-standby mode. The objective is to set the failover key for closure of the audit point without any downtime.

Well - if you configure the primary active firewall with the failover key, it will be replicated to the secondary and should not cause any interruption.

Just to be sure, perhaps configure it out of hours.

Export Certificate/Private Key in Failover Configuration

The primary device automatically replicates the private key/certificate to the secondary unit. Issue the command write memory in the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated by the active unit configuration.

Note: You must not manually import the certificates, keys, and trust points from the active device and then export to the standby device.

WARNING: Failover message decryption failure.

Error message:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

This problem occurs due to failover key configuration. In order to resolve this issue, remove the failover key and configure the new shared key.

Well, from what I have seen, unlike an ASA, which uses just one licence for both the primary and the failover device, a PIX uses two types of licence: an unrestricted one and a failover one.

If you enter the standby activation key in the primary device, why would the primary reflect this on the standby device? The activation key is one part which is not replicated, the reason being that activation is NOT a part of the config set.

Could you please clarify, as I am still new to the world of networks and this is just something I have observed.

This post is actually referring to failover config - not licensing; my fault, as that is what I first thought this was about.

I agree with some of what you say; however, you can have a device with a restricted license BUT which contains failover functionality.

You should not be able to put an unrestricted feature activation key into a restricted device.

Do you have a specific issue that I or the Netpro forum can help with?

Saurabh Kishore
Level 1

Hi,

If you are using cable-based failover, you don't really need to configure a failover key on the security appliance.

The failover key is only there to encrypt the communication between the failover devices. If a failover key is not specified, the communication between the failover devices happens in clear text.

On the PIX security appliance platform, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication.

For more information you can refer to the following link

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927595

Do let me know if you have any further questions.

Thanks,
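As an added example, not from the original thread or from Cisco's documentation: a LAN-based active/standby failover configuration in PIX 7.x syntax, shown first without a shared key (the audit finding: failover traffic crosses the failover link in clear text) and then with `failover key`. The interface name `folink`, the physical interface `Ethernet2`, the addresses and the key value are assumed placeholders. Because the decryption warning quoted earlier in the thread says both units must hold the same shared key, the key is entered on the secondary as well and then checked on both; this is the cautious procedure and is independent of whether the key is also replicated. PIX 6.x uses the older `failover lan key` form instead.

```text
! Added example: assumed PIX 7.x syntax, placeholder interface names,
! addresses and key value.
!
! --- Before (audit finding): LAN-based failover with no shared key.
!     Hellos and config replication on folink are sent in clear text.
failover lan unit primary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
!
! --- After: the same pair with a shared secret.
!     On the primary (active) unit:
failover key S3cretFailoverKey
!     On the secondary unit, so both sides can decrypt each other's messages
!     (mismatched keys produce the "Failover message decryption failure"
!     warning quoted in the thread):
failover lan unit secondary
failover lan interface folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key S3cretFailoverKey
failover
!
! --- Checks, on both units, before closing the audit point:
! show running-config failover   ! expect a "failover key *****" line on each unit
! show failover                  ! expect "This host: Primary - Active" and
!                                ! "Other host: Secondary - Standby Ready" (or the reverse)
! write memory                   ! on the active unit, saves and replicates the config
```

Apply the key during a maintenance window if possible: while the two units briefly disagree on the key, the standby cannot read the active unit's hellos, and `show failover` on the standby will not report "Standby Ready" until both keys match.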

Hi sakishor,

Currently the firewalls are running on LAN-based cable failover; there was no failover key set for the same. Now I have set the same without any downtime...

thanks in advance.
