Re: Failover software license

r-remien · ‎09-22-2002

Since there are not any differences in RAM or interface limits betwen an unrestricted and a failover license, how do you know if you have a failover license running on a Pix?

Thanks,

RJ

r-remien · ‎09-26-2002

Is it that it will not pass traffic without another UR Pix? Can you tell by the activation key?

Thanks,

RJ

steve.barlow · ‎09-26-2002

Do a show version and see licensed features:

pixfirewall# sh ver

Cisco PIX Firewall Version 6.2(1)

Cisco PIX Device Manager Version 2.0(2)

Compiled on Wed 17-Apr-02 21:18 by morlee

pixfirewall up 98 days 2 hours

Hardware: PIX-525, 128 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5

0: ethernet0: address is 0007.0ee6.7cfe, irq 10

1: ethernet1: address is 0007.0ee6.7cff, irq 11

2: ethernet2: address is 00e0.b604.80d9, irq 11

3: ethernet3: address is 00e0.b604.80d8, irq 10

4: ethernet4: address is 00e0.b604.80d7, irq 9

5: ethernet5: address is 00e0.b604.80d6, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 8

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

Serial Number: xxxxxxxxxx

Running Activation Key: xxxx

Configuration last modified by xxxxx

Hope it helps

Steve

r-remien · ‎09-27-2002

This is the same output as my unrestricted firewall. The failover license is enabled.

1. What is the difference in the failover vs unrestricted "sh ver"?

2. Also, will a standalone Pix with a failover license pass traffic? Is there something in the license that looks for another Pix?

Thanks,

RJ

steve.barlow · ‎09-27-2002

1. In a failover model, one of the failover units must have an Unrestricted license (UR - means can have more interfaces than restricted and can have failover), while the other can have a Failover (FO) or UR license. Restricted units cannot be used for failover and two units with FO licenses cannot be used in a single failover pair. The PIX 515, PIX 515E, PIX 525, and PIX 535 can be used for failover if you have the optional Unrestricted license.

In 6.2 to see the license enter show activation-key.

2. Having a standalone PIX with a FO license probably pass traffic, you need a

restricted or UR license. FO can only be used with failover (ie another UR licensed pix). Don't quote me on this but I believe the FO pix, when it becomes active after the primary does down, uses (same way it knows the config of the active pix) the UR license of the UR active pix to enable it to pass traffic.

Steve

steve.barlow · ‎09-27-2002

In number 2 - "Having a standalone PIX with a FO license probably pass traffic, you need a restricted or UR license" - I hope is understood to me no, a standalone needs a restricted or UR license.

Typing issues:)

Steve

r-remien · ‎09-27-2002

OK, I understand your points and they make sense. I guess I am not sure my initial question has been clearly answered. - How can I tell if I have a FO license? 3 possibilities?

1. Sh ver - what identifies it?

2. Serial number? Any part of it identifies it?

3. Purchasing a FO license and knowing it has to be in a redundant pair?

Sorry to belabor this point, I just want to make sure I know what to look for.

Thanks,

RJ