
pix 525 failover

mrembetsy
Level 1

Starting a new project of getting two PIXes into a LAN failover. Been reading all the documentation, but I have one quick question, if anyone can shed some light on the subject. The documentation keeps pointing out that a VLAN on a switch is recommended, no problem. It also keeps pointing out that the hardware has to be the same (it is) and the software on both PIXes.

This is my question: obviously having UR FOS on both PIXes, but what if 1 PIX has a 3DES license and the other doesn't? Is this going to prevent it from potentially failing over correctly? I would assume yes, and a need to purchase an additional 3DES license for the other PIX, correct?

Thanks


scoclayton
Level 7

Failover itself will work fine in the situation you describe above. The only problem you will see is after a failover occurs, you will not be able to use 3DES to encrypt VPN tunnels (or something along these lines) due to the 2nd PIX not having a 3DES license. However, with that said, there really is no reason to *not* have a 3DES license on both PIX's as the license is now free. You can register to receive a new license for the 2nd PIX at the following URL:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/pix.shtml

(Just click on the "*Free* Register for a 3DES/AES IPSec Software Feature Key" link)

Hope this helps.

Scott

bvanniekerk
Level 1

Hi

If you have a UR licence on one, you only need a fail-over licence on the other. Both need not run a UR licence. Or go through the motions of upgrading your image. The hardware and software image, if I am not mistaken, need to be identical.

Hope you get sorted.
