09-06-2005 11:00 AM - edited 02-21-2020 12:22 AM
Upgraded 6.3 to 7.0 on 515E, purchased FO license for another PIX 515E.
For some reason the Primary PIX wants active/active failover. I have not configured any contexts in the config; I assume it is on by default? This won't work with the FO license, from what I have read. No biggie, but how do I change the active/active to active/standby...
I have a working config on the fw and everything else works fine.
The ASDM is about as much junk as the PDM, and it works whenever it desires... thought there may be something in there? I can't find anything in the CLI to change it. Do I have to change it to multiple mode, and then switch it back to single? Is it license related? Doubt it.
I have another FW, FO group setup running 6.3 and had no problems setting it up...
Ideas
09-06-2005 11:34 AM
You are correct, the FO license does not support active/active.
You should look at:
It shows how to configure active/standby on PIX ver 7.0 for both failover and LAN Based failover. (it also shows active/active which you seem to have configured)
Pretty much it looks like for active/standby you don't use failover groups...
I've never used PDM or ASDM.. so no help there.
09-06-2005 11:54 AM
Agreed, been there, but I have not configured any groups. All that was done was to add a standby IP for the interfaces, attach the Cisco FO cable, and enable failover...
This is why I am confused: the FW is set as single mode, and I have tried to force it to single mode, but it states this is the same mode it is using...
The connection on the FO cable for the secondary has "failed". I am assuming this is correct due to the A/A issue?
I suppose I could rebuild the failover, but any ideas on why it is using A/A vs A/S...
09-06-2005 12:13 PM
weird,
so you don't have:
(config)#context
configured anywhere either?
So all you did was add:
(config-if)#ip address active_addr netmask standby standby_addr
I assume you are using stateful failover? You don't have an IP or name configured on the state-link interface, right?
09-06-2005 12:19 PM
NOPE- unrecognizable command: for
(config)#context ?
09-06-2005 02:00 PM
OK, figured it out. First, even my rep didn't realize this...
When I rebooted my FO PIX, I noticed a boot error stating a 3DES mismatch.
"Mate's License (VPN-3DES-AES Enabled) is not compatible with my
license (VPN-3DES-AES Disabled) Failover will be disabled..."
So, I installed a new license for FO w/ 3DES and it took off, and is active/standby as expected. I guess the A/A is default, until it is negotiated...
Learn something every day in this biz...
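The license mismatch that resolved this thread can be caught before pairing by comparing the licensed-feature lists of both units. The following is an added example, not part of the original thread: it assumes `show version` output has been saved as text from each unit and that features appear as `Name : Value` lines; the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample text standing in for saved `show version` output from
# each unit. The "Name : Value" layout is an assumption of this example.
PRIMARY = """\
Licensed features for this platform:
Maximum Physical Interfaces : 6
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
"""
SECONDARY = """\
Licensed features for this platform:
Maximum Physical Interfaces : 6
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
"""

# Feature name, whitespace, colon, whitespace, value.
FEATURE_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 /\-]*?)\s+:\s+(\S.*?)\s*$")

def parse_features(text):
    """Return {feature: value} from the licensed-features block."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.lower().startswith("licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        match = FEATURE_LINE.match(line)
        if not match:
            if features:
                break  # first non-feature line ends the block
            continue
        features[match.group(1)] = match.group(2)
    return features

def license_mismatches(primary_text, secondary_text):
    """Return {feature: (primary_value, secondary_value)} where they differ."""
    a, b = parse_features(primary_text), parse_features(secondary_text)
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b))
            if a.get(name) != b.get(name)}

if __name__ == "__main__":
    for name, (pri, sec) in license_mismatches(PRIMARY, SECONDARY).items():
        print(f"MISMATCH {name}: primary={pri} secondary={sec}")
```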