Pix 7.0 failover issue

bklawson
Level 1

Upgraded 6.3 to 7.0 on 515E, purchased FO license for another PIX 515E.

For some reason the Primary PIX wants active/active failover. I have not configured any contexts in the config; I assume it is on by default? This won't work with the FO license, from what I have read. No biggie, but how do I change the active/active to active/standby...

I have a working config on the fw and everything else works fine.

The ASDM is about as much junk as the PDM, and it works whenever it desires... thought there may be something in there? I can't find anything in the CLI to change it. Do I have to change it to multiple mode, and then switch it back to single? Is it license related? I doubt it.

I have another FW, FO group setup running 6.3 and had no problems setting it up...

Ideas

5 Replies

Steven Bourque
Level 1

You are correct, the FO license does not support active/active.

You should look at:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008045247e.html#wp1058096

It shows how to configure active/standby on PIX ver 7.0 for both failover and LAN Based failover. (it also shows active/active which you seem to have configured)

Pretty much it looks like for active/standby you don't use failover groups...

I've never used PDM or ASDM... so no help there.

Agreed, been there, but I have not configured any groups. All that was done was add a standby IP for the interfaces, attach the Cisco FO cable, and enable failover...

This is why I am confused. The FW is set as single mode; I have tried to force it to single mode, but it states this is the same mode it is already using...

The connection on the FO cable for the secondary has "failed". I am assuming this is correct due to the A/A issue?

I suppose I could rebuild the failover, but any ideas on why it is using A/A vs A/S...

Weird,

so you don't have:

(config)#context

configured anywhere either?

So all you did was add:

(config-if)#ip address active_addr netmask standby standby_addr

I assume you are using stateful failover? You don't have an IP or name configured on the state-link interface, right?

NOPE, "unrecognizable command" for:

(config)#context ?

OK, figured it out. First, even my rep didn't realize this...

When I rebooted my FO pix, I noticed a boot error stating a 3DES mismatch:

"Mate's License (VPN-3DES-AES Enabled) is not compatible with my license (VPN-3DES-AES Disabled) Failover will be disabled..."

So, I installed a new license for FO w/ 3DES and it took off, and is active/standby as expected. I guess the A/A is default, until it is negotiated...

Learn something every day in this biz...
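For reference, here is what a minimal PIX 7.0 single-context active/standby failover configuration looks like on the primary 515E with the serial failover cable plus a dedicated stateful link, together with the two show commands that confirm the negotiated role and the license features on each peer. This is an added example, not configuration from the thread; hostname, interface names and all addresses are assumed.

```cisco
! Added example (not from the original posts). PIX 7.0, single context,
! cable-based active/standby failover on the primary unit. Interface names
! and IP addresses are assumed placeholders.
hostname pix-primary
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Dedicated stateful link: no nameif and no ip address on the interface
! itself; it is addressed by the "failover interface ip" command below.
interface Ethernet2
 description stateful failover link
 no shutdown
!
! No "failover group" commands here: failover groups only exist in
! multiple-context active/active failover, which the FO license does not
! support. With a single context and no groups, the pair negotiates A/S.
failover
failover link stateful Ethernet2
failover interface ip stateful 10.1.1.1 255.255.255.252 standby 10.1.1.2
!
! Verification, run on the primary after the secondary has booted:
!   show failover
!     expect "Failover On", "This host: Primary - Active" and
!     "Other host: Secondary - Standby Ready"; a secondary shown as
!     "Failed" right after boot is what a license mismatch produces.
!   show version
!     compare the licensed-feature lines (e.g. VPN-3DES-AES) on both
!     units; they must match or failover is disabled at boot.
```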
