07-06-2004 11:55 PM - edited 02-20-2020 11:29 PM
We have two pix515 in failover configuration and found that we can only access, via ssh, the "active" pix, and not the one in standby.
Is that normal?
Thanks
07-07-2004 03:34 AM
You can access the standby via ssh, to do that you need to target the failover ip address. If you tried that already, you may need to regen the rsa key on the other unit - the keys are not shared between the two.
Let me know if you need more help.
07-07-2004 05:05 AM
I tried to access it via the failover IP but couldn't.
How can I regenerate the key?
thanks
07-07-2004 06:45 AM
I was under the impression that you cannot access the "standby" pix in any manner other than console b/c it is in a failover scenario. Making a change on the standby would corrupt the failover. It seems that the only reason you would want to access the standby would be to upgrade the code. In this case, there are established procedures for turning off one, and then the other, etc.
07-07-2004 07:27 AM
Why shouldn't I connect to the standby pix in a failover scenario?
I wouldn't make any configuration change on it, but I think I should have the possibility to connect to it (i.e. for diagnostics).
07-07-2004 09:01 AM
To regen an rsa key use this command:
ca generate rsa key followed by ca save all to save it
In addition insure that you replicate the config from the active to the standby as the config tells the pix where the ssh session can come from (interface and ip address).
From the pix 6.3 command ref:
The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs: one public RSA key and one private RSA key.
ca generate rsa key modulus
Syntax Description
ca generate rsa key
Generates an RSA key for the PIX Firewall.
modulus
Defines the modulus used to generate the RSA key. This is a size measured in bits. You can specify a modulus of 512, 768, 1024, or 2048.
--------------------------------------------------------------------------------
Note Before issuing this command, make sure your PIX Firewall host name and domain name have been configured (using the hostname and domain-name commands). If a domain name is not configured, the PIX Firewall uses a default domain of ciscopix.com.
--------------------------------------------------------------------------------
Defaults
RSA key modulus default (during PDM setup) is 768. The default domain is ciscopix.com.
Command Modes
Configuration mode.
Usage Guidelines
If your PIX Firewall already has RSA keys when you issue this command, you are warned and prompted to replace the existing keys with new keys.
--------------------------------------------------------------------------------
Note The larger the key modulus size you specify, the longer it takes to generate an RSA key. We recommend a default value of 768.
--------------------------------------------------------------------------------
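The procedure in the reply above, written out as an added example (not part of the original post or of the Cisco command reference). It assumes PIX 6.3 syntax, a standby unit that has no usable key yet, and constructed addresses: inside interface 192.168.1.1 on the active unit, failover address 192.168.1.2 for the standby, and a management host on 192.168.1.0/24. The hostname and domain name are assumed values too; the key is generated on the standby's own console because the reply states the keys are not shared between the units.

```text
! --- On the STANDBY unit, via its console port (RSA keys are per-unit) ---
pix-standby> enable
pix-standby# configure terminal
! hostname and domain-name must exist before ca generate rsa (see Note above)
pix-standby(config)# hostname pix-standby
pix-standby(config)# domain-name example.com
! 1024 is chosen here instead of the documented default of 768
pix-standby(config)# ca generate rsa key 1024
pix-standby(config)# ca save all
! Check the key actually exists and survived the save
pix-standby(config)# show ca mypubkey rsa

! --- On the ACTIVE unit (the configuration is replicated from here) ---
pix-active(config)# failover ip address inside 192.168.1.2
! Permit SSH from the management subnet on the inside interface
pix-active(config)# ssh 192.168.1.0 255.255.255.0 inside
pix-active(config)# ssh timeout 30
pix-active(config)# write memory
! Push the running configuration to the standby so it has the same ssh line
pix-active(config)# write standby
pix-active(config)# show failover

! --- From the management host ---
! Active unit answers on its own inside address, standby on the failover address.
! After a failover the two units swap addresses, so 192.168.1.2 then reaches
! the former active unit.
$ ssh pix@192.168.1.1
$ ssh pix@192.168.1.2
```

If the SSH session to 192.168.1.2 still fails after this, the two things to check are the ones listed in the replies: `show ca mypubkey rsa` on the standby must show a key (and `ca save all` must have been run, or it is lost on reload), and `show route` on the standby must show a path back to the management host.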
07-07-2004 07:25 AM
No, it's not normal.
Make sure the following conditions are met:
Your secondary pix has a route back to you.
It has a valid RSA key (most common problem) and make sure it's permanently saved.
Hope this helps!
07-07-2004 07:27 AM
A side note:
When the primary fails, the 2 units will swap their IP addresses around. If you try to SSH to the secondary, you will actually land on the primary because of that.