PIX Failover

ccoutts
Level 1

Hi,

Can someone help with what the correct steps are for replacing a primary PIX firewall unit? Here are the steps I followed, but it did not quite go to plan:

Replacement of PIX Primary Unit:

1. I forced the standby to become active by issuing the "failover active" command on the standby firewall, before commencing work.

2. We installed the replacement unit, powered it up (of course at this stage it did not have any configuration).

3. Keeping the primary unit turned on, I then connected the failover serial cable and expected the config to be copied from the current active unit (standby unit) to the primary unit. However, this did not happen, and I needed to issue the "write standby" command on the secondary (active unit) in order for the config sync to commence. Unfortunately, at this stage, the primary assumed the active state, which is not what I wanted to happen.

Can someone let me know what the correct way of doing this would be, to ensure the secondary unit would remain active, and simply replicate config to the primary unit, without the primary unit becoming active at any stage?

Thanks,

Charles

1 Reply

fedrodri
Level 1

Hi, Charles

The problem is at step number 2. Once you have the replacement unit installed, keep it powered off. Then connect all the cables, including the failover serial cable and then power the primary (replacement) unit up. The configuration replication occurs only upon one of the following three events:

1. When the standby unit (in your case the Primary unit) completes the boot up process.

2. As commands are entered on the active unit.

3. When the 'write standby' command is entered.

-- How failover works (Replicate the PIX Configuration):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml#replicating

That should keep the config sync'ed and the Secondary should still be the active unit.

Hope that helps!

Best regards,

Federico Rodriguez
