Secondary Standby PIX management

deckland
Level 1

Hi guys,

Two PIX 525 in failover topology. On every PIX, the first iface is used for VLAN logical interfaces (different security levels, etc.) and the second Ethernet is for the failover/state link. Everything works fine, and the problem is not related to the failover functions at all.

The second (standby) PIX gets the configuration from the primary one (note it's LAN-based failover), so if the primary outside iface is 100.100.100.1, the secondary PIX gets 100.100.100.2 as its outside address. As I'd like to be able to ssh/telnet to manage the secondary PIX (when it's still standby), I noticed ssh/telnet/ping doesn't work to/from 100.100.100.2. As opposed to this, I don't have problems pinging/telneting to the secondary PIX failover IP address.

During debugs on the switch and secondary PIX, I'm able to see the ARP requests from the switch coming in to the secondary PIX; I see the PIX is sending out the ARP replies, but don't see them getting in to the switch. As I'm trying to reach the outside IP address, it's a logical VLAN interface, and trunking is OK (proved when I force failover and the secondary PIX gets the primary PIX IP address for outside). So guys, anyone with inside-the-PIX ideas for how the things should be running? After all, aren't the two PIXes supposed to send hellos on all interfaces (or are those hellos not layer 3 IP packets)? Anyway, I definitely think the switch and the secondary PIX should see each other's MAC addresses, right?

10x for your help!

2 Replies

ehirsel
Level 6

You mentioned that you are able to ping and telnet the secondary failover ip address.

At the primary pix do the following:

show failover

show telnet

show ssh

show route

Do the same on the secondary pix and note if there are any differences. If so, post them here.

With regards to ssh: Each PIX needs to have its own key that does not depend upon failover, as this RSA key is stored in NVRAM. So you need to run these commands on each PIX:

1. ca generate rsa key mod-size, where mod-size can range from 768 to a number higher than 1024 (I think it is 2048). Use 1024 as a good security practice.

2. ca save all

Note that you must configure a domain name as well as a hostname before you run the ca generate command.
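
The comparison step in the reply above ("do the same on the secondary pix and note if there are any differences") is easy to get wrong by eye, because some lines of `show failover` are supposed to differ between the two units (each one reports itself as "This host"). The script below is an added example for this thread, not code from the original posters or from Cisco: it takes the captured output of the four commands from both units, drops the role-swapped lines, and reports only real configuration drift. The captures embedded in it are constructed samples with hypothetical addresses, not output from the poster's PIX 525s; in the sample the secondary is missing the outside `ssh` entry, which is exactly the kind of difference that would explain management working on one unit and not the other.

```python
"""Compare the management-related 'show' output of a PIX failover pair.

Added example for this thread, not code from the original post or from
Cisco. It assumes the operator has already captured the output of the four
commands listed in the reply (show failover / show telnet / show ssh /
show route) on both units; the captures below are constructed samples.
"""
import difflib
import re
from typing import Dict, List

# Lines that legitimately differ between the two units of a pair: in
# 'show failover' each unit reports itself as "This host" and its peer as
# "Other host", so those lines swap roles and must not count as drift.
ROLE_LINE = re.compile(r"^\s*(This|Other) host:")

# Constructed sample captures (hypothetical addresses and networks).
PRIMARY_SHOW: Dict[str, str] = {
    "show failover": (
        "Failover On\n"
        "Cable status: N/A - LAN-based failover enabled\n"
        "This host: Primary - Active\n"
        "Other host: Secondary - Standby\n"
    ),
    "show telnet": "192.168.10.0 255.255.255.0 inside\n",
    "show ssh": (
        "192.168.10.0 255.255.255.0 inside\n"
        "100.100.100.0 255.255.255.0 outside\n"
        "Timeout: 5 minutes\n"
    ),
    "show route": "outside 0.0.0.0 0.0.0.0 100.100.100.254 1 OTHER static\n",
}
SECONDARY_SHOW: Dict[str, str] = {
    "show failover": (
        "Failover On\n"
        "Cable status: N/A - LAN-based failover enabled\n"
        "This host: Secondary - Standby\n"
        "Other host: Primary - Active\n"
    ),
    "show telnet": "192.168.10.0 255.255.255.0 inside\n",
    # The outside ssh entry is missing here: that is the drift to catch.
    "show ssh": (
        "192.168.10.0 255.255.255.0 inside\n"
        "Timeout: 5 minutes\n"
    ),
    "show route": "outside 0.0.0.0 0.0.0.0 100.100.100.254 1 OTHER static\n",
}


def normalise(output: str) -> List[str]:
    """Split a capture into lines, dropping blank lines and role-swapped lines."""
    return [
        line.rstrip()
        for line in output.splitlines()
        if line.strip() and not ROLE_LINE.match(line)
    ]


def compare_show_outputs(primary: Dict[str, str],
                         secondary: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per command, the unified-diff lines where the units disagree.

    Commands whose normalised output is identical are omitted, so an empty
    dict means the pair is consistent for the commands captured.
    """
    drift: Dict[str, List[str]] = {}
    for command in sorted(set(primary) | set(secondary)):
        left = normalise(primary.get(command, ""))
        right = normalise(secondary.get(command, ""))
        diff = list(difflib.unified_diff(left, right,
                                         fromfile="primary", tofile="secondary",
                                         lineterm="", n=0))
        if diff:
            drift[command] = diff
    return drift


def main() -> None:
    drift = compare_show_outputs(PRIMARY_SHOW, SECONDARY_SHOW)
    if not drift:
        print("no differences between the two units")
    for command, lines in drift.items():
        print(f"== {command} differs ==")
        print("\n".join(lines))


if __name__ == "__main__":
    main()
```

Run as-is it reports only `show ssh`, with the outside entry shown as present on the primary and absent on the secondary; `show failover` is silent because the only differing lines are the role lines. To use it on a real pair, paste each unit's output into the two dictionaries (or load them from saved terminal logs) and keep the role filter, otherwise every comparison of `show failover` will look like drift.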

10x for your suggestions.

Turned out to be a buggy HSRP problem on the switches connecting the PIXes. You're right anyway: need the ca generate rsa key command for ssh access, though the domain and hostname can be received from the primary PIX.
