11-10-2010 07:16 AM - edited 02-21-2020 04:58 PM
Hi,
Got a pair of PIX 525s on version 6.3(4) running in active/failover mode. I have recently configured VPNs authenticated by certificates, which involved the use of SCEP in order to get the certificate on to the PIX. The certificates were imported to the PIX from a Windows CA server with SCEP add-in using the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .
All of this is working fine, the configuration was saved, the certificates were saved using 'ca save all', everything is working fine except that the certificates that were imported have not been replicated to the failover PIX - the command 'show ca certificate' does not show any certs.
The private keys shown by 'sh ca mypubkey rsa' are the same on both devices.
I'm not able to find any documentation regarding how the certificates should be replicated to the failover PIX, and it is not possible to enroll the certificates again on the failover PIX using the commands they have initially been imported by:
pix-fw# conf t
**** WARNING ***
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
pix-fw(config)# ca auth ca
**** WARNING ***
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
Has anyone else experienced a similar issue, or does anyone know how to get the failover PIX the new CA certificates?
Regards,
Sarunas
11-16-2010 01:42 AM
Hi Sarunas
Pix 6 indeed does not sync the keys and certificate automatically.
However you should be able to accomplish this by first forcing a failover (i.e. making the secondary active), then enrolling the (now active) secondary with the CA.
hth
Herbert
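The procedure Herbert describes, written out as a PIX 6.3 CLI walk-through. This is an added illustration, not part of the thread or Cisco's documentation. It assumes the CA identity name is "ca" (as used in the question), that the 'ca identity' / 'ca configure' lines already replicated from the primary as part of the normal configuration sync, and that <challenge-password> is a placeholder for the SCEP challenge password issued by the Windows CA.

```text
! Added example (not from the thread): enrolling the standby PIX 6.3 after a forced failover.
! Assumptions: CA identity name "ca"; <challenge-password> is a placeholder.

! --- Before: on the SECONDARY (standby) unit, certificates are missing but the RSA key is present ---
pix-fw# show ca certificate
! (empty on the standby)
pix-fw# show ca mypubkey rsa
! (same key as on the primary - the key replicated, the certificates did not)

! --- Step 1: make the secondary active. Run this on the SECONDARY ---
! (alternatively run "no failover active" on the primary)
pix-fw# failover active
pix-fw# show failover
! confirm this unit now reports Active before continuing; config mode on a
! standby unit only prints the "Configuration Replication is NOT performed" warning

! --- Step 2: enroll the now-active secondary with the CA over SCEP ---
pix-fw# configure terminal
pix-fw(config)# ca authenticate ca
! fetches the CA certificate; verify the fingerprint it prints against the
! fingerprint obtained from the CA administrator before trusting it
pix-fw(config)# ca enroll ca <challenge-password>
pix-fw(config)# exit
pix-fw# show ca certificate
! both the CA certificate and this unit's own certificate should now be listed

! --- Step 3: persist keys and certificates to flash on the secondary ---
pix-fw# ca save all
pix-fw# write memory

! --- Step 4: hand the active role back. Run this on the PRIMARY ---
pix-fw# failover active
pix-fw# show failover

! --- Final check: run on BOTH units; each must list its certificates ---
pix-fw# show ca certificate
```

Because each unit enrolls for its own certificate, the two PIXes end up with different identity certificates issued by the same CA; the peer VPN configuration only needs to trust that CA, not a specific certificate, so a failover does not require any change on the remote side. If 'show ca certificate' on the secondary is still empty after 'ca enroll', the request is usually pending approval on the Windows CA rather than lost.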
11-22-2010 01:23 AM
Hi Herbert,
I have successfully enrolled the certificates on the secondary PIX after I triggered a manual failover.
Thanks for your help!
Sarunas