08-30-2009 06:15 PM
I am looking for a step-by-step procedure to replace the Secondary PIX.
We have a Primary PIX 515E with UR (unrestricted license) and a Secondary PIX 515E with FO (Failover License), both running code 6.3(1) with Serial Cable Failover.
The FO unit failed.
I placed and received an RMA unit with FO license. It came with version 6.3(5) and I wanted to downgrade this spare unit to 6.3(1) before I went and connected it to the Production Primary Unit, because both units have to run the same code.
So I set up the spare PIX on the bench with my laptop.
I had a hell of a lot of trouble getting IP connectivity between my laptop Ethernet port and the spare PIX 515E inside interface until someone helped me out.
I was asked to do a show failover and found that the unit is in standby.
Then I did failover followed by failover standby.
Then when I did show failover, it said active.
Then I could get IP connectivity and TFTP 6.3(1) code into this unit.
Now I want to connect the above spare to the production Primary PIX.
I presume I should be able to do this without having to shut the primary unit as explained in this link:
http://www.cisco.com/en/US/docs/security/pix/pix63/hw/installation/guide/515.html#wp1048874
It sounds crazy to me that the above link asks to turn OFF both PIX.
So, I plan to connect the spare to the production PIX (without turning OFF the production PIX) and I hope that the config from the Primary will AUTOMATICALLY sync to this spare unit.
OR
Do I have to do a command such as write standby?
Are all these procedures documented clearly at any URL?
08-31-2009 07:16 PM
FO unit cannot operate in standalone mode. That's the reason you had issues getting IP connectivity.
The link you referred to is for initial failover setup. To bring up the secondary, you don't need to power off the Primary. Make sure the serial cable (secondary end) is connected properly. However, I would recommend a backup config from the Primary PIX before connecting the secondary, just in case.
08-31-2009 07:21 PM
Srini,
Thanks.
We attached the FO unit to the working Primary unit and all went well including config sync.
Initially the Primary said OS mismatch although both were at 6.3(1) but then it all went well.
Do I now need to do any
write mem on FO unit
or
write standby on Primary unit
to store config in NVRAM of FO unit?
08-31-2009 07:43 PM
Yes, you should "write standby" in primary, to save the config in secondary's NVRAM.
Or "write mem" in primary would do the same as well.
08-31-2009 08:01 PM
Srini,
Thanks
I will do
write standby on Primary
Can you point me to a link that explains a step-by-step procedure for replacing an FO unit or for replacing a unit that had an unrestricted license and has failed?
09-01-2009 01:02 PM
I don't find a link that has a specific procedure. Usually replacing the FO unit is as simple as connecting to the failover cable. In case the primary failed, the secondary remains Active until another manual failover happens again. Effectively, the new unit after replacement will come up as standby. However, if you are using LAN-based failover, there is a little configuration needed in the secondary unit before establishing failover sync with the primary. That config should be the same as bringing up a new failover pair.
You might have seen this link, just attaching in case.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml
The procedure should not be any different if the unit that failed had an unrestricted license. In case the new unit misses out on an individual feature license, you will have to reach the licensing team.