Solved

PIX 515e license - failover setup problem

Posted on 2006-10-31
Last Modified: 2007-12-19
Hi,
Is there a way to enable the DES license on a PIX 515e without disabling existing licenses?

We have two PIX 515e units: one is UR, the other is failover. When I tried to set up the failover PIX I noticed the following message on the active PIX:

"Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled."

Then I did show ver on both pixes:

------------------------------------

Active PIX:

Cisco PIX Security Appliance Software Version 7.0(2)
Device Manager Version 5.0(2)
Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/pix702.bin"
Config file at boot was "startup-config"

Pix515E up 19 hours 1 min

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.46c6.cb42, irq 10
 1: Ext: Ethernet1           : address is 0016.46c6.cb43, irq 11
 2: Ext: Ethernet2           : address is 0005.5d18.2cf2, irq 11
 3: Ext: Ethernet3           : address is 0005.5d18.2ac5, irq 10
 4: Ext: Ethernet4           : address is 0005.5d18.267c, irq 9
 5: Ext: Ethernet5           : address is 0005.5d18.28ff, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6    
Maximum VLANs               : 25      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Disabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited  

This platform has an Unrestricted (UR) license.

-----------------------------------------------------------

Standby PIX:

Cisco PIX Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"

pixfirewall up 23 mins 50 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.c8d1.83b1, irq 10
 1: Ext: Ethernet1           : address is 0016.c8d1.83b2, irq 11
 2: Ext: Ethernet2           : address is 000d.8811.7eec, irq 11
 3: Ext: Ethernet3           : address is 000d.8811.7eed, irq 10
 4: Ext: Ethernet4           : address is 000d.8811.7eee, irq 9
 5: Ext: Ethernet5           : address is 000d.8811.7eef, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

-------------------

I received an activation key from Cisco, but based on the licenses they listed in the e-mail I was not sure it would be a smart idea to activate this key, since it could possibly disable some of the existing licenses. These licenses were listed in the message I got from Cisco:

Failover                    : Enabled  
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
FO                          : Disabled  
FO-AA                       : Disabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  

Is there a way to enable the DES license or make the PIXes work in active/standby failover mode without changing licenses for the active PIX?

Thanks

P.S. I noticed that the OS versions are not 100% the same: 7.0(2) and 7.0(4). Is this an issue for an active/standby layout?
Question by:milan_novkovic
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17847058
Active and failover absolutely must have the same version, 100%.
The only way to change the enabled/disabled is by activating the new key. By all means, go ahead and load the key that Cisco sent you.

Author Comment

by:milan_novkovic
ID: 17849026
I managed to activate the licence key, which had DES and 3DES/AES licences, and that solved the issue of the DES licence being disabled.

Btw, failover is working correctly even though the PIX OS versions are 7.0(2) and 7.0(4). I tried switching off and on first the main PIX, then the failover one, and everything worked OK. I guess the 7.0(2) and 7.0(4) versions are not different enough to prevent failover from working.
LVL 79

Expert Comment

by:lrmoore
ID: 17849086
I still highly advise getting the same version on both.