Solved

PIX 515e license - failover setup problem

Posted on 2006-10-31
Last Modified: 2007-12-19
Hi,
Is there a way to enable DES license on PIX 515e without disabling existing licenses?

We have two PIX 515e units: one UR, the other failover. When I tried to set up the failover PIX I noticed the following message on the active PIX:

"Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled."

Then I did show ver on both pixes:

------------------------------------

Active PIX:

Cisco PIX Security Appliance Software Version 7.0(2)
Device Manager Version 5.0(2)
Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/pix702.bin"
Config file at boot was "startup-config"

Pix515E up 19 hours 1 min

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.46c6.cb42, irq 10
 1: Ext: Ethernet1           : address is 0016.46c6.cb43, irq 11
 2: Ext: Ethernet2           : address is 0005.5d18.2cf2, irq 11
 3: Ext: Ethernet3           : address is 0005.5d18.2ac5, irq 10
 4: Ext: Ethernet4           : address is 0005.5d18.267c, irq 9
 5: Ext: Ethernet5           : address is 0005.5d18.28ff, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6    
Maximum VLANs               : 25      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Disabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited  

This platform has an Unrestricted (UR) license.

-----------------------------------------------------------

Standby PIX:

Cisco PIX Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"

pixfirewall up 23 mins 50 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.c8d1.83b1, irq 10
 1: Ext: Ethernet1           : address is 0016.c8d1.83b2, irq 11
 2: Ext: Ethernet2           : address is 000d.8811.7eec, irq 11
 3: Ext: Ethernet3           : address is 000d.8811.7eed, irq 10
 4: Ext: Ethernet4           : address is 000d.8811.7eee, irq 9
 5: Ext: Ethernet5           : address is 000d.8811.7eef, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

-------------------

I received an activation key from Cisco, but based on the licenses they listed in the e-mail I was not sure it would be a smart idea to activate this key, since it could possibly disable some of the existing licenses. These licenses were listed in the message I got from Cisco:

Failover                    : Enabled  
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
FO                          : Disabled  
FO-AA                       : Disabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  

Is there a way to enable the DES license or make the PIXes work in active/standby failover mode without changing licenses for the active PIX?

Thanks

P.S. I noticed that the OS versions are not 100% the same: 7.0(2) and 7.0(4). Is this an issue for an active/standby layout?
Question by:milan_novkovic
Accepted Solution

by: lrmoore
ID: 17847058
Active and failover absolutely must have the same version, 100%.
The only way to change the enabled/disabled is by activating the new key. By all means, go ahead and load the key that Cisco sent you.
Author Comment

by:milan_novkovic
ID: 17849026
I managed to activate the licence key, which had DES and 3DES/AES licences, and that solved the issue of the DES licence being disabled.

Btw, failover is working correctly even though the PIX OS versions are 7.0(2) and 7.0(4). I tried switching off and on first the main PIX, then the failover one, and everything worked OK. I guess the 7.0(2) and 7.0(4) versions are not different enough to prevent failover from working.
Expert Comment

by:lrmoore
ID: 17849086
I still highly advise getting the same version on both.
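
A pre-failover check for the two mismatches discussed in this thread (software version and licensed features), added here as an example and not part of the original posts. It assumes each unit's `show version` output has been saved as text; the sample strings are constructed by trimming the outputs quoted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample input: trimmed copies of the two `show ver` outputs in the question.
ACTIVE = """\
Cisco PIX Security Appliance Software Version 7.0(2)
Licensed features for this platform:
Maximum Physical Interfaces : 6
Failover                    : Active/Active
VPN-DES                     : Disabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
This platform has an Unrestricted (UR) license.
"""
STANDBY = """\
Cisco PIX Security Appliance Software Version 7.0(4)
Licensed features for this platform:
Maximum Physical Interfaces : 6
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
This platform has a Failover Only-Active/Standby (FO) license.
"""

def parse_show_version(text):
    """Return (software_version, {feature: value}) from `show version` text."""
    m = re.search(r"Software Version\s+(\S+)", text)
    version = m.group(1) if m else None
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True            # feature table starts on the next line
        elif in_block and line.startswith("This platform has"):
            break                      # license-type summary ends the table
        elif in_block and ":" in line:
            name, value = line.split(":", 1)
            features[name.strip()] = value.strip()
    return version, features

def compare_pair(active_text, standby_text):
    """List every difference to review before enabling failover on the pair."""
    a_ver, a_feat = parse_show_version(active_text)
    s_ver, s_feat = parse_show_version(standby_text)
    findings = []
    if a_ver != s_ver:
        findings.append(("Software Version", a_ver, s_ver))
    for name in sorted(set(a_feat) | set(s_feat)):
        if a_feat.get(name) != s_feat.get(name):
            findings.append((name, a_feat.get(name), s_feat.get(name)))
    return findings

if __name__ == "__main__":
    for name, active, standby in compare_pair(ACTIVE, STANDBY):
        print(f"{name:28}: active={active!r} standby={standby!r}")
```

The script reports every differing row rather than deciding which ones block failover; in this thread the VPN-DES row is the one named in the "Failover will be disabled" message.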