Solved

PIX 515e license - failover setup problem

Posted on 2006-10-31
Last Modified: 2007-12-19
Hi,
Is there a way to enable the DES license on a PIX 515e without disabling existing licenses?

We have two PIX 515e units: one is UR, the other is failover. When I tried to set up the failover PIX I noticed the following message on the active PIX:

"Mate's license (VPN-DES Enabled) is not compatible with my license (VPN-DES Disabled). Failover will be disabled."

Then I did show ver on both pixes:

------------------------------------

Active PIX:

Cisco PIX Security Appliance Software Version 7.0(2)
Device Manager Version 5.0(2)
Compiled on Fri 15-Jul-05 22:55 by builders
System image file is "flash:/pix702.bin"
Config file at boot was "startup-config"

Pix515E up 19 hours 1 min

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.46c6.cb42, irq 10
 1: Ext: Ethernet1           : address is 0016.46c6.cb43, irq 11
 2: Ext: Ethernet2           : address is 0005.5d18.2cf2, irq 11
 3: Ext: Ethernet3           : address is 0005.5d18.2ac5, irq 10
 4: Ext: Ethernet4           : address is 0005.5d18.267c, irq 9
 5: Ext: Ethernet5           : address is 0005.5d18.28ff, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6    
Maximum VLANs               : 25      
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Disabled  
VPN-3DES-AES                : Enabled  
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited  

This platform has an Unrestricted (UR) license.

-----------------------------------------------------------

Standby PIX:

Cisco PIX Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image"
Config file at boot was "startup-config"

pixfirewall up 23 mins 50 secs

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
 0: Ext: Ethernet0           : address is 0016.c8d1.83b1, irq 10
 1: Ext: Ethernet1           : address is 0016.c8d1.83b2, irq 11
 2: Ext: Ethernet2           : address is 000d.8811.7eec, irq 11
 3: Ext: Ethernet3           : address is 000d.8811.7eed, irq 10
 4: Ext: Ethernet4           : address is 000d.8811.7eee, irq 9
 5: Ext: Ethernet5           : address is 000d.8811.7eef, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has a Failover Only-Active/Standby (FO) license.

-------------------

I received an activation key from Cisco, but based on the licenses they listed in the e-mail I was not sure it would be a smart idea to activate this key, since it could possibly disable some of the existing licenses. These licenses were listed in the message I got from Cisco:

Failover                    : Enabled  
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
FO                          : Disabled  
FO-AA                       : Disabled  
Security Contexts           : 2        
GTP/GPRS                    : Disabled  

Is there a way to enable the DES license or make the PIXes work in active/standby failover mode without changing licenses for the active PIX?

Thanks

P.S. I noticed that the OS versions are not 100% the same: 7.0(2) and 7.0(4). Is this an issue for an active/standby layout?
Question by:milan_novkovic
Accepted Solution

by:
lrmoore earned 500 total points
Active and failover absolutely must have the same version 100%.
The only way to change the enabled/disabled is by activating the new key. By all means, go ahead and load the key that Cisco sent you.
Author Comment

by:milan_novkovic
I managed to activate the licence key which had DES and 3DES/AES licences, which solved the issue of the DES licence being disabled.

Btw, failover is working correctly though the PIX OS versions are 7.0(2) and 7.0(4). I tried switching off and on first the main PIX, then the failover one, and everything worked OK. Guess the 7.0(2) and 7.0(4) versions are not different enough to prevent failover from working.
 
LVL 79

Expert Comment

by:lrmoore
I still highly advise getting the same version on both.