Solved

Replacing a redundant PIX - what do I need to be careful of?

Posted on 2009-04-06
Last Modified: 2012-05-06
We have two Pix 515e's in a failover configuration. One of these 515s is giving us problems, so we're going to replace it tonight. Now here's my question:

Do I need to configure this pix to match the existing pix? Or will it pull down the same settings as the primary pix if we connect it as a "failover"? I hope I am being clear with my question. We have two pix's mirrored. One is primary, one is failover. One of them died, so we are replacing it.

Anything I need to watch out for?
Question by:dissolved
5 Comments
 
LVL 5

Assisted Solution

by:andrewis
andrewis earned 100 total points
ID: 24081837
All you need to do is configure failover and enable it. Once installed, the configuration will be replicated to the box.


 

Author Comment

by:dissolved
ID: 24082884
How do I configure failover? I've never done this before. Also, the damn license I have isn't a failover license (found out too late). I emailed Cisco about this. How is a new license installed? Is it tied to my serial number?
 
LVL 57

Accepted Solution

by: Pete Long
Pete Long earned 400 total points
ID: 24085377
>>I have isn't a failover license
If you have an unrestricted licence you can still deploy in failover mode - the only limitation is, a firewall with a failover licence can only be deployed as a failover firewall (or it reboots every 24 hours).

PIX / ASA Failover

1. Backup running config on the primary firewall.
RSFWALL1# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd
8549 bytes copied in 3.670 secs (2849 bytes/sec)
RSFWALL1#
2. Blow away the config on the interface you are going to use for failover.
RSFWALL1(config)# clear configure interface m0/0
RSFWALL1(config)# int m0/0
RSFWALL1(config-if)# no shut
RSFWALL1(config)#
3. Change the interface IP addresses (to add the standby addresses for each interface).
RSFWALL1(config)# interface Ethernet0/0
RSFWALL1(config-if)#  speed 100
RSFWALL1(config-if)#  duplex full
RSFWALL1(config-if)#  nameif Outside
RSFWALL1(config-if)#  security-level 0
RSFWALL1(config-if)#  ip address 1.254.170.225 255.255.255.0 standby 1.254.1$
RSFWALL1(config-if)# interface Ethernet0/1
RSFWALL1(config-if)#  speed 100
RSFWALL1(config-if)#  duplex full
RSFWALL1(config-if)#  nameif DMZ1
RSFWALL1(config-if)#  security-level 50
RSFWALL1(config-if)#  ip address 172.31.5.1 255.255.255.0 standby 172.31.5.254
RSFWALL1(config-if)# interface Ethernet0/2
RSFWALL1(config-if)#  speed 100
RSFWALL1(config-if)#  duplex full
RSFWALL1(config-if)#  nameif DMZ2
RSFWALL1(config-if)#  security-level 55
RSFWALL1(config-if)#  ip address 172.31.4.1 255.255.255.0 standby 172.31.4.254
RSFWALL1(config-if)# interface Ethernet0/3
RSFWALL1(config-if)#  speed 100
RSFWALL1(config-if)#  duplex full
RSFWALL1(config-if)#  nameif Inside
RSFWALL1(config-if)#  security-level 100
RSFWALL1(config-if)#  ip address 172.31.3.3 255.255.255.0 standby 172.31.3.254
4. Set up the failover LAN interface (In config mode!).
RSFWALL1(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
RSFWALL1(config)#

5. Set up the failover link IP address.
RSFWALL1(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
RSFWALL1(config)#
6. Set up a shared key.
RSFWALL1(config)#
RSFWALL1(config)# failover lan key 666999
RSFWALL1(config)#
7. Set it as the primary unit.
RSFWALL1(config)#
RSFWALL1(config)# failover lan unit primary
RSFWALL1(config)#
8. Turn on failover.
RSFWALL1(config)# failover
RSFWALL1(config)#
9. Save the config.
RSFWALL1(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
RSFWALL1(config)#
10. Go to the second PIX!!
11. Enter enable mode.
ciscoasa> en
Password:
ciscoasa#
12. Open the failover link and do a no shut.
Ciscoasa# conf t
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#

13. Turn on the LAN interface for failover.
ciscoasa(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#
14. Give it an IP address.
ciscoasa(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
15. Give it the same key you used above.
Ciscoasa(config)#
ciscoasa(config)# failover lan key 666999
ciscoasa(config)#
16. Set it as the secondary (standby unit).
Ciscoasa(config)# failover lan unit secondary
17. Turn on failover.
Ciscoasa(config)#
ciscoasa(config)# failover
You should see:
Detected an Active mate
Beginning configuration replication from mate.

18. On the secondary firewall, show failover.
RSFWALL1(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface Outside (1.254.170.254): Link Down (Waiting)
                  Interface DMZ1 (172.31.5.254): Link Down (Waiting)
                  Interface DMZ2 (172.31.4.254): Link Down (Waiting)
                  Interface Inside (172.31.3.254): Link Down (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 514 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
                  Interface Outside (1.254.170.225): Link Down (Waiting)
                  Interface DMZ1 (172.31.5.1): Link Down (Waiting)
                  Interface DMZ2 (172.31.4.1): Link Down (Waiting)
                  Interface Inside (172.31.3.3): Link Down (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Unconfigured.

19. On the Primary firewall show failover.
SFWALL1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
        This host: Primary - Active
                Active time: 616 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
                slot 1: empty
                Interface Outside (1.254.170.225): Link Down (Waiting)
                Interface DMZ1 (172.31.5.1): Link Down (Waiting)
                Interface DMZ2 (172.31.4.1): Link Down (Waiting)
                Interface Inside (172.31.3.3): Link Down (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                slot 1: empty
                Interface Outside (1.254.170.254): Link Down (Waiting)
                Interface DMZ1 (172.31.5.254): Link Down (Waiting)
                Interface DMZ2 (172.31.4.254): Link Down (Waiting)
                Interface Inside (172.31.3.254): Link Down (Waiting)
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
20. On the primary ASA:
RSFWALL1(config)# failover poll 1 hol 3
RSFWALL1(config)# failover poll interface 3
RSFWALL1(config)# int m0/0
RSFWALL1(config-if)# failover poll interface 3
RSFWALL1(config)#
21. Save the config.
SFWALL1(config)# write mem
Building configuration...
Cryptochecksum: 6650f6c9 09bbb5f0 0dafa0d1 8fc08aba
8756 bytes copied in 3.680 secs (2918 bytes/sec)
[OK]
RSFWALL1(config)#
22. When done, pull the power on ASA 1 to fail over.
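Steps 18 and 19 above are the point where a replacement goes right or wrong, so here is an added check (not code from Pete Long's answer or from any Cisco tool) that parses `show failover` output in the format shown above and lists what to review before the final power-pull test: failover On, two units present with one Active and one Standby Ready, matching software versions on both units (the sample output above shows 7.2(2) against 7.0(5), which this flags), monitored interfaces in the healthy `Normal` state rather than `Link Down (Waiting)`, and whether a stateful failover link exists. The transcript embedded in the script is constructed to resemble the answer's output; the dataclass and function names are this example's own.

```python
"""Sanity-check a PIX/ASA failover pair from 'show failover' output.

Added example, not code from the original answer. The transcript below is
constructed to match the output format shown in steps 18 and 19; a healthy
monitored interface reports 'Normal', an uncabled one 'Link Down (Waiting)'.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: 'show failover' as captured on the secondary unit.
SHOW_FAILOVER_SAMPLE = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
        This host: Secondary - Standby Ready
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface Outside (1.254.170.254): Link Down (Waiting)
                  Interface DMZ1 (172.31.5.254): Normal
                  Interface DMZ2 (172.31.4.254): Normal
                  Interface Inside (172.31.3.254): Normal
        Other host: Primary - Active
                slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
                  Interface Outside (1.254.170.225): Link Down (Waiting)
                  Interface DMZ1 (172.31.5.1): Normal
                  Interface DMZ2 (172.31.4.1): Normal
                  Interface Inside (172.31.3.3): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

_HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
_IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")
_VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")


@dataclass
class UnitView:
    role: str                                        # Primary / Secondary
    state: str                                       # Active, Standby Ready, Failed, ...
    interfaces: dict = field(default_factory=dict)   # name -> (ip, status)


@dataclass
class FailoverStatus:
    enabled: bool = False
    unit: str = ""
    our_version: str = ""
    mate_version: str = ""
    stateful_link: str = ""
    hosts: dict = field(default_factory=dict)        # "this" / "other" -> UnitView


def parse_show_failover(text):
    """Pull out the fields of 'show failover' that matter for a health check."""
    status = FailoverStatus()
    current = None                                   # UnitView receiving interface lines
    for line in text.splitlines():
        if line.startswith("Failover On") or line.startswith("Failover Off"):
            status.enabled = line.split()[1] == "On"
        elif line.startswith("Failover unit "):
            status.unit = line.split()[2]
        elif m := _VERSION_RE.match(line):
            status.our_version, status.mate_version = m.groups()
        elif m := _HOST_RE.match(line):
            current = UnitView(role=m.group(2), state=m.group(3))
            status.hosts["this" if m.group(1) == "This" else "other"] = current
        elif (m := _IFACE_RE.match(line)) and current is not None:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3))
        elif line.strip().startswith("Link :"):
            status.stateful_link = line.split(":", 1)[1].strip()
    return status


def check_pair(status):
    """Return the findings an operator should review before the power-pull test."""
    findings = []
    if not status.enabled:
        findings.append("CRITICAL: failover is Off")
    if len(status.hosts) != 2:
        findings.append(f"CRITICAL: mate not detected ({len(status.hosts)} host(s) listed)")
    elif sorted(v.state for v in status.hosts.values()) != ["Active", "Standby Ready"]:
        states = {k: v.state for k, v in status.hosts.items()}
        findings.append(f"CRITICAL: expected one Active and one Standby Ready unit, got {states}")
    if status.our_version != status.mate_version:
        findings.append(f"WARNING: software versions differ (ours {status.our_version}, "
                        f"mate {status.mate_version}); align them outside an upgrade window")
    for which, view in status.hosts.items():
        for name, (ip, state) in view.interfaces.items():
            if state != "Normal":
                findings.append(f"WARNING: {which} host ({view.role}) interface {name} "
                                f"{ip} is '{state}', not Normal")
    if status.stateful_link.startswith("Unconfigured"):
        findings.append("INFO: no stateful failover link; existing connections are "
                        "not replicated and will drop on failover")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_show_failover(SHOW_FAILOVER_SAMPLE)):
        print(finding)
```

Run it against the pasted output from each unit in turn; a clean pair produces only the stateful-link INFO line (or nothing, if a stateful link is configured), and anything tagged CRITICAL means the mate has not been detected or the roles are not what the answer's step 17 expects, so the power-pull test in step 22 should wait.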
 

Author Comment

by:dissolved
ID: 24086332
Pete, thanks for that bud. Can you tell me if the above is what I need to do if it's already in failover mode? What I mean is, we already have a failover setup. One of the pix's in the setup went bad and we are replacing it. Since we already had it configured, is it as simple as just swapping it out?

thanks
 
LVL 57

Expert Comment

by:Pete Long
ID: 24110051
If you're already in failover mode, you just need to detect the failover partner and the config will replicate :)