September 24th, 2002, 01:50 AM
Cisco PIX 525 Failover Question
So, before I open a Cisco TAC case on this, I thought I would see if I can get my answer here. First let me give a little background. I have a Cisco PIX 525 firewall that is connected to a failover PIX. I need to remove the primary PIX and replace it with another PIX 525 that will not connect to the failover. This is due to the fact that this PIX does not have the ability to utilize the failover option. I want to leave the failover in place in the event the new primary goes down. Of course, I would have to switch it over manually but that is not a problem. In a few weeks, the old configuration will be put in place.
I know that a failover cannot be configured directly but only via the primary. I just want to be sure that when I remove the old primary, the configuration in the failover will stay even if I shut it down and fire it up at a later date.
BTW, I thought it might be a good idea to post this question here. When an answer is made available, even if I end up supplying it from Cisco TAC, it can be a resource for others.
September 25th, 2002, 09:02 PM
OK, since I have not heard from anyone here... I have the answer from TAC.
I can think of some potential catches with this plan, but it's not necessarily a bad one. The main issue I can think of is whether the secondary unit is a failover only model (you can verify this by running a show version on the unit). If this is the case, then the secondary unit will not run for long disconnected from the primary (and it needs the failover cable connected to boot entirely). Also, if the unit is not a failover only PIX, you should make certain that the configuration is saved to the standby unit so that it can run on its own (a standby unit will receive its configuration from the primary, so it's not necessary for the standby unit to actually have the configuration saved).
If the standby unit is not a failover only model, then your plan should work fine. However, in that case, you should not need to remove the primary unit. You could actually take the secondary unit and move it to the new facility. This way, the network will not need to be disrupted by the removal of the PIX (as the secondary unit will have been removed). You can then make the secondary unit the new primary unit at the other facility (and therefore not disrupt the network when you add the PIX from the old facility to the new facility).
If the standby unit is a failover only model, then you will not be able to simply add the PIX to the network if your replacement is not performing well. However, you could likely have the secondary unit act as the secondary unit for your temporary replacement (assuming that they have an identical hardware configuration, that is).
September 25th, 2002, 10:51 PM
Go to cramsessions.com; in the discussions, there are a few CCIEs and double CCIEs in there answering questions. Also, there is a board on Cisco's website where CCIEs reply to posts.
September 26th, 2002, 12:59 AM