Cisco PIX 525 Failover Question
Results 1 to 4 of 4

Thread: Cisco PIX 525 Failover Question

  1. #1

    Cisco PIX 525 Failover Question

    So, before I open a Cisco TAC case on this, I thought I would see if I can get my answer here. First let me give a little background. I have a Cisco PIX 525 firewall that is connected to a failover PIX. I need to remove the primary PIX and replace it with another PIX 525 that will not connect to the failover. This is due to the fact that this PIX does not have the ability to utilize the failover option. I want to leave the failover in place in the event the new primary goes down. Of course, I would have to switch it over manually but that is not a problem. In a few weeks, the old configuration will be put in place.
    I know that a failover cannot be configured directly but only via the primary. I just want to be sure that when I remove the old primary, the configuration in the failover will stay even if I shut it down and fire it up at a later date.


    BTW, I tought it might be a good idea to post this question here. When an answer is made available, even if I end up suppling it from Cisco TAC, it can be a resource for others.

  2. #2
    Ok since I have not heard from anyone here....I have the answer from TAC.

    I can think of some potential catches with this plan, but its not
    necessarily a bad one. The main issue I can think of is whether the
    secondary unit is a failover only model (you can verify this by running a
    show version on the unit). If this is the case, then the secondary unit
    will not run for long disconnected from the primary (and it needs the
    failover cable connected to boot entirely). Also, if the unit is not a
    failover only pix, you should make certain that the configuration is saved
    to the standby unit so that it can run on its own (a standby unit will
    receive its configuration from the primary, so its not necessary for the
    standby unit to actually have the configuration saved).

    If the standby unit is not a failover only model, then your plan should
    work fine. However, in that case, you should not need to remove the
    primary unit. You could actually take the secondary unit and move it to
    the new facility. This way, the network will not need to be disrupted by
    the removal of the pix (as the secondary unit will have been removed). You
    can then make the secondary unit the new primary unit at the other facility
    (and therefore not disrupt the network when you add the pix from the old
    facility to the new facility).

    If the standby unit is a failover only model, then you will not be able to
    simply add the pix to the network if your replacement is not performing
    well. However, you could likely have the secondary unit act as the
    secondary unit for your temporary replacement (assuming that they have an
    identical hardware configuration that is).

  3. #3
    Junior Member
    Join Date
    Sep 2002


    go to in the discussions, there all a few ccie's and double ccie's in there answering questions. Also there is a board on cisco's website that ccie's reply to posts.

  4. #4
    Good idea...Thanks.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts