PIX 515 - CA config not synced to failover unit?

Discussion in 'Cisco' started by Patrick M. Hausen, Jun 23, 2005.

  1. Hi, Cisco wizards!

    Subject says it: I have a HA/failover pair running 6.3.4.

    I connected the PIX to an MS CA on Win2K server.

    ca identity
    ca configure
    ca authenticate
    ca enroll

    Everything went as expected, VPN clients can connect.

    Then we had a failover - seems like "write standby" does
    not sync the firewall and CA certificate?

    Is this documented somewhere? Should I just enroll both
    systems with the CA?

    Patrick M. Hausen, Jun 23, 2005

  2. Waqas (Guest)

    This is because you have to create a separate identity certificate for the
    other PIX firewall.
    Two devices cannot have the same single certificate.

    So you have to manually enroll the other PIX firewall with the MS CA.
    Waqas, Jun 23, 2005

  3. Hi!

    OK. That's what I figured anyway.
    I just wanted to add that seemingly you can't enroll the
    firewall that is currently in passive mode.
    So you have to enroll the active firewall, force a failover,
    then enroll the second node.

    Just in case somebody else faces the same problem.

    Thanks for your help.
    Patrick M. Hausen, Jun 27, 2005
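The sequence Patrick describes, written out as PIX 6.3 CLI, as an added example that is not part of the thread. The CA nickname "msca", the CA address 192.0.2.10 and the challenge password are placeholders; the SCEP path and command syntax are as given in the PIX 6.3 command reference as the editor recalls them and should be confirmed there. The point the thread makes is that "write standby" replicates the running configuration only, while the RSA key pair and certificates are written to flash by "ca save all", so each unit must hold its own key and identity certificate:

```text
! --- Step 1: on the unit that is currently ACTIVE (the standby cannot enroll) ---
pix(config)# domain-name example.com                       ! must be set before key generation
pix(config)# ca generate rsa key 1024                      ! per-unit key pair, stored in flash, not synced
pix(config)# ca identity msca 192.0.2.10:/certsrv/mscep/mscep.dll
pix(config)# ca configure msca ca 1 20 crloptional         ! retry every 1 min, 20 times; CRL optional
pix(config)# ca authenticate msca                          ! fetch CA cert; compare fingerprint with the CA admin
pix(config)# ca enroll msca <challenge-password>           ! request this unit's identity certificate
pix(config)# show ca certificate                           ! expect the CA certificate AND an identity certificate
pix(config)# ca save all                                   ! persist key pair and certificates to flash
pix(config)# write memory

! --- Step 2: force a failover so the other unit becomes active ---
pix(config)# no failover active                            ! or "failover active" on the standby unit
pix(config)# show failover                                 ! confirm which unit is now active

! --- Step 3: repeat Step 1 on the newly active unit ---
! "ca identity" and "ca configure" were replicated with the config; the key pair,
! "ca authenticate", "ca enroll" and "ca save all" must be run here again.

! --- Step 4: on each unit, verify it holds its own identity certificate ---
pix(config)# show ca certificate                           ! subject/serial differ between the two units
pix(config)# show ca mypubkey rsa                          ! each unit has its own key pair
```

If "show ca certificate" on a unit lists only the CA certificate, that unit was never enrolled and VPN clients will fail to authenticate after it takes over.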
