PIX 515 - CA config not synced to failover unit?

Hi, Cisco wizards!

Subject says it: I have a HA/failover pair running 6.3.4.

I connected the PIX to an MS CA on Win2K server.

ca identity
ca configure
ca authenticate
ca enroll

Everything went as expected, VPN clients can connect.

Then we had a failover - it seems like "write standby" does not sync the firewall and CA certificates?

Is this documented somewhere? Should I just enroll both systems with the CA?

Thanks, Patrick

Patrick M. Hausen

Hi,

This is because you have to create a separate identity certificate for the other PIX firewall. Two devices cannot have the same single certificate.

So you have to manually enroll the other PIX firewall with the MS CA.

Waqas

OK. That's what I figured anyway.

I just wanted to add that seemingly you can't enroll the firewall that is currently in passive mode. So you have to enroll the active firewall, force a failover, then enroll the second node.

Just in case somebody else faces the same problem.

Thanks for your help. Patrick

Patrick M. Hausen
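The procedure Patrick describes (enroll the active unit, force a failover, enroll the second unit), written out as a PIX 6.3 CLI session. This is an added illustration, not text from the thread and not Cisco documentation; the CA nickname "myca", the address 10.0.0.5, the MSCEP URL path, the RSA modulus and the challenge password are placeholders you replace with your own values. Because the RSA key pair and the certificates are stored in each unit's own flash by "ca save all", they are not carried across by "write standby", so the whole sequence is run once per unit.

```text
! ===== Unit 1 (currently ACTIVE) =====
! Placeholders: myca, 10.0.0.5, the MSCEP path and the challenge password are assumed values.
pix1(config)# ca generate rsa key 1024
pix1(config)# ca identity myca 10.0.0.5:/certsrv/mscep/mscep.dll
pix1(config)# ca configure myca ca 1 20 crloptional
pix1(config)# ca authenticate myca
! The PIX prints the CA certificate fingerprint here. Compare it with the
! fingerprint shown on the CA itself before accepting it, so the unit is not
! enrolled against the wrong (or a spoofed) CA.
pix1(config)# ca enroll myca <challenge-password>
pix1(config)# show ca certificate
! Expect a CA certificate plus an identity certificate issued to this unit.
pix1(config)# ca save all
pix1(config)# write memory
pix1(config)# write standby
! write standby copies the configuration, not the key pair or certificates.

! ===== Force a failover so unit 2 becomes active (run on unit 2, the STANDBY) =====
pix2(config)# failover active

! ===== Unit 2 (now ACTIVE): enroll it with its own key pair and certificate =====
pix2(config)# ca generate rsa key 1024
pix2(config)# ca identity myca 10.0.0.5:/certsrv/mscep/mscep.dll
pix2(config)# ca configure myca ca 1 20 crloptional
pix2(config)# ca authenticate myca
! Check the fingerprint again; it must match the one seen on unit 1.
pix2(config)# ca enroll myca <challenge-password>
pix2(config)# show ca certificate
! Each unit should now show its own identity certificate with a different
! serial number; the CA certificate is the same on both.
pix2(config)# ca save all
pix2(config)# write memory
```

Once both units are enrolled, "show ca certificate" on each one is the quick check that a failover will leave a valid identity certificate in place for the VPN clients; if the standby unit shows only the CA certificate and no identity certificate, it has not been enrolled yet.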
