Document ID: 70390
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Procedure For Upgrading License
New Activation Key
Upgrading License
Verify the Key
Related Information
Introduction
When you upgrade the license for failover units, network downtime cannot be avoided, but it can be minimized. This document describes how to minimize the downtime during a license upgrade in a failover pair.
Cisco PIX 515, 515E, 525, and 535 Security Appliances support the concept of a Platform License. The license levels are Restricted (R), Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA).
The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover.
For a sample configuration that includes a brief introduction to the PIX/ASA Active/Standby Failover, refer to PIX/ASA: Active/Standby Failover Configuration Example.
For a sample configuration that includes a brief introduction to the PIX/ASA Active/Active Failover, refer to PIX/ASA: Active/Active Failover Configuration Example.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
- Cisco PIX 515, 515E, 525, and 535 Security Appliances with version 7.x and later
The information in this document was created from the devices in a specific lab environment.
Related Products
You can also use this configuration with Cisco ASA Security Appliance version 7.x and later.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Procedure For Upgrading License
Use the following steps to upgrade the license in a failover pair.
New Activation Key
By default, the license on the PIX is Restricted (R). A new activation key is required in order to upgrade from a Restricted software bundle to a bundle that supports additional features, such as a larger number of connections, failover, IPSec, or additional interfaces. A new activation key is also sometimes necessary after a Flash upgrade on a PIX.
To request an activation key, send an email to licensing@cisco.com that provides the serial number of the PIX (or, if you are upgrading the Flash, the serial number of the Flash card) and the output of the show version command. Go to the Cisco ASA 3DES/AES License Registration (registered customers only) page to request an AES/3DES activation key.
The following sample show version output shows the serial number and the activation key for the security appliance.
pix# show version

Cisco PIX Security Appliance Software Version 7.1(1)
Device Manager Version 5.1(1)

Compiled on Thu 19-Jan-06 15:02 by builders
System image file is "flash:/pix711.bin"
Config file at boot was "startup-config"

pix up 7 days 20 hours

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 000f.908f.2d45, irq 10
1: Ext: Ethernet1 : address is 000f.908f.2d46, irq 11
2: Ext: Ethernet2 : address is 0005.5d19.7ad0, irq 11
3: Ext: Ethernet3 : address is 0005.5d19.7ad1, irq 10
4: Ext: Ethernet4 : address is 0005.5d19.7ad2, irq 9
5: Ext: Ethernet5 : address is 0005.5d19.7ad3, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: 808150103
Running Activation Key: 0x8f5bdba6 0x0963cc7f 0xfeffd300 0x9b00f19d
Configuration last modified by enable_15 at 01:42:55.492 UTC Wed May 31 2006
Upgrading License
Once you have received the new activation key from Cisco, log into each PIX and enter the key manually in config terminal mode.
The PIX Security appliance Version 7.0 and above supports two kinds of license keys.
- Existing 4-tuple license key for PIX Version 6.3 or earlier
- A new 5-tuple license key for PIX Security appliance Version 7.0 and above only
Syntax: activation-key [activation-key-four-tuple | activation-key-five-tuple]
Example:
pix(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Assuming the primary unit is Active, follow these steps in order to have minimum downtime while upgrading the license.
- Upgrade the license on the primary unit and issue write mem to save the configuration.
- Shut down the primary unit (do not reboot it). This makes the secondary unit active. Do not remove any of the cables at any point during the upgrade process.
- With the secondary unit now active, upgrade its license and issue write mem to save the configuration on the secondary unit.
- Shut down the secondary unit and boot up the primary unit. (The network is down from this point until the primary unit boots up completely.)
- Once the primary unit is up and running, wait for three minutes, then boot up the secondary unit. This completes the upgrade.
Note: If the primary unit is in Standby, reverse the roles in the preceding procedure. That is, substitute the secondary PIX wherever the procedure says primary, and the primary PIX wherever it says secondary.
Verify the Key
You can verify the updated license by issuing the "show version" or "show activation-key" command on both the primary and secondary units.
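The verification above can be scripted over "show version" output captured from each unit. This is an added example, not Cisco code: the function names, the expected-key argument and the second sample output are constructed for illustration, and it assumes the output format shown earlier in this document.

```python
import re

FIELDS = {
    "serial": r"^Serial Number:\s*(\S+)",
    "license": r"^This platform has an? .*?\((\S+)\) license",
    "failover": r"^Failover\s*:\s*(\S+)",
    "key": r"^Running Activation Key:[ \t]*((?:0x[0-9a-fA-F]+[ \t]*)+)",
}

def normalize_key(key):
    """Return the key as a tuple of ints; accept only 4- or 5-tuples."""
    words = tuple(int(w, 16) for w in key.split())
    if len(words) not in (4, 5) or any(w > 0xFFFFFFFF for w in words):
        raise ValueError(f"not a 4- or 5-tuple activation key: {key!r}")
    return words

def parse_show_version(text):
    """Pull the license-related fields out of 'show version' output."""
    found = {n: re.search(p, text, re.M) for n, p in FIELDS.items()}
    return {n: m.group(1).strip() if m else None for n, m in found.items()}

def check_unit(text, expected_key, expected_license="UR"):
    """Return a list of problems; an empty list means the unit is upgraded."""
    info, problems = parse_show_version(text), []
    if info["key"] is None:
        problems.append("no running activation key in output")
    elif normalize_key(info["key"]) != normalize_key(expected_key):
        problems.append("running key differs from the key that was issued")
    if info["license"] != expected_license:
        problems.append(f"license is {info['license']}, expected {expected_license}")
    if info["failover"] in (None, "Disabled"):
        problems.append("failover feature not licensed")
    return problems

# Excerpt of the 'show version' output shown earlier in this document.
PRIMARY = """\
Failover                    : Active/Active
This platform has an Unrestricted (UR) license.
Serial Number: 808150103
Running Activation Key: 0x8f5bdba6 0x0963cc7f 0xfeffd300 0x9b00f19d
"""
# Constructed output for a unit on which the new key never took effect.
SECONDARY = """\
Failover                    : Disabled
This platform has a Restricted (R) license.
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
"""
PRIMARY_KEY = "0x8F5BDBA6 0x0963CC7F 0xFEFFD300 0x9B00F19D"  # case is ignored
```

Run check_unit once per unit, passing the key that was issued for that unit; any non-empty result means the unit still needs attention before it rejoins the pair.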
Related Information
- Configuring Failover in PIX 7.x Security Appliance
- Technical Support & Documentation - Cisco Systems
| Updated: Aug 18, 2008 | Document ID: 70390 |
