Replication failover PIX VPN (CEP) certificate

Hello

Had a pair of PIX 525 on 6.3 (4) version running in active/failover mode, I recently configured VPN authenticated by certificates, which involved the use of PRACTICE in order to get the certificate to the PIX. Certificates have been imported for the PIX from a snap-in with the software component CEP Protocol Windows CA server by following the instructions described here: http://www.ciscosystems.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html#wp1007263 .

It all works very well, the configuration has been saved, certificates registered cases using "ca save all", everything works well except the certificates that have been imported have not been replicated for the PIX failover - the command 'Show the ca certificate', shows not all certs.

Private keys show 'sh ca mypubkey rsa' are the same on both devices.

I'm not able to find any documentation about how certificates must be replicated on the PIX failover, and it is not possible to write certificates again on the PIX failover using the commands they were initially imported by:

PIX - fw # conf t
WARNING *.
Configuration of replication is NOT performed the unit from standby to Active unit.
Configurations are no longer synchronized.

PIX - FW (config) auth ca ca
WARNING *.
Configuration of replication is NOT performed the unit from standby to Active unit.
Configurations are no longer synchronized.

Everyone knows a similar issue or how to get the PIX failover with the new ca certificates?

Kind regards

Sarunas

Hello Sarunas

PIX 6 indeed do not synchronize keys and certificates automatically.

However, you should be able to do this first, forcing a failover (i.e. secondary image make it active), then register (now active) high school with the certification authority.

HTH

Herbert

Tags: Cisco Security

Similar Questions

  • Simple PIX PIX VPN issues

    I'm trying to implement a simple PIX PIX VPN using the simple PIX - PIX VPN documentation for the sample config page. I have a lot of VPN tunnels with other very happy other PIX devices so it's quite annoying. Anyway, on the source PIX config is as follows:-

    access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

    access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

    NAT (phoenix_private) 0-access list 101

    Permitted connection ipsec sysopt

    No sysopt route dnat

    Crypto ipsec transform-set esp - esp-md5-hmac chevelle

    ntlink 1 ipsec-isakmp crypto map

    1 ipsec-isakmp crypto map TransAm

    correspondence address 1 card crypto transam 101

    card crypto transam 1 set peer 172.18.126.233

    card crypto transam 1 transform-set chevelle

    interface inside crypto map transam

    ISAKMP allows inside

    ISAKMP key * address 172.18.126.233 netmask 255.255.255.255

    ISAKMP identity address

    part of pre authentication ISAKMP policy 1

    of ISAKMP policy 1 encryption

    ISAKMP policy 1 md5 hash

    1 1 ISAKMP policy group

    ISAKMP policy 1 lifetime 1000

    and if I generate the traffic logs show this: -.

    9 August 18:40:15 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:17 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:18 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    9 August 18:40:18 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

    9 August 18:40:19 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

    No isakmp and ipsec debugging message appears, but you who wait that the PIX does not even link the traffic with the access list or a NAT.

    I do something obviously stupid, can someone tell me what it is, thank you.

    Jon.

    Hello

    1. you create a second access as list:

    outside_cryptomap ip 172.18.138.0 access list allow 255.255.255.0 172.18.133.0 255.255.255.0

    and

    2. instead of

    correspondence address 1 card crypto transam 101

    You must configure

    card crypto transam 1 match address outside_cryptomap

    the problem is that you configure an ACL for nat and crypto - that does not work

    concerning

    Alex

  • With PAT on Cisco PIX VPN client

    Dear all,

    I have a PIX 515 to the main site with the IPSec security is enabled. Homepage user using 3.x VPN client connects to the PIX for VPN access. When user Home use real IP, I can ping to the local network of the main site. However, when the Home user using a router with PAT, the VPN can be established.

    Is there a setting I should put on PIX, VPN client or router?

    Thank you.

    Doug

    And if you still have problems, upgrade your pix, 6.3 and usage:

    ISAKMP nat-traversal

    But the first thing would be to check the IPSEC passthrough as Ade suggested. If the device is a linksys check the version of the firmware as well.

    Kind regards

  • On Pix VPN tunnel to the same subnet

    I have a customer who want to set up a the PIX VPN tunnel located on each site. For some reason, each side has the same subnet number, for example. 10.10.10.x/32. I'm sure we must run NAT, but is it possible.

    This can help

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

  • Failover with VPN concentrator

    Hi all

    We have unique VPN concentrator which is the single point of failure, so need your help to mitigate the same

    The topology diagram is attached

    Site A and Site B.

    Site B has internet gateways where we have existing VPN.

    The intention to introduce the site A & Concentrator VPN gateway VPN is set as well

    Our design is provided for in

    Connectivity between the two locations & other office is managed by BGP.

    Default route is pointing at the Internet gateway.

    Info by the Internet Segment.

    ·         We have the SP independent IP range

    ·         Switching between 2 SP to site B is obtained by using the iBGP and eBGP

    Challenge: VPN concentrator single Point of failure (the Cisco VPN concentrator 3000)

    Here are the design goals

    ·         Implement internet gateways to the Site - A which will have redundancy level of Portal Site

    ·         Place on the VPN concentrator, which will act as a switch between site

    o If the concentrator vpn site B is out of box A VPN site must support all traffic.

    Concentrator VPN active o replica of Site B

    Is it possible to achieve the objectives of design.

    Please help about the VPN concentrator... How I can set VPN concentrator in failover mode... Just as we do firewalls?

    Help, please

    Hi yogesh,

    Concentrator VPN supports failover through VRRP. Please find the following for your reference document:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

    As for the addition of failover for VPN concentrator, you happen to have a spare hub VPN to run VRRP?

    Don't know if you know, however, VPN concentrator comes end of life and the last delivery date was November 2007, as a result, you will not be able to buy VPN concentrator more.

    Here's the EOL notificatin for your reference:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

  • PIX VPN failover to different data centers

    Hello

    I got 90 sites with PIX 501 6.4 (4) that connect to a centralized with pre-shared key and ip data center site.

    We seek to set up another site and provide a VPN failover service.

    Disaster, we would like the 501 to start to use the new Concentrator VPN sites.

    I had a glance on the configuration guide and it doesn't look like we could use DNS for the exchange of traffic.

    Is there some I could get the 501 to use the second VPN Service if the primary data center is taken out.

    Concerning

    John

    It will work. It will use the second pair if the first is not available. I think this is mentioned in the guide configuration somewhere, but I'll have to look. Please rate if this can help.

    card crypto newmap 10 set peer 1.1.1.1

    map newmap 10 peer set 2.2.2.2 crypto

    ISAKMP key * address 1.1.1.1 netmask 255.255.255.255

    ISAKMP key * address 2.2.2.2 netmask 255.255.255.255

  • PIX PIX VPN - error log

    I created a VPN between our PIX and PIX customers but receives the following error message when I try to activate tunnnel. I checked the ACL on both ends. Any ideas?

    ISADB: Reaper checking HIS 0x80da9618, id_conn = 0IPSEC (sa_initiate): ACL = deny;

    No its created

    IPSec (sa_initiate): ACL = deny; No its created

    IPSec (sa_initiate): ACL = deny; No its created

    IPSec (sa_initiate): ACL = deny; No its created

    I've seen a few times. Usually remove the interface of the card encryption and re - apply solves it, sometimes it is necessary to remove the card encryption and the "enable isakmp outside" and put them both back in.

    This message is also sometimes to do with something wrong in the configuration, in order to double-check your ACL and your transformation games, etc.

  • Add PIX VPN to the already established network of MPLS

    I have a client who operates the site three on a MPLS cloud. Now they want to add more security between these different places. A place internet offers to the United Nations. However, all sites can communicate securely with each other.

    Each location has its own 10... subnet.

    They believe as a PIX at every place on every 10. / subnet and VPN tunnels between each PIX, it's what it takes.

    Is there a third party place connections between these PIX on their MPLS VPN cloud?

    Thanks cowtan. Please mark as resolved post, which might be useful for others. response rate (s) If you found useful responses...

  • ping for the pix vpn problem

    Hello

    I got a pix 501 (6.3 - 4) on a local network and try to use Cisco VPN Client (4.0.2-D) on a remote pc.

    I can open a vpn session.

    I can't ping from the remote pc to the LAN

    I can ping from any station on the LAN to the remote pc

    After that I did a ping of a station on the LAN to the remote pc, I ping the remote computer to the local network.

    I am so newb, trying for 2 days changing ACLs, no way.

    I must say that I am in dynamic ip wan on the local network and the remote pc.

    Any idea about this problem?

    Any help is welcome.

    Here is the configuration of my pix:

    6.3 (4) version PIX

    interface ethernet0 10baset

    interface ethernet1 100full

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the password * encrypted

    passwd * encrypted

    pixfirewall hostname

    domain ciscopix.com

    clock timezone THATS 1

    clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    correction... /...

    fixup protocol tftp 69

    names of

    name 192.168.42.0 Dmi

    inside_access_in ip access list allow a whole

    inside_outbound_nat0_acl ip access list allow any 192.168.229.0 255.255.255.0

    outside_cryptomap_dyn_20 ip access list Dmi 255.255.255.0 allow 192.168.229.32 255.255.255.224

    access-list outside_cryptomap_dyn_20 allow icmp a whole

    pager lines 24

    opening of session

    logging trap information

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside the 209.x.x.x.255.255.224

    IP address inside 192.168.42.40 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool dmivpndhcp 192.168.229.1 - 192.168.229.254

    location of PDM 192.168.229.1 255.255.255.255 outside

    209.165.x.x.x.255.255 PDM location inside

    209.x.x.x.255.255.255 PDM location outdoors

    PDM logging 100 information

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

    Timeout xlate 0:05:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    Dmi 255.255.255.0 inside http

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    TFTP server inside the 192.168.42.100.

    enable floodguard

    Permitted connection ipsec sysopt

    AUTH-prompt quick pass

    AUTH-guest accept good

    AUTH-prompt bad rejection

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    Dynamic crypto map dynmap 20 match address outside_cryptomap_dyn_20

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    ISAKMP allows outside

    ISAKMP identity address

    part of pre authentication ISAKMP policy 20

    ISAKMP policy 20 3des encryption

    ISAKMP policy 20 chopping sha

    20 2 ISAKMP policy group

    ISAKMP duration strategy of life 20 86400

    vpngroup address dmivpndhcp pool dmivpn

    vpngroup dns 192.168.42.20 Server dmivpn

    vpngroup dmivpn wins server - 192.168.42.20

    vpngroup dmivpn by default-field defi.local

    vpngroup idle 1800 dmivpn-time

    vpngroup password dmivpn *.

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    VPDN username vpnuser password *.

    VPDN allow outside

    VPDN allow inside

    dhcpd address 192.168.42.41 - 192.168.42.72 inside

    dhcpd lease 3600

    dhcpd ping_timeout 750

    Terminal width 80

    Cryptochecksum: *.

    Noelle,

    Add the command: (in config mode): isakmp nat-traversal

    Let me know if it helps.

    Jay

  • Simple failover PIX LAN question

    Is - this (PIX 6.3) FO license that is sufficient for LAN-based failover to secondary unit or to be unrestricted? I can not find the exact answer on the Cisco Web.

    Marko

    Yes, Marko, FO license is sufficient for the minor unit. Primary should be allowed without restriction.

    Kind regards

    GE.

  • PIX VPN accounts

    Hello

    Is it possible to get the PIX to do accounting for VPN connections. I currently have it configured for authentication via radius, but once VPN authenticates it, nothing is sent by the pix via the port of RADIUS-acct (1813) to indicate the success or failure etc. I know that you can count other services such as ssh/telnet/http connections FOR the pix, itself or through. I tried "rigging" by the accounting of all connections to udp/4500, but that doesn't seem to work. It doesn't seem to be a command to activate vpn accounting, at least not that I could find. If anyone has any ideas it would be appreciated. I am running a PIX 515e w/6.3 and using Freeradius on Linux.

    Thank you.

    -John

    John,

    Unfortunately, what you're trying to collect is not possible at the moment. Thank you

    Renault

  • PIX vpn public dmz

    Hello

    I d wishes to establish a vpn to a pix firewall 515 and pos version

    7.0 (5) with a public dmz and nat translation.

    inside: 10.5.10.0/24

    outdoors: 1.1.1.1/27 (Beach)

    DMZ: 2.2.2.2/27 (Beach)

    distance inside the network:192.168.20.0/24

    My area of encryption should be: 2.2.2.3/32--192.168.20.0/24

    announcement I have a nat rule, which is:

    NAT (inside the dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

    So basically I want to translate the connections coming from 2.2.2.3 to

    10.5.10.28

    the vpn is configured correctly and set up both sides, but the nat rule

    with the vpn doesn't work.

    Built of incoming TCP connections to outside:192.168.20.82/34237 4619

    (192.168.20.82/34237) at dmz:2.2.2.3/22 (2.2.2.3/22)

    but I can t see any traffic on the 10.5.10.28 Server, I see instead:

    Built of incoming TCP connections to outside:192.168.20.82/34237 4619

    ((192.168.20.82/34237) at dmz:10.5.10.28/22(10.5.10.28/22)

    any help would be great!

    Kind regards

    dural

    Dural salvation

    Could you specify just the line

    NAT (inside the dmz) 2.2.2.3 10.5.10.28 netmask 255.255.255.255

    should we read

    2.2.2.3 static (inside the dmz) 10.5.10.28 netmask 255.255.255.255

    Also are you terminating the VPN on the external interface of your firewall is to say what is the IP address of the peer to your end.

    You might not try

    static (inside, outside) 2.2.2.2 10.5.10.28 netmask 255.255.255.255

    * Edit - I meant

    static (inside, outside) 2.2.2.3 10.5.10.28 netmask 255.255.255.255 *.

    You need not actually traffic to DMZ, you?

    If not do you have IP addresses available in the public system on your external interface?

    HTH

    Jon

  • Site to Site PIX VPN problems

    Hi, I currently have a site to site vpn upward and running and it works fine. I try to put the other two online and just cannot make them work. I used the same configuration of one operation but I cannot get the next tunnel. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you

    Main site - a vpn clients connecting too it and pt to pt vpn to 3 endpoints

    Cisco PIX Firewall Version 6.3 (3)

    * Main Site Config *.

    client_vpn 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

    VPN_to_Site2 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

    NAT (inside) 0-list of access client_vpn

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

    outside_map 60 ipsec-isakmp crypto map

    address for correspondence card crypto outside_map 60 VPN_to_Site2

    crypto outside_map 60 peer 64.X.X.19 card game

    card crypto outside_map 60 transform-set fws_encry_set

    outside_map interface card crypto outside

    ISAKMP allows outside

    ISAKMP key * address 64.X.X.19 netmask 255.255.255.255 No.-xauth-no-config-mode

    ISAKMP identity address

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 3des encryption

    ISAKMP policy 10 md5 hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    Site 2 config

    * only because the pt to pt does not work I have it set up to allow vpn clients to cross to connect to the main site.

    Cisco PIX Firewall Version 6.3 (5) *.

    permit access ip 192.168.0.0 list VPN_to_Main 255.255.255.0 10.10.0.0 255.255.0.0

    NAT (inside) 0-list of access VPN_to_Main

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

    outside_map 10 ipsec-isakmp crypto map

    outside_map card crypto 10 corresponds to the address VPN_to_Main

    crypto outside_map 10 peer 207.X.X.13 card game

    card crypto outside_map 10 transform-set fws_encry_set

    outside_map interface card crypto outside

    ISAKMP allows outside

    ISAKMP key * address 207.X.X.13 netmask 255.255.255.255 No.-xauth-no-config-mode

    ISAKMP identity address

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 3des encryption

    ISAKMP policy 10 md5 hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    Errors

    PIX (config) # IPSEC (sa_initiate): ACL = deny; No its created

    authenticator is HMAC-MD5IPSEC (validate_proposal): invalid local address

    I have a link that works very well. I have copied the config from there, changed the ip info and it does not work. The only differences in the configs are no sysopt route dnat and it's on Version 6.2 (2)

    IPSec (sa_initiate): ACL = deny; No its created

    I think that you have configured a VPN tunnel without removing the cryptographic card of the external interface. The message above is the error we get in such situation.

    I suggest the following solution:

    -remove the external interface (the two pix) cryptographic card

    -Cree claire isa his and trendy clear ipsec his (the two pix)

    -Reapply the card encryption on external interfaces.

    If this doesn't solve the problem, restart the equipment.

    Kind regards

    Ajit

  • (Maybe stupid) Question about ASDM configured PIX PIX VPN

    I have two PIX515 running v7.2 (1) and ASDM 5.2 (1).

    If I use the VPN Wizard of the ASDM to configure a site to site VPN, this process takes care of the need to create split tunnel parameters, so that the outgoing traffic non - VPN inside each PIX is managed properly?

    Hello

    By default, all client VPN traffic is encrypted and sent to the VPN server, Split tunneling is used for client vpn remote to exempt a particular traffic to be encrypted and tunnel to the VPN server so that the traffic will be sent in parallel to the internet or local.

    During the configuration of site to site intuitively that when the configuration of the remote networks on both sides that communicate together by the IPSec tunnel and all other traffic is routed to their destinations without encryption.

  • VPN with certificates

    Hello

    I want to configure a VPN site-to site with digital certificates.

    How can I install a CA on the ASA 5520? The SAA must use the certificate from the local CA and also use the public certificate of the VPN server on the other side of the tunnel.

    The SAA is 8.0 (3) IOS installed.

    Thanks for your help.

    I think the ASA may have multiple trustpoints at the same time, you can see the configuration example on how to load a cert from a Microsoft CA:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008073b12b.shtml

    For other commercial suppliers, you will find instructions on the respective Web sites of ther

    Some other examples:

    http://www.Cisco.com/warp/public/471/VeriSign-install-ASA.PDF

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808a61cd.shtml

    Concerning

    Anisah

Maybe you are looking for