Warning Message "Failover message decryption failure"
18 years 1 month ago #17571
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Hi peeps,
Wondering if anyone has come across this before, saves me a call to Cisco TAC. I have already checked that the keys are the same but it still keeps coming up on my console every so many minutes...
"WARNING: Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory"
Here is the "show version" output from both PIXs
Active Pix
[code:1]
NAME# sh ver
Cisco PIX Security Appliance Software Version 7.0(4)
Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
NAME up 349 days 2 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0005.3202.df2c, irq 10
1: Ext: Ethernet1 : address is 0005.3202.df2d, irq 11
2: Ext: Ethernet2 : address is 00e0.b602.8239, irq 11
3: Ext: Ethernet3 : address is 00e0.b602.8238, irq 10
4: Ext: Ethernet4 : address is 00e0.b602.8237, irq 9
5: Ext: Ethernet5 : address is 00e0.b602.8236, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: **********
Running Activation Key: Some Numbers
Configuration last modified by enable_15 at 17:18:48.733 BST Thu Oct 19 2006
[/code:1]
Passive Pix
[code:1]
NAME# sh ver
Cisco PIX Security Appliance Software Version 7.0(4)
Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "flash:/pix704.bin"
Config file at boot was "startup-config"
NAME up 329 days 2 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0 : address is 000d.2897.1f9f, irq 10
1: Ext: Ethernet1 : address is 000d.2897.1fa0, irq 11
2: Ext: Ethernet2 : address is 00e0.b607.22b7, irq 11
3: Ext: Ethernet3 : address is 00e0.b607.22b6, irq 10
4: Ext: Ethernet4 : address is 00e0.b607.22b5, irq 9
5: Ext: Ethernet5 : address is 00e0.b607.22b4, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Failover Only-Active/Standby (FO) license.
Serial Number: **********
Running Activation Key: Some Different Numbers
Configuration last modified by enable_1 at 17:25:09.482 BST Thu Oct 19 2006
[/code:1]
18 years 1 month ago #17584
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Warning Message "Failover message decryption failure"
Well, spoke to our support TAC on this and have been advised to upgrade the IOS as there have been loads of issues with this version of the PIX code.
Will give that a go in a few weeks and see how we go.
17 years 10 months ago #19143
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The update of the IOS didn't make any difference.
Finally got to the bottom of this, and the issue was with the shared key for the failover. Not too sure why, because I reset them once, but since we are using the failover cable you don't actually need the shared failover key, since the traffic doesn't need to be encrypted as it's not going over shared media. I removed the shared failover key and all is now working OK.
Not sure if this is a slight issue with the code, but eh, it's working.
Cheers
17 years 10 months ago #19146
by d_jabsd
Replied by d_jabsd on topic Re: Warning Message "Failover message decryption failure"
This is an issue with licensing of your 2nd pix.
An Active/Active setup requires an Unrestricted License on both Pixes.
Your 2nd pix is licensed for Failover Only- Active/Standby.
This is why the failover only pix is dirt cheap. It is useless without a fully licensed partner.
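The warning text in the first post tells the operator to compare the failover shared key and the crypto license on both units, and the reply above adds the Unrestricted versus Failover Only licensing point. The following Python script is an added example (not from the thread, Firewall.cx or Cisco) that parses two PIX 7.x "show version" dumps and lists the failover-relevant differences: software version, platform, VPN crypto features, presence of an encryption hardware device, the Failover feature line, and an Active/Active unit paired with an FO-licensed peer. The two samples are abridged copies of the outputs posted earlier in the thread with serial numbers and activation keys left out; the parsing rules are assumptions drawn from the layout shown on this page, not a Cisco-documented format.

```python
"""Compare two Cisco PIX 7.x 'show version' outputs for the mismatches the
failover decryption warning points at (crypto license, encryption hardware,
failover license) and for the UR/FO licensing point raised in the thread.
Added example; the parsing rules assume the output layout seen on this page."""
import re

# Abridged copy of the active unit's output from the thread (constructed sample).
ACTIVE_SHOW_VER = """\
Cisco PIX Security Appliance Software Version 7.0(4)
System image file is "flash:/image.bin"
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Licensed features for this platform:
Maximum Physical Interfaces : 10
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
This platform has an Unrestricted (UR) license.
Serial Number: **********
"""

# Abridged copy of the standby unit's output from the thread (constructed sample).
STANDBY_SHOW_VER = """\
Cisco PIX Security Appliance Software Version 7.0(4)
System image file is "flash:/pix704.bin"
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
Licensed features for this platform:
Maximum Physical Interfaces : 10
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
This platform has a Failover Only-Active/Standby (FO) license.
Serial Number: **********
"""


def parse_show_version(text):
    """Pull version, platform, crypto hardware, license type and the
    'Licensed features' table out of a PIX 7.x 'show version' dump."""
    info = {"features": {}}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Cisco PIX Security Appliance Software Version (\S+)", line)
        if m:
            info["version"] = m.group(1)
            continue
        m = re.match(r"Hardware:\s*([^,]+)", line)
        if m:
            info["platform"] = m.group(1).strip()
            continue
        if line.startswith("Encryption hardware device"):
            info["crypto_hw"] = line.partition(":")[2].strip()
            continue
        if line.startswith("Licensed features for this platform"):
            in_features = True
            continue
        m = re.match(r"This platform has an? (.+?) license\.", line)
        if m:
            info["license"] = m.group(1)
            in_features = False  # the license line closes the feature table
            continue
        if in_features and ":" in line:
            key, _, value = line.partition(":")
            info["features"][key.strip()] = value.strip()
    return info


def failover_mismatches(active_text, standby_text):
    """Return a list of human-readable differences between the two units."""
    a = parse_show_version(active_text)
    s = parse_show_version(standby_text)
    af, sf = a["features"], s["features"]
    issues = []
    if a.get("version") != s.get("version"):
        issues.append(f"software version differs: {a.get('version')} vs {s.get('version')}")
    if a.get("platform") != s.get("platform"):
        issues.append(f"platform differs: {a.get('platform')} vs {s.get('platform')}")
    # The warning names the crypto license explicitly: the VPN feature lines
    # must agree before the failover link can be encrypted on both ends.
    for feat in ("VPN-DES", "VPN-3DES-AES"):
        if af.get(feat) != sf.get(feat):
            issues.append(f"crypto feature {feat} differs: {af.get(feat)} vs {sf.get(feat)}")
    if ("crypto_hw" in a) != ("crypto_hw" in s):
        issues.append("only one unit reports an encryption hardware device")
    if af.get("Failover") != sf.get("Failover"):
        issues.append(f"failover license differs: {af.get('Failover')} vs {sf.get('Failover')}")
    # Point raised in the thread: Active/Active needs an Unrestricted (UR)
    # license on both units, so a Failover Only (FO) peer is flagged.
    if af.get("Failover") == "Active/Active" and "(FO)" in s.get("license", ""):
        issues.append("Active/Active on the primary but the peer holds a Failover Only (FO) license")
    return issues


if __name__ == "__main__":
    for issue in failover_mismatches(ACTIVE_SHOW_VER, STANDBY_SHOW_VER):
        print("MISMATCH:", issue)
```

Run against the two dumps from the thread it reports three differences: the VAC encryption hardware present on the standby only, the Failover feature line (Active/Active versus Active/Standby), and the FO license on the peer of an Active/Active unit. The software version and VPN feature lines match, which is consistent with the original poster's finding that the shared key, rather than the crypto license, was the part that needed attention.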
17 years 10 months ago #19147
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Warning Message "Failover message decryption failure"
This is an issue with licensing of your 2nd pix.
An Active/Active setup requires an Unrestricted License on both Pixes.
Your 2nd pix is licensed for Failover Only- Active/Standby.
This is why the failover only pix is dirt cheap. It is useless without a fully licensed partner.
Yes, that's what TAC thought; however, from the show tech you can see that the Active/Standby failover is working as it should be. The issue with the UR having Active/Active and the FO Active/Standby has only occurred since the upgrade from Version 6.3 to Version 7 of the code. I may get the license sorted out, however, to save any further issues that might arise from it.
Cheers