ACE replacement. Plz help.

fariha zain
Level 1

Hi Experts,

Please help me with the following information as I have to perform this tomorrow:

a) I was looking for a detailed procedure to replace the ACE, in an active-active environment/Cluster Configuration ?

b) What parameters do I need to take from the ACE module before replacing it with the new one?

c) I have the config backup; can I load the same on the new module?

Any suggestion would be appreciated.

Regards

Fari

ajayku2
Cisco Employee
Steps to replace ACE hardware in a redundancy setup

(1) Issue “wr mem” on “currently ACTIVE ACE” and backup the configuration.

    Create a configuration “checkpoint” on “currently ACTIVE ACE” for EACH context.

(2) Backup (copy) config from each user context, including Admin context, from your currently in production ACE to a FTP server.

(3) Export your current “certs & keys” to a tftp/ ftp/ sftp server from the ACTIVE  ACE & then import them on “the new ACE” later.

(4) Power down the ACE module, to be replaced, from the switch CLI in  config mode (no power enable module ) and replace  it with the replacement module.

(5) Power up the new replacement module from switch CLI (power enable module ).

(6) Once the new module is on line, session into it from the switch.

(7) Configure Admin context with an IP interface VLAN configuration so that you have IP connectivity to the module.

(8) Make sure you upgrade the newly received replacement  ACE to exactly the same release of code as that of “currently ACTIVE  ACE” .

(9) Configure Admin context with rest of the configuration as per backed up config ( for this ACE) EXCEPT FT configuration.

Note: If you don’t have a config for this module  “backed” up. You would need to review Admin context configuration from  “ACTIVE ACE” and configure it accordingly. Please make sure you use  “peer IP address” information from currently ACTIVE ACE to configure  this ACE module.

(10) If you have “ssl-proxy” service configured in any user context, please make sure you IMPORT all your “Certs & Keys” to this new ACE module before configuring your FT configuration. You can import them with option terminal (e.g. crypto import terminal); otherwise you would have to configure each context with an IP interface to be able to import certs/keys via tftp or ftp or sftp.

The ACE does not synchronize the SSL certificates and key pairs that  are present in the active context with the standby context of an FT  group. If the ACE performs configuration synchronization and does not  find the necessary certificates and keys in the standby context, config  sync fails and the standby context enters the STANDBY_COLD state. In  order to correct this problem, verify if all certs and keys are  installed on both ACE modules.


(11) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.

Configure all FT groups BUT DO NOT configure them “inservice”.

Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.

Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).

(12) Please make sure “preemption” is NOT enabled for the FT group.  If enabled please do remove it and re-add after the module is  successfully replaced.

Example:

    ft group 1
      peer 1
      no preempt  <=====================
      peer priority 150
      associate-context test

(13)  Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.

Example:

    ft group 1
      peer 1
      no preempt
      peer priority 150
      associate-context test
      inservice <===============================

(14)   At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.

show ft group detail

show ft peer detail

These “show commands” should help you with verifying the state of FT configuration.
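Added example, not part of the original post and not Cisco code: an offline pre-flight check for steps (10) to (13), run against a backed-up context configuration before any FT group is marked inservice on the new module. The sample config, the service, key and cert names, and the function names are constructed for illustration; treating a group without "no preempt" as preempt-enabled is an assumption about the default.

```python
import re

# Constructed sample of a backed-up ACE context configuration (not from the thread).
SAMPLE_CONFIG = """\
ssl-proxy service WEB_SSL
  key WEBKEY.PEM
  cert WEBCERT.PEM
ft group 1
  peer 1
  no preempt
  peer priority 150
  associate-context test
ft group 2
  peer 1
  peer priority 150
  associate-context web
  inservice
"""

def parse_blocks(config, header_re):
    """Return {name: [sub-command lines]} for top-level blocks matching header_re."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new block
            m = re.match(header_re, line)
            current = blocks.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return blocks

def preflight(config, imported_files):
    """List what must be fixed before FT groups go inservice on the new module."""
    findings = []
    for svc, cmds in parse_blocks(config, r"ssl-proxy service (\S+)").items():
        for cmd in cmds:
            m = re.match(r"(key|cert) (\S+)", cmd)
            if m and m.group(2) not in imported_files:  # step (10): import first
                findings.append(f"{svc}: {m.group(1)} {m.group(2)} not imported")
    for grp, cmds in parse_blocks(config, r"ft group (\d+)").items():
        if "no preempt" not in cmds:  # step (12); assumes preempt is on unless negated
            findings.append(f"ft group {grp}: preempt enabled")
        if "inservice" in cmds:       # step (11): leave groups out of service for now
            findings.append(f"ft group {grp}: already inservice")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG, {"WEBKEY.PEM"}):
        print(finding)
```

An empty result means every key and cert referenced by an ssl-proxy service is in the imported set and no FT group would preempt or come up in service early, which is the condition the post gives for avoiding STANDBY_COLD.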

Hi Ajay,

Thanks for the reply this is what I was expecting. Is this the same procedure for the Active-Active configuration?

Regards

Fari

Hi,

You just have to issue

"ft switchover all" on the standby ACE before making the replacement.

This will ensure that all the contexts are active on a single ACE. Then you can start the procedure as stated above.

Hope that helps.

regards,

Ajay Kumar

Thanks a ton Ajay for your valuable input on this.

You ROCK!!!!!!

Regards

Fari.

Hi Fari,

Glad to know that I was able to assist you.

with regards,

Ajay Kumar

Hey Ajay, instead of upgrading code and moving certs, can't you simply move the old compact flash into the new ACE and boot up?

Hello Bryan,

That may work but it is highly NOT recommended by CISCO TAC.

---------------------------

Jorge

thank you!

Sure
