Please help me with the following information as I have to perform this tomorrow:
a) I was looking for a detailed procedure to replace the ACE in an active-active environment/Cluster Configuration?
b) What parameters do I need to take from the ACE module before replacing it with the new one?
c) I have the config backup can I load the same on the new module?
Any suggestion would be appreciated.
You just have to issue "ft switchover all" on the standby ACE before making the replacement.
This will ensure that all the contexts are active on a single ACE. Then you can start the procedure as stated above.
Hope that helps.
(1) Issue “wr mem” on “currently ACTIVE ACE” and backup the configuration.
Create a configuration “checkpoint” on “currently ACTIVE ACE” for EACH context.
(2) Backup (copy) config from each user context, including Admin context, from your currently in production ACE to a FTP server.
(3) Export your current “certs & keys” to a tftp/ ftp/ sftp server from the ACTIVE ACE & then import them on “the new ACE” later.
(4) Power down the ACE module, to be replaced, from the switch CLI in config mode (no power enable module ) and replace it with the replacement module.
(5) Power up the new replacement module from switch CLI (power enable module ).
(6) Once the new module is on line, session into it from the switch.
(7) Configure Admin context with an IP interface VLAN configuration so that you have IP connectivity to the module.
(8) Make sure you upgrade the newly received replacement ACE to exactly the same release of code as that of “currently ACTIVE ACE”.
(9) Configure Admin context with rest of the configuration as per backed up config ( for this ACE) EXCEPT FT configuration.
Note: If you don’t have a config for this module backed up, you would need to review Admin context configuration from “ACTIVE ACE” and configure it accordingly. Please make sure you use “peer IP address” information from currently ACTIVE ACE to configure this ACE module.
(10) If you have “ssl-proxy” service configured in any user context, please make sure you IMPORT all your “Certs & Keys” to this new ACE module before configuring your FT configuration. You can import them with option terminal (e.g. crypto import terminal), otherwise you would have to configure each context with an IP interface to be able to import certs/keys via tftp or ftp or sftp.
The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state. In order to correct this problem, verify if all certs and keys are installed on both ACE modules.
(11) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.
Configure all FT groups BUT DO NOT configure them “inservice”.
Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.
Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).
(12) Please make sure “preemption” is NOT enabled for the FT group. If enabled please do remove it and re-add after the module is successfully replaced.
ft group 1
no preempt <=====================
peer priority 150
(13) Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.
ft group 1
peer priority 150
(14) At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
show ft group detail
show ft peer detail
These “show commands” should help you with verifying the state of FT configuration.
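As an added example (not part of the original thread and not Cisco's code), the script below automates the two checks the procedure leans on before the FT group is marked inservice: that every cert and key listed by "show crypto files" on the currently ACTIVE ACE was also imported on the new module (step 10, the cause of the STANDBY_COLD sync failure), and that "show ft group detail" on the new module shows preemption disabled (step 12) and no STANDBY_COLD state. The CLI output layouts embedded here are constructed samples that assume the column and "Field : value" formats shown; compare them against your own module's output before trusting the parser on it.

```python
"""Pre-flight parity check for an ACE module replacement (added example).

Parses pasted output of two ACE show commands:
  * 'show crypto files' from the ACTIVE ACE and from the new replacement ACE
  * 'show ft group detail' from the new replacement ACE
and reports anything that would stop config sync or cause an unwanted switchover.
The sample output below is constructed for this example; the layout is an assumption.
"""
import re

# Constructed sample: 'show crypto files' on the currently ACTIVE ACE.
ACTIVE_CRYPTO_FILES = """\
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
app1-cert.pem                            1082  PEM     Yes          CERT
app1-key.pem                             1679  PEM     Yes          KEY
app2-cert.pem                            1094  PEM     Yes          CERT
app2-key.pem                             1675  PEM     No           KEY
"""

# Constructed sample: the same command on the new ACE, where app2's key was never imported.
NEW_CRYPTO_FILES = """\
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
app1-cert.pem                            1082  PEM     Yes          CERT
app1-key.pem                             1679  PEM     Yes          KEY
app2-cert.pem                            1094  PEM     Yes          CERT
"""

# Constructed sample: 'show ft group detail' on the new ACE after the group went inservice.
FT_GROUP_DETAIL = """\
FT Group                     : 1
No. of Contexts              : 1
Context Name                 : Admin
Configured Status            : in-service
My State                     : FSM_FT_STATE_STANDBY_COLD
My Config Priority           : 50
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_ACTIVE
Peer Config Priority         : 150
Peer Preempt                 : Disabled
"""

# One data row: name, size, type, exportable flag, CERT/KEY. Header and rule lines do not match.
FILE_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(Yes|No)\s+(CERT|KEY)\s*$")


def parse_crypto_files(text):
    """Return {filename: 'CERT' | 'KEY'} for every data row in 'show crypto files'."""
    files = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            files[m.group(1)] = m.group(5)
    return files


def missing_crypto_files(active_text, new_text):
    """(name, kind) pairs present on the ACTIVE ACE but absent on the new module."""
    active = parse_crypto_files(active_text)
    new = parse_crypto_files(new_text)
    return sorted((name, kind) for name, kind in active.items() if name not in new)


def parse_ft_group_detail(text):
    """Return {field: value} from the 'Field : value' lines of 'show ft group detail'."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def ft_group_problems(text):
    """Problems in one FT group's detail output: preempt still on, or a STANDBY_COLD side."""
    f = parse_ft_group_detail(text)
    problems = []
    if f.get("My Preempt", "").lower() == "enabled":
        problems.append("preempt is enabled on this group; use 'no preempt' until the replacement is complete")
    for side in ("My State", "Peer State"):
        if "STANDBY_COLD" in f.get(side, ""):
            problems.append(f"{side} is STANDBY_COLD: config sync failed, verify certs/keys on both modules")
    return problems


def preflight(active_crypto, new_crypto, ft_detail):
    """Combine both checks; an empty list means nothing found that blocks marking the group inservice."""
    issues = [f"missing on new ACE: {name} ({kind})"
              for name, kind in missing_crypto_files(active_crypto, new_crypto)]
    issues.extend(ft_group_problems(ft_detail))
    return issues


if __name__ == "__main__":
    for issue in preflight(ACTIVE_CRYPTO_FILES, NEW_CRYPTO_FILES, FT_GROUP_DETAIL):
        print("WARN:", issue)
```

Run it once with the crypto listing from the ACTIVE ACE and the new module before step 13, and again with the group detail after step 14; an empty result is the state you want before trusting auto-sync.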