ACE replacement. Please help.

Answered Question
Jun 22nd, 2012

Hi Experts,

Please help me with the following information as I have to perform this tomorrow:

a) I was looking for a detailed procedure to replace the ACE in an active-active environment/cluster configuration.

b) What parameters do I need to take from the ACE module before replacing it with the new one?

c) I have the config backup. Can I load the same on the new module?

Any suggestion would be appreciated.

Regards

Fari

Correct Answer
ajayku2 Fri, 06/22/2012 - 09:08
Steps to replace ACE hardware in a redundancy setup

(1) Issue "wr mem" on the currently ACTIVE ACE and back up the configuration.

    Create a configuration "checkpoint" on the currently ACTIVE ACE for EACH context.

(2) Back up (copy) the config from each user context, including the Admin context, from your currently in-production ACE to an FTP server.

(3) Export your current certs & keys to a tftp/ftp/sftp server from the ACTIVE ACE and then import them on the new ACE later.

(4) Power down the ACE module to be replaced from the switch CLI in config mode (no power enable module) and replace it with the replacement module.

(5) Power up the new replacement module from the switch CLI (power enable module).

(6) Once the new module is online, session into it from the switch.

(7) Configure the Admin context with an IP interface VLAN configuration so that you have IP connectivity to the module.

(8) Make sure you upgrade the newly received replacement ACE to exactly the same release of code as that of the currently ACTIVE ACE.

(9) Configure the Admin context with the rest of the configuration as per the backed-up config (for this ACE) EXCEPT the FT configuration.

Note: If you don't have a config backed up for this module, you would need to review the Admin context configuration from the ACTIVE ACE and configure it accordingly. Please make sure you use the "peer IP address" information from the currently ACTIVE ACE to configure this ACE module.

(10) If you have the "ssl-proxy" service configured in any user context, please make sure you IMPORT all your certs & keys to this new ACE module before configuring your FT configuration. You can import them with the terminal option (e.g. crypto import terminal); otherwise you would have to configure each context with an IP interface to be able to import certs/keys via tftp, ftp or sftp.

The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state. In order to correct this problem, verify that all certs and keys are installed on both ACE modules.

(11) Configure an FT VLAN interface and FT PEER on the new replacement ACE.

Configure all FT groups BUT DO NOT configure them "inservice".

Make sure you have IP connectivity OVER the FT VLAN to the currently ACTIVE ACE.

Make sure there is a TCP connection set up OVER the FT VLAN (show conn should provide you that information).

(12) Please make sure "preemption" is NOT enabled for the FT group. If enabled, please remove it and re-add it after the module is successfully replaced.

Example:

    ft group 1
      peer 1
      no preempt  <=====================
      peer priority 150
      associate-context test

(13) Once you have IP connectivity over the FT VLAN to the primary ACE, mark the FT GROUP "inservice".

Example:

    ft group 1
      peer 1
      no preempt
      peer priority 150
      associate-context test
      inservice <===============================

(14) At this time I expect the "auto-sync" to sync configs between the currently ACTIVE ACE and the new standby ACE.

show ft group detail

show ft peer detail

These show commands should help you with verifying the state of the FT configuration.
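Added example, not part of Ajay's post: a small Python check that reads saved "show ft group detail" output and flags the three conditions the procedure tells you to verify (a peer stuck in STANDBY_COLD from missing certs/keys, preempt still enabled, and config sync not completed). The sample output is constructed and its field labels are assumed to approximate the ACE format, so adjust the labels to what your module actually prints.

```python
import re

# Constructed sample in the style of the ACE "show ft group detail" output
# (field labels are assumed, not copied from a real device).
SAMPLE_FT_DETAIL = """\
FT Group                     : 1
Context Name                 : test
My State                     : FSM_FT_STATE_ACTIVE
My Preempt                   : Disabled
Peer State                   : FSM_FT_STATE_STANDBY_COLD
Peer Preempt                 : Disabled
Running cfg sync status      : Running configuration sync has failed
FT Group                     : 2
Context Name                 : web
My State                     : FSM_FT_STATE_ACTIVE
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Preempt                 : Enabled
Running cfg sync status      : Running configuration sync has completed
"""

def parse_ft_groups(text):
    # One dict per FT group; each "FT Group" label starts the next group.
    groups, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "FT Group":
            current = {}
            groups.append(current)
        if current is not None:
            current[key] = value
    return groups

def check_ft_group(g):
    # Findings mirror steps 10, 12 and 14 of the replacement procedure.
    findings = []
    if "STANDBY_COLD" in g.get("Peer State", ""):
        findings.append("peer STANDBY_COLD: config sync failed, check certs and keys")
    if "Enabled" in (g.get("My Preempt", ""), g.get("Peer Preempt", "")):
        findings.append("preempt enabled: remove it until the replacement is done")
    if "completed" not in g.get("Running cfg sync status", ""):
        findings.append("running-config sync not completed")
    return findings

def audit(text):
    # Map FT group id -> list of findings (an empty list means the group looks healthy).
    return {g["FT Group"]: check_ft_group(g) for g in parse_ft_groups(text)}
```

Run `audit(open("ft-detail.txt").read())` against output you captured from the new standby module after step 13; any group with findings is not ready for preempt to be re-enabled.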

fazainusa Fri, 06/22/2012 - 09:10

Hi Ajay,

Thanks for the reply this is what I was expecting. Is this the same procedure for the Active-Active configuration?

Regards

Fari

Correct Answer
ajayku2 Fri, 06/22/2012 - 10:31

Hi,

You just have to issue

"ft switchover all" on the standby ACE before making the replacement.

This will ensure that all the contexts are active on a single ACE. Then you can start the procedure as stated above.

Hope that helps.

regards,

Ajay Kumar

fazainusa Mon, 06/25/2012 - 00:35

Thanks a ton Ajay for your valuable input on this.

You ROCK!!!!!!

Regards

Fari.

ajayku2 Mon, 06/25/2012 - 00:46

Hi Fari,

Glad to know that I was able to assist you.

with regards,

Ajay Kumar

Thompso7540_2 Mon, 06/25/2012 - 12:22

Hey Ajay, instead of upgrading code and moving certs, can't you simply move the old compact flash into the new ACE and boot up?

jobejara Mon, 06/25/2012 - 15:19

Hello Bryan,

That may work but it is highly NOT recommended by CISCO TAC.

---------------------------

Jorge

Posted June 22, 2012 at 8:49 AM