Cisco Support Community

New Member

Replacing Production ASA5520 firewalls with ASA5545x firewalls and minimizing downtime

Hi,

We intend to replace our existing ASA5520 firewalls (including IPS modules) with new ASA5545x firewalls including IPS licenses. As these are production firewalls, I was wondering about the best strategy to replace the firewalls while minimising downtime. The firewalls are running as an Active/Standby pair and we have site-to-site IPSEC VPN connectivity with a number of sites and also provide AnyConnect mobile VPN connectivity and traditional IPSEC VPN client connectivity to our users.


The ASA5520s are running 8.4(7)15 with AnyConnect Essentials and AnyConnect for Mobile licenses.

The ASA5545x will be running 8.6.1(13) and I have obtained temporary AnyConnect Essentials and AnyConnect for Mobile licenses for them

I have also obtained temporary IPS licenses for the IPS software.


My thinking is:


Pre-Migration

  • Use "more system:running-config" to obtain the running config from the existing ASA5520s (including pre-shared keys etc.) and copy this config into the ASA5545x devices, keeping IP addresses etc. the same (there should be minimal differences between the versions and platforms, so most of the config should go in fine?)
  • Do likewise for the IPS - i.e. copy the config from the existing IPS module to the IPS on the new ASA5545x
  • Once all config is applied and written, etc., rack up the new firewalls just below the existing ones - power on but do not attach cables


Migration

  • Power off the standby ASA5520 firewall completely (so, at this stage, running off just one active firewall)
  • Power off the active ASA5520 completely

AT THIS STAGE, THERE WILL BE DOWNTIME AS NO FIREWALLS ARE ACTIVE

  • Quickly move the cables from the ASA5520 to the new ASA5545x, which is already powered on and "active"
  • Confirm all VPN connectivity resumes over the new ASA5545x firewall (I'm assuming the external site-to-site VPN connections will simply re-establish once the new firewall is in place, and remote VPN users should likewise be able to re-establish connectivity once the new firewall is up, though they may have to re-authenticate?)
  • Swap the cables from the standby ASA5520 to the standby ASA5545x and power on the standby ASA5545x - it should "see" the other ASA5545x as active already, so enter standby mode and sync config


Post Migration

  • Check all connectivity


Has anyone been through similar and can they tell me if there are any flaws or "gotchas" in this strategy? I'm assuming the downtime will be pretty much limited to how long it takes me to swap the cables between the old and new firewalls, as the VPN connectivity should just re-establish when the end devices see the firewall active again at its original IP address (albeit the MAC address will have changed), or is there anything I need to worry about there?


Any advice or suggestions - particularly from any of you who have carried out similar - would be very much appreciated!


Thanks.

1 ACCEPTED SOLUTION

VIP Green

Do you have any spare ports

Do you have any spare ports on the switches that these ASAs connect to? Something to consider doing is to cable everything ready and have the ports on the ASA in shutdown. Then issue shut on the existing ASA ports and no shut on the new ASA ports (you can have a script of this and for the rollback if needed). This will save you a little more on the downtime when doing the actual migration.

Also keep in mind that though most newer network equipment will update their ARP tables automatically, I have seen some that need their ARP table cleared in order for connectivity to come up. So if connectivity doesn't come up right away, you may want to try clearing the ARP table on the switches/routers before doing a rollback.

--

Please remember to select a correct answer and rate helpful posts

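The scripted shut/no-shut cutover and the ARP check from the accepted answer, as an added Python example that is not part of the thread. It assumes the new ASAs are already cabled to spare switch ports held in shutdown (the switch name, port names, MAC addresses and the "show ip arp" sample are all constructed); it generates the IOS cutover and rollback command blocks, then parses "show ip arp" output to find neighbours whose ARP entry still points at the retired ASA's MAC and emits a targeted "clear ip arp" for each.

```python
"""Switch-side cutover helper for the ASA swap described in the accepted
answer.  Added example, not from the thread.  Assumes the new ASAs are already
cabled to spare switch ports held in 'shutdown'.  Generates the cutover and
rollback command blocks and inspects 'show ip arp' output for entries still
bound to the retired ASA's MAC addresses.  Port names, MACs and the ARP sample
are all constructed."""

import re

# Constructed port map: (switch, port facing the old ASA, port facing the new ASA).
PORT_MAP = [
    ("core-sw1", "GigabitEthernet1/0/1", "GigabitEthernet1/0/21"),  # outside
    ("core-sw1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/22"),  # inside
    ("core-sw1", "GigabitEthernet1/0/3", "GigabitEthernet1/0/23"),  # dmz
]

# Constructed interface MACs of the ASA being retired.
OLD_ASA_MACS = {"0011.2233.4455", "0011.2233.4456"}

# Constructed post-cutover 'show ip arp' sample: 192.0.2.1 was refreshed to the
# new ASA's MAC, 198.51.100.1 still points at the old one.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               0   00aa.bbcc.dd01  ARPA   Vlan10
Internet  198.51.100.1            3   0011.2233.4456  ARPA   Vlan20
Internet  192.0.2.50             12   5254.0012.3456  ARPA   Vlan10
"""


def cutover_commands(port_map, rollback=False):
    """IOS config lines per switch: shut the old-ASA ports, then no-shut the
    new ones (reversed when rollback=True).  The port going down is always
    listed before the one coming up so the ASA's IP is never reachable on two
    ports at the same time."""
    out = {}
    for switch, old_port, new_port in port_map:
        down, up = (new_port, old_port) if rollback else (old_port, new_port)
        lines = out.setdefault(switch, ["configure terminal"])
        lines += [f"interface {down}", " shutdown", f"interface {up}", " no shutdown"]
    for lines in out.values():
        lines += ["end", "write memory"]
    return out


ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)", re.I)


def parse_show_ip_arp(text):
    """Parse IOS 'show ip arp' output into {ip: (mac, interface)}."""
    entries = {}
    for line in text.splitlines():
        if m := ARP_LINE.match(line.strip()):
            entries[m["ip"]] = (m["mac"].lower(), m["intf"])
    return entries


def stale_arp_entries(arp_text, old_macs):
    """[(ip, mac)] for entries still bound to a retired MAC: the case the
    accepted answer describes, where a neighbour never refreshed its table."""
    old = {m.lower() for m in old_macs}
    return [(ip, mac) for ip, (mac, _) in parse_show_ip_arp(arp_text).items() if mac in old]


def clear_arp_commands(stale):
    """Exec-mode commands that flush only the stale entries, not the whole table."""
    return [f"clear ip arp {ip}" for ip, _ in stale]


if __name__ == "__main__":
    for label, plan in (("cutover", cutover_commands(PORT_MAP)),
                        ("rollback", cutover_commands(PORT_MAP, rollback=True))):
        for switch, lines in plan.items():
            print(f"! {label} on {switch}")
            print("\n".join(lines))
    stale = stale_arp_entries(SAMPLE_SHOW_IP_ARP, OLD_ASA_MACS)
    print("stale ARP entries:", stale)
    print("\n".join(clear_arp_commands(stale)))
```

Paste the cutover block into the switch during the window and keep the rollback block open in a second session; if a peer does not come back, run the stale-entry check against that device's ARP output before falling back, as the answer suggests, rather than clearing the whole table.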
6 REPLIES
New Member


Hi Marius,

that's a good idea on cabling up ports and leaving them admin shut - probably is the best way to do it.  However, we have only a few spare ports and, unfortunately, we also have a bit of a spaghetti mess going on at our switches so I'm trying to avoid the need to run new cables and/or to have to interfere too much with existing cabling, hence I thought it easiest to just swap cables between old and new firewalls! (Not a good situation I know!)

I will bear that in mind about the ARP tables, thanks, but hoping we should be ok on that front with most of our kit.

VIP Green

As for config differences

As for config differences there shouldn't be any issues copying the config straight over.  Marvin makes a good point on the matter of licenses and certificates.  Hopefully you have a 3rd party CA or have created exportable local certificates for anyconnect.  If not it isn't really a big issue, just might be a pain getting all your users to import the new certificate.

Thank you for the rating.

@Marvin thanks for the endorsement

--

Please remember to rate and select a correct answer
New Member


No problem, thanks for the advice and assistance!

Hall of Fame Super Silver


In addition to Marius' good advice, I would add to consider the remote access VPN. You need to ensure you have the same AnyConnect images on your new units as well as any profiles (xml files).

Also, what is your certificate type? If it's third party you will need to host that on the new ASA. If it's self-signed you will need to generate one and the clients will have to install and/or accept it.
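A pre-flight check over the exported config, covering the original post's point about using "more system:running-config" so that pre-shared keys are captured rather than masked, and Marvin's points above about the AnyConnect images, profiles and the certificate trustpoint. This is an added Python example, not from the thread; the config excerpt, peer addresses, keys, file names and trustpoint name are all constructed.

```python
"""Pre-flight check of an exported ASA config before loading it on the new unit.
Added example, not from the thread.  Flags pre-shared keys exported masked
(plain 'show running-config' prints *****; 'more system:running-config' does
not), tunnel-groups with no key, trustpoints without a certificate chain, and
the AnyConnect image/profile files the new box must carry.  All names,
addresses and keys in SAMPLE_CONFIG are constructed."""

import re

# Constructed 8.4-style excerpt: peer .10 has a usable key, .20 a masked one,
# .30 none at all.
SAMPLE_CONFIG = """\
crypto ca trustpoint PUBLIC-CA
 enrollment terminal
 keypair vpn-key
crypto ca certificate chain PUBLIC-CA
 certificate ca 01
  308201a3a0030201020201
  quit
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
 anyconnect profiles corp-profile disk0:/corp-profile.xml
 anyconnect enable
ssl trust-point PUBLIC-CA outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key Sit3Key!2014
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"^\s+(?:ikev1 )?pre-shared-key (\S+)$")
IMAGE_RE = re.compile(r"^\s+anyconnect image (\S+)")
PROFILE_RE = re.compile(r"^\s+anyconnect profiles \S+ (\S+)")
TP_RE = re.compile(r"^crypto ca trustpoint (\S+)$")
CHAIN_RE = re.compile(r"^crypto ca certificate chain (\S+)$")
SSLTP_RE = re.compile(r"^ssl trust-point (\S+)")


def check_config(text):
    """Single pass over the config; returns a findings dict keyed by category."""
    f = {"masked_psk": [], "missing_psk": [], "ok_psk": [],
         "anyconnect_files": [], "trustpoints": {}, "ssl_trustpoints": []}
    tg, saw_psk = None, False           # tunnel-group whose sub-mode we are in

    def finish(group, had_key):
        if group and not had_key:
            f["missing_psk"].append(group)

    for line in text.splitlines():
        if not line.startswith(" "):    # a top-level command ends any sub-mode
            finish(tg, saw_psk)
            tg, saw_psk = None, False
            if m := TG_RE.match(line):
                tg = m[1]
            elif m := TP_RE.match(line):
                f["trustpoints"].setdefault(m[1], {"chain": False})
            elif m := CHAIN_RE.match(line):
                f["trustpoints"].setdefault(m[1], {"chain": False})["chain"] = True
            elif m := SSLTP_RE.match(line):
                f["ssl_trustpoints"].append(m[1])
            continue
        if tg and (m := PSK_RE.match(line)):
            saw_psk = True
            # A key made only of '*' is the masked display form, not a secret.
            (f["masked_psk"] if set(m[1]) == {"*"} else f["ok_psk"]).append(tg)
        elif m := IMAGE_RE.match(line):
            f["anyconnect_files"].append(m[1])
        elif m := PROFILE_RE.match(line):
            f["anyconnect_files"].append(m[1])
    finish(tg, saw_psk)
    return f


def report(f):
    """Gotcha list to clear before cutover; an empty list means nothing found."""
    out = [f"PSK for peer {g} is masked (*****): re-export with "
           "'more system:running-config' or re-enter the key" for g in f["masked_psk"]]
    out += [f"tunnel-group {g} has no pre-shared key: IKE will fail" for g in f["missing_psk"]]
    out += [f"trustpoint {tp} has no certificate chain: import the certificate"
            for tp, info in f["trustpoints"].items() if not info["chain"]]
    out += [f"ssl trust-point {tp} names a trustpoint the config does not define"
            for tp in f["ssl_trustpoints"] if tp not in f["trustpoints"]]
    out += [f"copy {p} to the new unit before cutover" for p in f["anyconnect_files"]]
    return out


if __name__ == "__main__":
    for line in report(check_config(SAMPLE_CONFIG)):
        print(line)
```

Run it against the text you captured from the old unit before pasting it into the new one: a masked key only shows up as a failed site-to-site tunnel after the cables are swapped, which is the worst time to find out.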

New Member


Hi Marvin,

yes, imported the AnyConnect images and profiles already so think I'm good to go there and we have a 3rd party CA and I have imported the certificate into the new ASA so hopefully it's also good to go!  But definitely worth checking that off the list so thanks for that!
