Replacing Production ASA5520 firewalls with ASA5545x firewalls and minimizing downtime

mitchen (Level 2)

Hi,

We intend to replace our existing ASA5520 firewalls (including IPS modules) with new ASA5545x firewalls including IPS licenses.  As these are production firewalls, I was wondering about the best strategy to replace the firewalls while minimising downtime.   The firewalls are running as an Active/Standby pair and we have site-to-site IPSEC VPN connectivity with a number of sites and also provide AnyConnect mobile VPN connectivity and traditional IPSEC VPN client connectivity to our users.


The ASA5520s are running 8.4(7)15 with AnyConnect Essentials and AnyConnect for Mobile licenses.

The ASA5545x will be running 8.6.1(13) and I have obtained temporary AnyConnect Essentials and AnyConnect for Mobile licenses for them.

I have also obtained temporary IPS licenses for the IPS software.


My thinking is:


Pre-Migration

  • Use "more system:running-config" to obtain the running config from the existing ASA5520s (including pre-shared keys etc.) and copy this config into the ASA5545x devices, keeping IP addresses etc. the same (there should be minimal differences between the versions and platforms, so most of the config should go in fine?)
  • Do likewise for the IPS - i.e. copy the config from the existing IPS module to the IPS on the new ASA5545x
  • Once all config is applied and written, etc., rack up the new firewalls just below the existing ones - power on but do not attach cables


Migration

  • Power off the standby ASA5520 firewall completely (so, at this stage, running off just one active firewall)
  • Power off the active ASA5520 completely

AT THIS STAGE, THERE WILL BE DOWNTIME AS NO FIREWALLS ACTIVE

  • Quickly move the cables from the ASA5520 into the new ASA5545x, which is already powered on and "active"
  • Confirm all VPN connectivity resumes over the new ASA5545x firewall (I'm assuming the external site-to-site VPN connections will simply re-establish once the new firewall is in place? And remote VPN users should likewise be able to re-establish connectivity once the new firewall is up (though they may have to re-authenticate?))
  • Swap the cables from the standby ASA5520 to the standby ASA5545x and power on the standby ASA5545x - it should "see" the other ASA5545x as active already, so enter standby mode and sync config


Post Migration

  • Check all connectivity


Has anyone been through something similar, and can they tell me if there are any flaws or "gotchas" in this strategy?  I'm assuming the downtime will be pretty much limited to how long it takes me to swap the cables between the old and new firewalls, as the VPN connectivity should just re-establish when the end devices see the firewall active again at its original IP address (albeit the MAC address will have changed) - or is there anything I need to worry about there?


Any advice or suggestions - particularly from any of you who have carried out similar - would be very much appreciated!


Thanks.

Accepted Solution

Do you have any spare ports on the switches that these ASAs connect to?  Something to consider doing is to cable everything ready and have the ports on the ASA in shutdown.  Then issue shut on the existing ASA ports and no shut on the new ASA ports (you can have a script for this and for the rollback if needed).  This will save you a little more on the downtime when doing the actual migration.

Also keep in mind that though most newer network equipment will update their ARP tables automatically, I have seen some that need their ARP table cleared in order for connectivity to come up. So if connectivity doesn't come up right away, you may want to try clearing the ARP table on the switches/routers before doing a rollback.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

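As an added illustration of the scripted cutover and rollback suggested above (this is not code from the thread or from Cisco; the switchport names are constructed placeholders), the snippet below derives both command batches from one old-port to new-port mapping, so the rollback is guaranteed to be the exact inverse of the cutover and the old ports are always shut before the new ones come up, avoiding a moment where both firewalls answer for the same IP:

```python
# Added example: build Cisco IOS-style "shut old / no shut new" batches for a
# firewall port cutover, plus the matching rollback. Port names are placeholders.

def _batch(disable, enable):
    """Return config-mode lines that shut `disable` ports, then enable `enable` ports.
    Old ports are shut first so the old and new firewall are never up at once."""
    lines = ["configure terminal"]
    for port in disable:
        lines += [f"interface {port}", " shutdown"]
    for port in enable:
        lines += [f"interface {port}", " no shutdown"]
    lines.append("end")
    return lines


def build_batches(port_map):
    """port_map maps each switchport feeding the old ASA to the pre-cabled
    switchport feeding the new ASA. Returns (cutover_lines, rollback_lines)."""
    old_ports = list(port_map)
    new_ports = list(port_map.values())
    # Guard against a typo that would shut the wrong port or leave a port in both roles.
    if len(set(old_ports)) != len(old_ports) or len(set(new_ports)) != len(new_ports):
        raise ValueError("duplicate switchport in mapping")
    if set(old_ports) & set(new_ports):
        raise ValueError("a switchport cannot be both old and new")
    cutover = _batch(disable=old_ports, enable=new_ports)
    rollback = _batch(disable=new_ports, enable=old_ports)  # exact inverse
    return cutover, rollback


def arp_clear_commands(neighbor_ips):
    """IOS 'clear ip arp <ip>' lines for the ASA interface IPs that keep their
    address but change MAC, for neighbours that do not refresh ARP on their own."""
    return [f"clear ip arp {ip}" for ip in neighbor_ips]


if __name__ == "__main__":
    # Constructed mapping: outside/inside links of the active ASA.
    cut, back = build_batches({"Gi1/0/1": "Gi1/0/11", "Gi1/0/2": "Gi1/0/12"})
    print("\n".join(cut), "\n--- rollback ---\n", "\n".join(back), sep="\n")
    print("\n".join(arp_clear_commands(["192.0.2.1", "198.51.100.1"])))
```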

Hi Marius,

that's a good idea on cabling up the ports and leaving them admin shut - it is probably the best way to do it.  However, we have only a few spare ports and, unfortunately, we also have a bit of a spaghetti mess going on at our switches, so I'm trying to avoid the need to run new cables and/or to have to interfere too much with existing cabling, hence I thought it easiest to just swap cables between the old and new firewalls! (Not a good situation, I know!)

I will bear that in mind about the ARP tables, thanks, but hoping we should be ok on that front with most of our kit.

As for config differences, there shouldn't be any issues copying the config straight over.  Marvin makes a good point on the matter of licenses and certificates.  Hopefully you have a 3rd party CA or have created exportable local certificates for AnyConnect.  If not, it isn't really a big issue, it just might be a pain getting all your users to import the new certificate.

Thank you for the rating.

@Marvin thanks for the endorsement

--
Please remember to select a correct answer and rate helpful posts

No problem, thanks for the advice and assistance!

Marvin Rhoads (Hall of Fame)

In addition to Marius' good advice, I would add to consider the remote access VPN. You need to ensure you have the same AnyConnect images on your new units as well as any profiles (xml files).

Also, what is your certificate type? If it's third party you will need to host that on the new ASA. If it's self-signed you will need to generate one and the clients will have to install and/or accept it.

Hi Marvin,

yes, I imported the AnyConnect images and profiles already, so I think I'm good to go there, and we have a 3rd party CA and I have imported the certificate into the new ASA, so hopefully it's also good to go!  But it's definitely worth checking that off the list, so thanks for that!
