https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3342738#M968043 <P>Current Setup: ASA 5515 - Active/Standby pair</P> <P>&nbsp;</P> <P>Situation: Need to make currently running ASA 5515 FIPS complaint - cisco support said at least one port needs to be single port&nbsp;by itself before "fips enable" is implemented and not in port-channel.&nbsp;</P> <P>&nbsp;</P> <P>We are thinking to break port channel interface that has outside and management sub-interfaces to it and assign these two sub-interfaces to single gig&nbsp; interface.&nbsp;</P> <P>&nbsp;</P> <P>Question: would we lose any config related to outside and management interface?&nbsp;</P> <P>Question: what is the best way to approach this re-config of the ASA? Example: break port channel or remove the single interface from port channel and configure that?&nbsp;</P> <P>Question: do you have any experience with FIPS upgrade on currently working devices?&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:28:31 GMT aamsq11 2020-02-21T15:28:31Z https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3342738#M968043 <P>Current Setup: ASA 5515 - Active/Standby pair</P> <P>&nbsp;</P> <P>Situation: Need to make currently running ASA 5515 FIPS complaint - cisco support said at least one port needs to be single port&nbsp;by itself before "fips enable" is implemented and not in port-channel.&nbsp;</P> <P>&nbsp;</P> <P>We are thinking to break port channel interface that has outside and management sub-interfaces to it and assign these two sub-interfaces to single gig&nbsp; interface.&nbsp;</P> <P>&nbsp;</P> <P>Question: would we lose any config related to outside and management interface?&nbsp;</P> <P>Question: what is the best way to approach this re-config of the ASA? Example: break port channel or remove the single interface from port channel and configure that?&nbsp;</P> <P>Question: do you have any experience with FIPS upgrade on currently working devices?&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:28:31 GMT https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3342738#M968043 aamsq11 2020-02-21T15:28:31Z https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343087#M968044 <P>Anytime you need to reassign an interface you have to use "no nameif ___". that command will remove any associated ACLs and NAT commands that reference that nameif. As long as you know that in advance and take it into account you should be fine.</P> <P>&nbsp;</P> <P>I've not done a FIPS conversion but I know there are several other requirements for compliance - the hardware anti-tamper kit as well as some operational procedures - that are required for full compliance.</P> Tue, 06 Mar 2018 11:04:22 GMT https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343087#M968044 Marvin Rhoads 2018-03-06T11:04:22Z https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343347#M968088 <P>Thanks for the response Marvin. Since running the command "no nameif" will remove configuration then:</P> <P><SPAN>can we have a port-channel with only single interface being part of it? or will the port-channel break once we remove one interface out of the two it currently has?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Also, will the "no nameif" command remove any configs related to the interface like (VPN tunnels, digital certs, etc...) or just ACL and NATs?</SPAN></P> Tue, 06 Mar 2018 16:10:15 GMT https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343347#M968088 aamsq11 2018-03-06T16:10:15Z https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343369#M968091 <P>You can have a portchannel with a single member.</P> <P>&nbsp;</P> <P>When you "no nameif" an interface, the lines anywhere the nameif appears in the rest of the configuration will be removed. I mentioned the most common ones but the ones you mentioned and a few others would also be affected.</P> Tue, 06 Mar 2018 16:32:22 GMT https://community.cisco.com/t5/network-security/fips-enable-asa-5515-port-channel-break/m-p/3343369#M968091 Marvin Rhoads 2018-03-06T16:32:22Z