06-22-2012 08:49 AM
Hi Experts,
Please help me with the following information, as I have to perform this tomorrow:
a) I was looking for a detailed procedure to replace the ACE in an active-active environment/cluster configuration.
b) What parameters do I need to take from the ACE module before replacing it with the new one?
c) I have the config backup; can I load the same on the new module?
Any suggestion would be appreciated.
Regards
Fari
06-22-2012 09:08 AM
(1) Issue “wr mem” on “currently ACTIVE ACE” and backup the configuration.
Create a configuration “checkpoint” on “currently ACTIVE ACE” for EACH context.
(2) Backup (copy) the config from each user context, including the Admin context, from your currently in-production ACE to an FTP server.
(3) Export your current “certs & keys” to a tftp/ftp/sftp server from the ACTIVE ACE & then import them on “the new ACE” later.
(4) Power down the ACE module to be replaced from the switch CLI in config mode (no power enable module
(5) Power up the new replacement module from the switch CLI (power enable module
(6) Once the new module is online, session into it from the switch.
(7) Configure the Admin context with an IP interface VLAN configuration so that you have IP connectivity to the module.
(8) Make sure you upgrade the newly received replacement ACE to exactly the same release of code as that of the “currently ACTIVE ACE”.
(9) Configure the Admin context with the rest of the configuration as per the backed-up config (for this ACE) EXCEPT the FT configuration.
Note: If you don’t have a config for this module backed up, you would need to review the Admin context configuration from the “ACTIVE ACE” and configure it accordingly. Please make sure you use the “peer IP address” information from the currently ACTIVE ACE to configure this ACE module.
(10) If you have an “ssl-proxy” service configured in any user context, please make sure you IMPORT all your “Certs & Keys” to this new ACE module before configuring your FT configuration. You can import them with option terminal (e.g. crypto import
The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state. In order to correct this problem, verify if all certs and keys are installed on both ACE modules.
(11) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.
Configure all FT groups BUT DO NOT configure them “inservice”.
Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.
Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).
(12) Please make sure “preemption” is NOT enabled for the FT group. If enabled please do remove it and re-add after the module is successfully replaced.
Example:
ft group 1
peer 1
no preempt <=====================
peer priority 150
associate-context test
(13) Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.
Example:
ft group 1
peer 1
no preempt
peer priority 150
associate-context test
inservice <===============================
(14) At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
show ft group detail
show ft peer detail
These “show commands” should help you with verifying the state of FT configuration.
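Added example, not code from the post above or from Cisco: a small Python helper that applies steps 11 to 13 to the text of the backed-up Admin-context config. It lists the FT groups that still have preemption on or are already "inservice", writes a staged copy with "no preempt" and without "inservice" (the state wanted before the new module joins the peer), and can add "inservice" back once FT VLAN connectivity is confirmed. The sample config is constructed; its VLAN, addresses and context names are hypothetical. One assumption is built in: a group with no explicit "no preempt" line is treated as preempt-enabled.

```python
"""Stage the FT configuration of a replacement ACE module (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: FT portion of an Admin-context running-config.
# VLAN, IP addresses and context names are hypothetical.
SAMPLE_FT_CONFIG = """\
ft interface vlan 100
  ip address 192.168.100.1 255.255.255.0
  peer ip address 192.168.100.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 100
ft group 1
  peer 1
  preempt
  priority 200
  peer priority 150
  associate-context test
  inservice
ft group 2
  peer 1
  no preempt
  priority 100
  peer priority 200
  associate-context shop
  inservice
"""

FT_GROUP_RE = re.compile(r"^ft group (\d+)\s*$")
PEER_ID_RE = re.compile(r"^peer \d+$")


def split_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (header, sub-commands) blocks.

    A non-indented line is a header; the indented lines after it are its
    sub-mode commands, which is how the ACE prints a running-config.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if not blocks:
                raise ValueError(f"indented line before any header: {raw!r}")
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def parse_ft_groups(config: str) -> Dict[int, List[str]]:
    """Return {group_id: [sub-commands]} for every 'ft group N' block."""
    groups: Dict[int, List[str]] = {}
    for header, body in split_blocks(config):
        match = FT_GROUP_RE.match(header)
        if match:
            groups[int(match.group(1))] = body
    return groups


def preempt_enabled(body: List[str]) -> bool:
    # Assumption: preemption is on unless the group explicitly says 'no preempt'.
    return "no preempt" not in body


def is_inservice(body: List[str]) -> bool:
    return "inservice" in body


def lint_ft_groups(config: str) -> List[str]:
    """Findings that should be cleared before the new module joins the FT peer."""
    findings: List[str] = []
    for gid, body in sorted(parse_ft_groups(config).items()):
        if preempt_enabled(body):
            findings.append(f"ft group {gid}: preempt enabled; use 'no preempt' until the replacement is done")
        if is_inservice(body):
            findings.append(f"ft group {gid}: inservice set; add it only after FT VLAN connectivity is verified")
    return findings


def _rewrite_groups(config: str, edit: Callable[[List[str]], List[str]]) -> str:
    """Apply 'edit' to the body of every ft group; other blocks pass through."""
    out: List[str] = []
    for header, body in split_blocks(config):
        out.append(header)
        if FT_GROUP_RE.match(header):
            body = edit(list(body))
        out.extend("  " + line for line in body)
    return "\n".join(out) + "\n"


def stage_ft_groups(config: str) -> str:
    """Steps 11/12: every group gets 'no preempt' and loses 'inservice'."""
    def edit(body: List[str]) -> List[str]:
        body = [l for l in body if l not in ("preempt", "no preempt", "inservice")]
        at = 1 if body and PEER_ID_RE.match(body[0]) else 0  # keep 'peer N' first
        body.insert(at, "no preempt")
        return body
    return _rewrite_groups(config, edit)


def mark_inservice(config: str) -> str:
    """Step 13: append 'inservice' to every group once FT connectivity is up."""
    return _rewrite_groups(config, lambda body: [l for l in body if l != "inservice"] + ["inservice"])


if __name__ == "__main__":
    for finding in lint_ft_groups(SAMPLE_FT_CONFIG):
        print("FINDING:", finding)
    print(stage_ft_groups(SAMPLE_FT_CONFIG))
```

Run the staged output's lint before pasting it into the replacement module; it should come back empty. The script only reshapes the `ft group` blocks, so `ft interface` and `ft peer` lines (step 11) are carried over unchanged and still need the peer IP taken from the active module.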
06-22-2012 10:31 AM
Hi,
You just have to issue
"ft switchover all" on the standby ACE before making the replacement.
This will ensure that all the context are active on single ACE. Then you can start the procedure as stated above.
Hope that helps.
regards,
Ajay Kumar
06-22-2012 09:08 AM
(1) Issue “wr mem” on “currently ACTIVE ACE” and backup the configuration.
Create a configuration “checkpoint” on “currently ACTIVE ACE” for EACH context.
(2) Backup (copy) config from each user context, including Admin context, from your currently in production ACE to a FTP server.
(3) Export your current “certs & keys” to a tftp/ ftp/ sftp server from the ACTIVE ACE & then import them on “the new ACE” later.
(4) Power down the ACE module, to be replaced, from the switch CLI in config mode (no power enable module
(5) Power up the new replacement module from switch CLI (power enable module
(6) Once the new module is on line, session into it from the switch.
(7) Configure Admin context with an IP interface VLAN configuration so that you have IP connectivity to the module.
(8) Make sure you upgrade the newly received replacement ACE to exactly the same release of code as that of “currently ACTIVE ACE” .
(9) Configure Admin context with rest of the configuration as per backed up config ( for this ACE) EXCEPT FT configuration.
Note: If you don’t have a config for this module “backed” up. You would need to review Admin context configuration from “ACTIVE ACE” and configure it accordingly. Please make sure you use “peer IP address” information from currently ACTIVE ACE to configure this ACE module.
(10)If you have “ssl-proxy” service configured in any user context, please make sure you IMPORT all your “Certs & Keys” to this new ACE module before configuring your FT configuration. You can import them with option terminal (e.g. crypto import
The ACE does not synchronize the SSL certificates and key pairs that are present in the active context with the standby context of an FT group. If the ACE performs configuration synchronization and does not find the necessary certificates and keys in the standby context, config sync fails and the standby context enters the STANDBY_COLD state. In order to correct this problem, verify if all certs and keys are installed on both ACE modules.
(11) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.
Configure all FT groups BUT DO NOT “configure them “inservice”.
Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.
Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).
(12) Please make sure “preemption” is NOT enabled for the FT group. If enabled please do remove it and re-add after the module is successfully replaced.
Example:
Example:
ft group 1
peer 1
no preempt <=====================
peer priority 150
associate-context test
(13) Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.
Example:
ft group 1
peer 1
no preempt
peer priority 150
associate-context test
inservice <===============================
(14) At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
show ft group detail
show ft peer detail
These “show commands” should help you with verifying the state of FT configuration.
06-22-2012 09:10 AM
Hi Ajay,
Thanks for the reply; this is what I was expecting. Is this the same procedure for the active-active configuration?
Regards
Fari
06-22-2012 10:31 AM
Hi,
You just have to issue
"ft switchover all" on the standby ACE before making the replacement.
This will ensure that all the context are active on single ACE. Then you can start the procedure as stated above.
Hope that helps.
regards,
Ajay Kumar
06-25-2012 12:35 AM
Thanks a ton, Ajay, for your valuable input on this.
You ROCK!!!!!!
Regards
Fari.
06-25-2012 12:46 AM
Hi Fari,
Glad to know that I was able to assist you.
with regards,
Ajay Kumar
06-25-2012 12:22 PM
Hey Ajay, instead of upgrading code and moving certs, can't you simply move the old compact flash into the new ACE and boot up?
06-25-2012 03:19 PM
Hello Bryan,
That may work, but it is highly NOT recommended by Cisco TAC.
---------------------------
Jorge
06-26-2012 12:52 PM
thank you!
06-26-2012 06:06 PM
Sure