ASA Cluster: Replace SSP modules

I have a 2 ASA 5585-X SSP 40 cluster installed with older generation IPS-SSP-40 modules. The IPS modules are used only for their 10 gig interface capability for the data path, without being used for any IPS functionality. The 10Gig network interfaces on the IPS modules are used in a single spanned etherchannel across the cluster. I am looking to replace these IPS-SSP-40 modules with the NM-4-10GE ASA 5585-X network modules. Is there a non-disruptive way to achieve the network module changeover in the ASA cluster?

 

The way I have planned so far is as follows:

1. Disable health monitoring (service module and 10Gig interfaces) on the ASA cluster

2. Shut down IPS module on the ASA 1

              At this point ASA 1 will be taken out of the cluster. The traffic will shift to ASA 2, as the port channel will remain up.

3. Replace IPS module with NM-4-10GE on ASA-1 and repatch.

              This is where I am not sure, as the ASA-2 will still have the IPS module in it. So would the ASA-1 be able to join the cluster when the NM4 card 10Gig interfaces come back online and join the port-channel?

 

If the ASA-1 is able to join the cluster at the above stage, then it's a simple process.

 

Else I would require the guidance of the ASA experts here to carry out the task.

 

Thanks in advance

Accepted Solutions

Re: ASA Cluster: Replace SSP modules

With mismatched hardware, the ASA with the new network module will not be able to rejoin the cluster (I assume you mean High Availability pair).

I think you should just schedule an outage and take them both offline and bring up properly with the new NM in both units. Eventually you will have to reassign interfaces to one of the new ports, which will definitely be an outage, so why not just get it over with and be covered for the loss of service with a maintenance window?

Re: ASA Cluster: Replace SSP modules

Thanks Marvin, yeah there would be a maintenance window scheduled. I was just thinking if we can make it a non-disruptive change but it seems there is no other way.

 

 
