Welcome to Cisco Firewalls Community

Beginner

how to migrate PIX Failover(Active/Standby) Pair to ASA on Firepower 2110

I know how to migrate the PIX Failover (Active/Standby) Pair to ASA on Firepower 2110 without interrupting traffic.

1 ACCEPTED SOLUTION
Hall of Fame Master

Re: how to migrate PIX Failover(Active/Standby) Pair to ASA on Firepower 2110

That cannot be done without traffic interruption. The new ASA pair will have new MAC addresses for the interfaces, and there would be no way to transfer the connection state table from the old pair to the new.

You would need to rebuild the configuration on the new ASA pair and then, during a scheduled outage, disconnect the PIX pair and connect the ASA pair.

It would be a short but unavoidable service interruption.

Beginner

Re: how to migrate PIX Failover(Active/Standby) Pair to ASA on Firepower 2110

Thank you for the reply.

Is it not possible to set the MAC of the PIX interface on the ASA as a virtual MAC?

Hall of Fame Master

Re: how to migrate PIX Failover(Active/Standby) Pair to ASA on Firepower 2110

Yes, technically you could specify the MAC address instead of using the burned-in address.

You'd still have the issue of the new ASAs not having any information about the state of the connections and flows (and any NAT xlates) existing in the PIX. So those would all need to be re-established.

Since you have to have an outage due to the second bit in any case, why incur unnecessary technical debt in fiddling with the MAC address?