06-11-2014 03:07 AM - edited 03-11-2019 09:19 PM
Hi,
We intend to replace our existing ASA5520 firewalls (including IPS modules) with new ASA5545x firewalls including IPS licenses. As these are production firewalls, I was wondering about the best strategy to replace the firewalls while minimising downtime. The firewalls are running as an Active/Standby pair and we have site-to-site IPSEC VPN connectivity with a number of sites and also provide AnyConnect mobile VPN connectivity and traditional IPSEC VPN client connectivity to our users.
The ASA5520s are running 8.4(7)15 with AnyConnect Essentials and AnyConnect for Mobile licenses
The ASA5545x will be running 8.6.1(13) and I have obtained temporary AnyConnect Essentials and AnyConnect for Mobile licenses for them
I have also obtained temporary IPS licenses for the IPS software.
My thinking is:
Pre-Migration
Migration
AT THIS STAGE, THERE WILL BE DOWNTIME AS NO FIREWALLS ACTIVE
Post Migration
Has anyone been through similar and can they tell me if there are any flaws or "gotchas" in this strategy? I'm assuming the downtime will be pretty much limited to how long it takes me to swap the cables between the old and new firewalls, as the VPN connectivity should just re-establish when the end-devices see the firewall active again at its original IP address (albeit the MAC address will have changed), or is there anything I need to worry about there?
Any advice or suggestions - particularly from any of you who have carried out similar - would be very much appreciated!
Thanks.
06-11-2014 07:26 AM
Do you have any spare ports on the switches that these ASAs connect to? Something to consider doing is to cable everything ready and have the ports on the ASA in shutdown. Then issue shut on the existing ASA ports and no shut on the new ASA ports (you can have a script for this and for the rollback if needed). This will save you a little more on the downtime when doing the actual migration.
Also keep in mind that though most newer network equipment will update their ARP tables automatically, I have seen some that need their ARP table cleared in order for connectivity to come up. So if connectivity doesn't come up right away, you may want to try clearing the ARP table on the switches/routers before doing a rollback.
--
Please remember to select a correct answer and rate helpful posts
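The scripted shut / no shut cutover with a matching rollback that the reply above suggests can be generated from a single port mapping so that the two scripts can never drift apart. The Python below is an added example, not code from the thread or from Cisco: it assumes Cisco IOS-style interface names on the switches, the port names in PORT_MAP are constructed placeholders, and the order it enforces (shut every old-ASA port before enabling any new-ASA port) is there so the old and new firewall never both answer for the same IP on a segment during the swap. The post-cutover list also carries the ARP-cache clear mentioned in the reply as an optional follow-up.

```python
"""Generate cutover and rollback switch-port scripts for an ASA swap.

Added example (not from the thread). Assumes IOS-style interface syntax;
port names below are constructed placeholders, not the poster's cabling.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class PortPair:
    role: str       # what the cable carries, e.g. "outside", "inside", "dmz"
    old_port: str   # switch port cabled to the old ASA5520
    new_port: str   # switch port pre-cabled to the new ASA5545-X, kept admin-shut


# Constructed sample mapping (placeholder ports, hypothetical switch layout).
PORT_MAP: List[PortPair] = [
    PortPair("outside", "GigabitEthernet1/0/1", "GigabitEthernet1/0/11"),
    PortPair("inside", "GigabitEthernet1/0/2", "GigabitEthernet1/0/12"),
    PortPair("dmz", "GigabitEthernet1/0/3", "GigabitEthernet1/0/13"),
]


def validate(pairs: Iterable[PortPair]) -> bool:
    """Reject a mapping where any switch port is listed twice (old or new)."""
    seen: Set[str] = set()
    for p in pairs:
        for port in (p.old_port, p.new_port):
            if port in seen:
                raise ValueError(f"port {port} mapped twice")
            seen.add(port)
    return True


def _toggle(ports: Iterable[str], enable: bool) -> List[str]:
    lines: List[str] = []
    for port in ports:
        lines.append(f"interface {port}")
        lines.append(" no shutdown" if enable else " shutdown")
    return lines


def cutover_script(pairs: List[PortPair]) -> List[str]:
    """Shut all old-ASA ports first, then bring up all new-ASA ports."""
    validate(pairs)
    return ["configure terminal",
            *_toggle([p.old_port for p in pairs], enable=False),
            *_toggle([p.new_port for p in pairs], enable=True),
            "end"]


def rollback_script(pairs: List[PortPair]) -> List[str]:
    """Mirror image of the cutover: shut new-ASA ports, re-enable old ones."""
    validate(pairs)
    return ["configure terminal",
            *_toggle([p.new_port for p in pairs], enable=False),
            *_toggle([p.old_port for p in pairs], enable=True),
            "end"]


def post_cutover_checks(pairs: List[PortPair]) -> List[str]:
    """Exec-mode commands to run after the swap; the ARP clear is optional
    and only needed if a neighbour keeps the old ASA's MAC (see reply above)."""
    checks = [f"show interfaces {p.new_port} status" for p in pairs]
    checks.append("clear arp-cache")
    return checks


def _action_index(script: List[str], ports: Set[str], action: str, first: bool) -> Optional[int]:
    """Index of the first (or last) line applying `action` to one of `ports`."""
    current, found = None, None
    for i, line in enumerate(script):
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
        elif line.strip() == action and current in ports:
            if first:
                return i
            found = i
    return found


def is_safe_order(script: List[str], disable_ports: Set[str], enable_ports: Set[str]) -> bool:
    """True when every port in disable_ports is shut before any port in
    enable_ports is enabled, so both firewalls are never live at once."""
    last_down = _action_index(script, disable_ports, "shutdown", first=False)
    first_up = _action_index(script, enable_ports, "no shutdown", first=True)
    return last_down is not None and first_up is not None and last_down < first_up


if __name__ == "__main__":
    print("\n".join(cutover_script(PORT_MAP)))
    print("! --- rollback ---")
    print("\n".join(rollback_script(PORT_MAP)))
```

Paste the generated blocks into the switch session (or a change ticket) ahead of the window; the is_safe_order check is what you would run on the rendered scripts before the change to confirm nobody reordered the lines by hand.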
06-11-2014 08:04 AM
Hi Marius,
that's a good idea on cabling up ports and leaving them admin shut - probably is the best way to do it. However, we have only a few spare ports and, unfortunately, we also have a bit of a spaghetti mess going on at our switches so I'm trying to avoid the need to run new cables and/or to have to interfere too much with existing cabling, hence I thought it easiest to just swap cables between old and new firewalls! (Not a good situation I know!)
I will bear that in mind about the ARP tables, thanks, but hoping we should be ok on that front with most of our kit.
06-11-2014 08:49 AM
As for config differences there shouldn't be any issues copying the config straight over. Marvin makes a good point on the matter of licenses and certificates. Hopefully you have a 3rd party CA or have created exportable local certificates for AnyConnect. If not it isn't really a big issue, it just might be a pain getting all your users to import the new certificate.
Thank you for the rating.
@Marvin thanks for the endorsement
06-11-2014 09:25 AM
No problem, thanks for the advice and assistance!
06-11-2014 08:33 AM
In addition to Marius' good advice, I would add to consider the remote access VPN. You need to ensure you have the same AnyConnect images on your new units as well as any profiles (xml files).
Also, what is your certificate type? If it's third party you will need to host that on the new ASA. If it's self-signed you will need to generate one and the clients will have to install and/or accept it.
06-11-2014 09:23 AM
Hi Marvin,
yes, imported the AnyConnect images and profiles already so think I'm good to go there and we have a 3rd party CA and I have imported the certificate into the new ASA so hopefully it's also good to go! But definitely worth checking that off the list so thanks for that!