06-22-2017 06:12 AM - edited 03-12-2019 02:37 AM
Hi all,
I have an ASA 5510 that sits between our DMZ and our internal network. I've tried replacing it with a 5515 with disastrous results.
I'm working on replacing our organization's older ASAs with 5515s. I've replaced six 5510s and 5512s by saving the running configuration, fixing up the interface names, pasting the modified configuration to the new 5515 and powering them up. However, this last ASA is giving me fits. When I put the 5515 in place, access to some hosts is blocked, and these hosts are random. For example, Host A might not be available until the ASA is rebooted. Afterwards, it is, but other hosts are unreachable. Another reboot results in, again, different hosts being unreachable.
I thought that perhaps something was wrong with the 5515 I was using, so I grabbed my spare 5515 and used it. This resulted in the same type of symptoms. Configuring the 5515 from scratch, line by line to rule out cut/paste errors, didn't resolve the symptoms.
If I replaced the current 5510 with a different 5510, there were no problems - everything worked as expected.
Flushing the ARP cache (and verifying the routes) on our internal core switch had no impact. In fact, the ARP cache on the switch looked like it correctly updated with the new MAC.
Unfortunately, when this happened I didn't have a lot of time to document the exact behaviours or perform firewall/switch debug/diagnosis. I'm looking for assistance and suggestions about what exactly might be happening and how to resolve it. The next time I attempt to upgrade this, I can try to grab some logs (etc).
Thanks,
Greg
06-24-2017 06:26 AM
It's uncommon, but there could be a hardware problem with the new ASA 5515 that's causing the problem. I haven't seen that myself, but I have seen enough odd things to "never say never".
You can always open a proactive TAC case and schedule an engineer to be online with you when you make the next cutover attempt. They can run debugs and gather data in real time to help resolve the problem for you.
07-06-2017 01:51 AM
What software release is on the old and which one on the new?
Some upgrades (8.2 -> 8.4, 8.4 -> 9.0 for example) will cause a config migration and sometimes need manual adjustments (8.2 to anything newer requires you to redo the NAT configuration in most cases, for example).
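The original poster's procedure (save the running config, fix up the interface names, paste it onto the new unit) and the point above about 8.2 -> newer NAT migration are both things you can sanity-check offline before the cutover. The script below is an added example written for this thread, not Cisco tooling and not something either poster shared: it rewrites interface names using an assumed 5510 -> 5515-X mapping (Ethernet0/N -> GigabitEthernet0/N, Management0/0 unchanged) and flags any pre-8.3 `nat (if) N`, `global (if) N` and `static (a,b)` lines that will not survive the config migration and must be rewritten by hand. The sample config is constructed for the example.

```python
import re

# Assumed interface mapping for this example (ASA 5510 -> ASA 5515-X).
# Verify against 'show interface' on the new box before relying on it.
IFACE_MAP = {
    "Ethernet0/0": "GigabitEthernet0/0",
    "Ethernet0/1": "GigabitEthernet0/1",
    "Ethernet0/2": "GigabitEthernet0/2",
    "Ethernet0/3": "GigabitEthernet0/3",
    # Management0/0 keeps its name on both platforms.
}

# Pre-8.3 NAT syntax: these forms are replaced by object/twice NAT from 8.3 on
# and are the lines the migration cannot convert cleanly.
PRE_83_NAT = [
    ("nat (if) N", re.compile(r"^\s*nat \(\w+\) \d+")),
    ("global (if) N", re.compile(r"^\s*global \(\w+\) \d+")),
    ("static (a,b)", re.compile(r"^\s*static \(\w+,\w+\)")),
]

# Interface name left over after mapping that the new platform does not have.
UNMAPPED_IFACE = re.compile(r"^\s*interface Ethernet\d+/\d+")


def migrate_config(text, iface_map=IFACE_MAP):
    """Return (rewritten_config, warnings).

    warnings is a list of (line_number, kind, original_line) for every line
    that needs a human to look at it before the config is pasted onto the 5515.
    """
    out_lines, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        new = line
        for old, repl in iface_map.items():
            # \b keeps 'GigabitEthernet0/0' from matching 'Ethernet0/0' again.
            new = re.sub(rf"\b{re.escape(old)}\b", repl, new)
        for kind, pattern in PRE_83_NAT:
            if pattern.match(new):
                warnings.append((lineno, kind, line.strip()))
        if UNMAPPED_IFACE.match(new):
            warnings.append((lineno, "unmapped interface", line.strip()))
        out_lines.append(new)
    return "\n".join(out_lines), warnings


# Constructed 5510-style config fragment (pre-8.3 NAT) used as sample input.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-group outside_in in interface outside"""


if __name__ == "__main__":
    cfg, warns = migrate_config(SAMPLE_CONFIG)
    print(cfg)
    for lineno, kind, original in warns:
        print(f"REVIEW line {lineno} [{kind}]: {original}")
```

Run it against the saved 5510 config, paste the rewritten output, and work through every REVIEW line by hand; the NAT lines in particular have to be re-expressed as object or twice NAT on 9.x.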