
ASA 5510 -> 5515 upgrade

gregbeifuss (Level 1)

Hi all,

I have an ASA 5510 that sits between our DMZ and our internal network. I've tried replacing it with a 5515 with disastrous results.

I'm working on replacing our organization's older ASAs with 5515s. I've replaced six 5510s and 5512s by saving the running configuration, fixing up the interface names, pasting the modified configuration to the new 5515 and powering them up. However, this last ASA is giving me fits. When I put the 5515 in place, access to some hosts is blocked, and these hosts are random. For example, Host A might not be available until the ASA is rebooted. Afterwards, it is, but other hosts are unreachable. Another reboot results in, again, different hosts being unreachable.

I thought that perhaps something was wrong with the 5515 I was using, so I grabbed my spare 5515 and used it. This resulted in the same type of symptoms. Configuring the 5515 from scratch, line by line to rule out cut/paste errors, didn't resolve the symptoms.

If I replaced the current 5510 with a different 5510, there were no problems - everything worked as expected.

Flushing the ARP cache (and verifying the routes) on our internal core switch had no impact. In fact, the ARP cache on the switch looked like it correctly updated with the new MAC.

Unfortunately, when this happened I didn't have a lot of time to document the exact behaviours or perform firewall/switch debug/diagnosis. I'm looking for assistance and suggestions about what exactly might be happening and how to resolve it. The next time I attempt to upgrade this, I can try to grab some logs (etc).

Thanks,

Greg 

2 Replies

Marvin Rhoads (Hall of Fame)

It's uncommon but there could be a hardware problem with the new ASA 5515 that's causing the problem. I haven't seen that myself; but have seen enough odd things to "never say never".

You can always open a proactive TAC case and schedule an engineer to be online with you when you make the next cutover attempt. They can run debugs and gather data in real time to help resolve the problem for you.

patoberli (VIP Alumni)

What software release is on the old and which one on the new?

Some upgrades (8.2 -> 8.4, 8.4 -> 9.0 for example) will cause a config migration and sometimes need manual adjustments (8.2 to anything newer requires you to redo the NAT configuration in most cases, for example).
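The procedure Greg describes in the original post (save the running config, fix up the interface names, paste it into the new 5515) and patoberli's point that an 8.2-era config needs its NAT redone on 8.3 or later both lend themselves to a pre-flight check of the saved config before the cutover. The script below is an added example written for this page, not code from the thread or from Cisco. It renames the physical interfaces using an assumed 5510-to-5515-X port mapping, flags every pre-8.3 NAT statement (nat-control, global, static, nat (ifc) N) that a running 8.3+/9.x CLI will not accept as pasted, and flags ACL entries that reference a static's mapped address, since from 8.3 onward ACLs are evaluated against real (untranslated) addresses and such entries silently stop matching. The sample configuration, interface map, ACL names and addresses are all constructed for the example.

```python
"""Pre-flight check for moving an ASA 5510 (8.2-style) config to a 5515-X
running 8.3+/9.x. Added example for this page, not code from the thread."""
import re

# Constructed sample of a pre-8.3 style configuration excerpt; interface
# names, addresses and ACL names are made up and are not the poster's config.
OLD_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
nat-control
global (inside) 1 interface
nat (dmz) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (dmz,inside) 10.1.1.50 192.168.10.50 netmask 255.255.255.255
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.50 eq www
access-group INSIDE_IN in interface inside
"""

# Assumed port mapping for a 5510 -> 5515-X swap (5510 data ports are
# Ethernet0/x, 5515-X data ports are GigabitEthernet0/x). This dictionary is
# an assumption; confirm it against 'show interface ip brief' on the new unit.
INTERFACE_MAP = {
    "Ethernet0/0": "GigabitEthernet0/0",
    "Ethernet0/1": "GigabitEthernet0/1",
    "Ethernet0/2": "GigabitEthernet0/2",
    "Ethernet0/3": "GigabitEthernet0/3",
}

# Pre-8.3 NAT commands. Booting an 8.3+ image on the old startup-config
# migrates them automatically, but pasting them into a running 8.3+/9.x CLI
# fails, so they must be rewritten as object/twice NAT before the cutover.
LEGACY_NAT_PATTERNS = [
    re.compile(r"^\s*nat-control\b"),
    re.compile(r"^\s*global\s+\("),
    re.compile(r"^\s*static\s+\("),
    re.compile(r"^\s*nat\s+\([\w/.-]+\)\s+\d+\b"),  # nat (ifc) <id> ..., incl. nat 0
]


def rename_interfaces(config: str, mapping: dict) -> str:
    """Rewrite 'interface <old>' lines (and their subinterfaces) per mapping."""
    out = []
    for line in config.splitlines():
        m = re.match(r"^(\s*interface\s+)([A-Za-z]+\d+/\d+)((?:\.\d+)?)(.*)$", line)
        if m and m.group(2) in mapping:
            line = f"{m.group(1)}{mapping[m.group(2)]}{m.group(3)}{m.group(4)}"
        out.append(line)
    text = "\n".join(out)
    return text + "\n" if config.endswith("\n") else text


def find_legacy_nat(config: str) -> list:
    """Return (line_number, line) for every pre-8.3 NAT statement."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        if any(p.match(line) for p in LEGACY_NAT_PATTERNS):
            hits.append((n, line.strip()))
    return hits


def static_translations(config: str) -> list:
    """Parse 'static (real_ifc,mapped_ifc) [tcp|udp] mapped [port] real ...'
    into (mapped_ip, real_ip) pairs."""
    pairs = []
    for line in config.splitlines():
        m = re.match(r"^\s*static\s+\([^)]+\)\s+(.*)$", line)
        if not m:
            continue
        tok = m.group(1).split()
        if tok and tok[0] in ("tcp", "udp") and len(tok) >= 4:
            mapped, real = tok[1], tok[3]          # port static form
        elif len(tok) >= 2:
            mapped, real = tok[0], tok[1]
        else:
            continue
        if mapped != "interface":                  # 'interface' keyword, not an IP
            pairs.append((mapped, real))
    return pairs


def find_mapped_ip_acls(config: str) -> list:
    """ACL lines that name a static's mapped address. From 8.3 on, ACLs match
    on real addresses, so these entries must be rewritten to the real IP."""
    statics = static_translations(config)
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        if not line.lstrip().startswith("access-list"):
            continue
        for mapped, real in statics:
            if re.search(r"\bhost\s+" + re.escape(mapped) + r"\b", line):
                hits.append((n, mapped, real))
    return hits


if __name__ == "__main__":
    print(rename_interfaces(OLD_CONFIG, INTERFACE_MAP))
    for n, line in find_legacy_nat(OLD_CONFIG):
        print(f"line {n}: legacy NAT, rewrite as object NAT: {line}")
    for n, mapped, real in find_mapped_ip_acls(OLD_CONFIG):
        print(f"line {n}: ACL uses mapped {mapped}; 8.3+ needs real {real}")
```

Run it against a saved `show running-config` from the old unit before the maintenance window. An empty report only means the config has no pre-8.3 NAT syntax and no host-form ACL reference to a mapped address; it does not cover network-object or interface-keyword references, and it says nothing about the intermittent reachability Greg describes, which still needs the live debugs Marvin suggests.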
