Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
749
Views
0
Helpful
7
Replies

ASA Module

Go to solution
clark white
Level 2
Level 2

‎11-16-2014 12:07 PM - edited ‎03-11-2019 10:05 PM

Hello,

I am replacing FWSM with ASA module, I have used the migration tool and migrated the configuration my concern is I have very critical server which have a zero downtime.

I am planning to replace both at a same time but there will be a situation where in 1 switch it will be a FWSM and in one switch ASA module becz while uploading the configuration through TFTP in ASA module it will take time and then it will reboot the ASA module for effect of the migrated configuration after the ASA comes up both FWSM and ASA will be active because without confirming the connectivity with ASA I cannot shut FWSM,

 

Can anybody share his knowledge for migration of FWSM to ASA Module by keeping zero downtime.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clark white

‎11-17-2014 01:33 PM

Yes - you would not want both active simultaneously. I would keep one in shutdown until the configuration was all imported and ready to handle traffic.

Then during cutover go into the currently active FWSM and shutdown the production interfaces. Move over to the new ASA SM and do a "no shutdown". You may need to clear the ARP caches on the upstream and downstream gateways and send one ping to the ASA SM interface IPs to get all hosts to more quickly re-establish a valid ARP cache entry. In a normal HA pair failover the former standby ASA will send a gratuitous ARP to handle this but in your case of a manual migration that would not be initiated.

That sort of thing is what I was alluding to when I mentioned minimizing the downtime.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-17-2014 06:41 AM

There is not a zero downtime migration path.

Unfortunately you will have unavoidable downtime when migrating to new hardware. You can minimize it but you will be, at a minimum, interrupting all active TCP connections and UDP flows.

0 Helpful

Go to solution
clark white
Level 2
Level 2
In response to Marvin Rhoads

‎11-17-2014 12:28 PM

Dear Marvin

Thanks for your precious time to reply this post,

when on one switch there will be ASA module active and on another FWSM active then in this situation there will be a duplicate IP in the network and that will cause the Network instability ???

any more thoughts that will affect the network.

thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clark white

‎11-17-2014 01:33 PM

Yes - you would not want both active simultaneously. I would keep one in shutdown until the configuration was all imported and ready to handle traffic.

Then during cutover go into the currently active FWSM and shutdown the production interfaces. Move over to the new ASA SM and do a "no shutdown". You may need to clear the ARP caches on the upstream and downstream gateways and send one ping to the ASA SM interface IPs to get all hosts to more quickly re-establish a valid ARP cache entry. In a normal HA pair failover the former standby ASA will send a gratuitous ARP to handle this but in your case of a manual migration that would not be initiated.

That sort of thing is what I was alluding to when I mentioned minimizing the downtime.

0 Helpful

Go to solution
clark white
Level 2
Level 2
In response to Marvin Rhoads

‎11-28-2014 08:16 AM

Thanks Marvin,

for the precious reply and giving your thought for my migration,

so my thoughts are below for migration pls correct if they are wrong.

  1. I have seperate chassis of 6500 i will install ASA module and prepare all configuration of FWSM.
  2. i will shutdown all the interface in ASA module before it goes to the production switch.
  3. I will failover to FWSM-Sec and will remove FWSM-PRI from production switch and install ASA module which will have no effect on network becz all vlan  interface are down.
  4. I will prepare a notepad with all vlan interfaces in shutdown state for FWSM and another notepad for ASA module with all vlan interface with no shutdown state.
  5. Two Network administrators one with console on FWSM and another on ASA module will copy paste the shutdown state interface on FWSM and no shutdown state on ASA module.
  6. I dont have any upstream gateways every vlan DG will ASA module so i will clear arp cache from servers
  7. I hope Ping will work without any issues

 

Is it the above plan will work like a stream for me with a 4 or 5 packets drops of ping.

thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clark white

‎11-29-2014 07:49 AM

That seems like a pretty good plan for the FWSM to ASA SM migration. If you have uncertainty, it would be a good proactive measure to open a TAC case in advance to review your procedure. You can even schedule an engineer to be on the call with you during the upgrade.

Note that when you initially install the ASA SM in a separate chassis, the supported method for migrating configuration is to do a network copy and let the ASA SM load and parse  the configuration.

0 Helpful

Go to solution
clark white
Level 2
Level 2
In response to Marvin Rhoads

‎11-29-2014 08:30 PM

Dear Marvin,

i appreciate your response.

"is to do a network copy and let the ASA SM load and parse  the configuration."

i have done through tftp copy and allowed the ASA-SM to load parse the configuration ,In the above post point 1 i mean to say a tftp copy and let ASA-SM to load and parse.

 

Also i saw  access-list missing after migrating.now can i will copy paste those missing one's in asa-sm will it be a bad effect on the configuration if i do copy paste.

 

thanks

 

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clark white

‎11-30-2014 06:28 AM

I'd not be able to tell you the effect of putting in an access list or entry without seeing the FWSM and ASA SM configurations.

Generally speaking though an access-list needs an associated access-group command to apply it to an interface.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card