Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
916
Views
0
Helpful
6
Replies

Context Migration from FWSM to ASA

Go to solution
prabhanjan_hb
Level 1
Level 1

‎09-25-2013 08:20 AM - edited ‎03-11-2019 07:43 PM

Hi there ,

     What would be best way to migrate a Context from FWSM to ASA (non SM)  with minimal down time & effort .

I am thinking of these steps :

1) Preconfigure  the new ASA with the same IP-Address as FWSM for the interfaces (keep the ASA subinterfaces in shut state ) , configure Access rules .

     ( Want to retain same ip for the interfaces , since there are many hosts behind the FWSM with this gateway IP configured )

2) Shut the context specific interfaces on FWSM & bring up the Context specific interfaces on the ASA.

   ( Also a query - If I introduce ASA into the Network with the same IP as of FWSM , though the interfaces would be in shut state , should i expect any IP Conflicts )

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to prabhanjan_hb

‎09-27-2013 08:28 AM

I'd suggest opening a TAC case for assistance. Let us know what you find out.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-25-2013 11:03 AM

That sounds like a good plan.

You should not see any IP conflicts as long as both the FWSM context interfaces and corresponding ASA subinterfaces are not up simultaneously.

You may need to flush arp caches on the hosts since I do not believe the ASA will send a gratuitous ARP announcing it owns the interface addresses once they are brought out of shutdown.

0 Helpful

Go to solution
prabhanjan_hb
Level 1
Level 1
In response to Marvin Rhoads

‎09-25-2013 11:15 PM

ok , gratuitous ARP behavior post migration could cause issues then , as we have around 300 - 400 virtual servers behind this ASA context , so flushing ARP on all these boxes may not be possible ; do we have any other recommendations , as our ASA5585X will be running on 9.0.1 code.

Thanks

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to prabhanjan_hb

‎09-25-2013 11:33 PM

Hi,

Well you probably have the option to configure the old FWSMs interface MAC address to the ASAs corresponding interface manually, this way there will be no change in the ARP from the perspective of the server/host.

I guess depending on if you have a single firewall or failover firewall the command is a bit different as you define either 1 or 2 MAC addresses.

I think this was the command to modify the MAC address

http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205

- Jouni

0 Helpful

Go to solution
prabhanjan_hb
Level 1
Level 1
In response to Jouni Forss

‎09-27-2013 07:06 AM

Thanks Jouni,  however we are planning to migrate some 20 contexts with 6 - 8 subinterfaces in each of them ; is their any other way to tweak this gratuitous ARP problem , without having to flush the ARP cache on hosts or replicating mac address from FWSM to ASA.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to prabhanjan_hb

‎09-27-2013 08:28 AM

I'd suggest opening a TAC case for assistance. Let us know what you find out.

0 Helpful

Go to solution
prabhanjan_hb
Level 1
Level 1
In response to Marvin Rhoads

‎09-27-2013 08:33 AM

ok thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card