
Disable failover - moving ISP

louis0001
Level 3

Hi,

We have to move ISP and as such will gain a new block of 8 static IPs.

We have 2x 5510 in standby/failover state and we know the time that the connection will drop and change.

Obviously, we need to change the IPs on the ASAs so I was wondering what order you would do this in?

e.g.:

1. Disable standby on the active unit
2. Change IPs and routing on the active unit and change standby address to new IP?

This is the bit I'm unsure about now. How do you do this on the standby unit?
Do you simply enable failover again on the active unit and the standby unit will pick up the IP addressing?


Not sure why you want to disable failover? Any changes made to the active ASA will be replicated to the standby ASA. So all you need is either console access or access via the inside network to the inside interface. Then change the IP on the public interface (remember to include the standby address). And then you are done.

This will automatically replicate to the standby ASA so you do not need to worry about that.

--

Please remember to select a correct answer and rate helpful posts


Agree with Marius.

Changing ISP is going to be a pain if your address space is PA and therefore you're going to be assigned a new range. If you have a lot of NAT you will need to update it along with any public DNS records.

The alternative approach, and it might be what you're planning, is to take the current standby offline and reconfigure it for the new ISP. At this stage you have two ASAs that do not have a failover partner; they are standalone units, even though they can be configured for failover, just no standby member exists. You could migrate all services in/out from the ASA attached to the old ISP to the new, obviously routing etc. needs to be managed. Once the old ISP/ASA is migrated off, wr erase its configuration and add it to the other ASA as the secondary unit, forming an active/standby configuration again.

Really, it depends on how large your configuration is. Can you afford any outage? Is it possible just to re-IP the outside interface and update any NAT and DNS over a weekend? If minimal outage is preferred you might find the approach of breaking the current A/S setup and using the current standby unit, attaching it to the new ISP and making it the active unit of a new A/S setup (with the standby currently missing), and slowly migrating services across.

A lot of planning will be required!!

Joel

Thanks for that. The config isn't that big with only about 10 static NATs & associated rules and a couple of DMZs.

I was concerned about what the ASA would do once the connection is lost, e.g. flip to failover and vice versa etc.?

Outage from the ISP will be about 5 minutes and then it's just bringing the ASA back online with the new addresses and rules. I'm allowed downtime for this although I'm stretching it past an hour or so for minimal connectivity, e.g. access to internet etc.

So I'm best just keeping the ASA in active/failover and just update the interfaces (and standby interface) on the active ASA?

If the configuration as you say is reasonable, I would have a configuration file prepared before your change window to copy and paste with updated addresses, NAT & ACL etc. If you have public DNS records they will require changing as well. 

Note* You will only need to update the IP addresses on the active unit as it will sync to the standby. 

Good luck

Joel
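An added example, not from the thread or any poster's own tooling: one way to prepare the updated configuration file before the change window and to check afterwards that no interface, route, NAT or ACL line still references the old ISP's block. It assumes the old and new blocks are the same size and that each address keeps its position in the block (gateway, active, standby, NAT addresses); the function names and the sample configuration, which uses documentation address ranges, are constructed for illustration.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample config; all addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 198.51.100.10 255.255.255.248 standby 198.51.100.11
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
static (dmz,outside) 198.51.100.12 10.0.1.20 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 198.51.100.12 eq 443
"""

def _in_block(token, net):
    """True if token parses as an IPv4 address inside net."""
    try:
        return ipaddress.ip_address(token) in net
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False

def remap_config(config_text, old_block, new_block):
    """Move every old-block address to the same offset in new_block."""
    old_net = ipaddress.ip_network(old_block)
    new_net = ipaddress.ip_network(new_block)
    if old_net.num_addresses != new_net.num_addresses:
        raise ValueError("old and new blocks must be the same size")
    changes = []

    def swap(match):
        old = match.group(0)
        if not _in_block(old, old_net):
            return old  # masks, inside/DMZ hosts, 0.0.0.0 stay as they are
        offset = int(ipaddress.ip_address(old)) - int(old_net.network_address)
        new = str(new_net.network_address + offset)
        changes.append((old, new))
        return new

    return IPV4_RE.sub(swap, config_text), changes

def stale_lines(config_text, old_block):
    """Numbered lines that still reference the old ISP's block."""
    old_net = ipaddress.ip_network(old_block)
    return [(n, line.strip())
            for n, line in enumerate(config_text.splitlines(), 1)
            if any(_in_block(t, old_net) for t in IPV4_RE.findall(line))]
```

Running `stale_lines` over the saved running configuration after the cutover lists any rule that still permits or translates traffic for addresses the old ISP may reassign to someone else.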
