Solved: firewall replacement question?

Keith Craycraft · ‎12-21-2010

currently working on replacing firewalls with ASA's.

Question is it better to replace the hub site in a group of l2l vpn tunnels or do the end sites and then replace the hub site?

Jennifer Halim · ‎12-21-2010

I would recommend that you replace your remote site first before replacing the hub.

Worst case scenario, if you replace the remote first, at least if it is not working, then you just have to concentrate to troubleshoot one remote L2L connection. If you replace the hub, and if it's not working, then you would need to troubleshoot all L2L tunnels to the remote.

I wouldn't think there would be much issue anyway replacing the firewall as IPSec standard is pretty mature by now, and most vendors IPSec are compatible with each other.

View solution in original post

Jennifer Halim · ‎12-21-2010

I would recommend that you replace your remote site first before replacing the hub.

Worst case scenario, if you replace the remote first, at least if it is not working, then you just have to concentrate to troubleshoot one remote L2L connection. If you replace the hub, and if it's not working, then you would need to troubleshoot all L2L tunnels to the remote.

I wouldn't think there would be much issue anyway replacing the firewall as IPSec standard is pretty mature by now, and most vendors IPSec are compatible with each other.