08-29-2017 09:45 AM - edited 02-21-2020 06:15 AM
Hi,
We are migrating from a 5510 platform to a 5516-x platform.
We tried the backup and restore feature of ASDM, which partially worked.
This is because the interface names on the 5516-X are GigabitEthernet, while they are Ethernet on the 5510. Hence a different cryptochecksum, leading to the ASDM restore feature not working on the 5516-X side.
This is the easiest method for us since there is a lot of VPN, IPsec and certificate config on those boxes.
Is there a method to change the running/startup config and recalculate the hash? I tried MD5 hashes between the head and the tail of the config, but the output hash is different.
Thanks
08-29-2017 06:55 PM
As noted you cannot simply restore.
If you take the current running config by using the "more system:running-config" command you can extract everything including preshared keys. Certificates may need to be migrated over manually and/or possibly re-issued if they are bound to the current ASA's private key.
If you are working with a partner or Cisco SE you can potentially more easily migrate the configuration by asking them to use the internal Cisco migration tool.
08-30-2017 09:17 AM
Thanks Marvin for the suggestion.
I exported all the certificates that the boxes use and for which there was a private key in PKCS12, while taking note of the associated trustpoint name. I then imported the certificates on the new boxes by creating new trustpoints with the same name. The same for CA certs.
I also exported AnyConnect images and imported them as needed on the new boxes.
I then exported the show run using the command you suggested ("more system:running-config"). Rearranged some commands that were failing because some dependency commands were too low in the config.
The config looks similar right now.
Now it's time to test :)
Thanks again!
M S
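The hand edits described in this thread (renaming the ports, leaving out the stale checksum, and knowing which trustpoints must already exist on the new box) can be scripted. The following is an added example, not part of the original posts and not a Cisco tool; the port mapping is hypothetical and the sample config is constructed.

```python
import re

# Hypothetical port mapping: set it to match the real cabling plan.
IFACE_MAP = {
    "Ethernet0/0": "GigabitEthernet1/1",
    "Ethernet0/1": "GigabitEthernet1/2",
    "Management0/0": "Management1/1",
}

# Constructed sample config, not captured from a real device.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1.100
 vlan 100
 nameif inside
interface Ethernet0/2
 shutdown
interface Management0/0
 management-only
crypto ca trustpoint VPN-TP
 enrollment terminal
ssl trust-point VPN-TP outside
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 trust-point PEER-TP
Cryptochecksum:00000000000000000000000000000000
: end
"""

# Whole port tokens only: not the tail of "GigabitEthernet0/1", not a prefix of "Ethernet0/10".
PORT = re.compile(r"(?<![A-Za-z])((?:Ethernet|Management)\d+/\d+)(?!\d)")
TRUSTPOINT = re.compile(r"\btrust-?point\s+(\S+)")

def prepare(config, iface_map=IFACE_MAP):
    """Return (rewritten config, unmapped ports, trustpoint names it references)."""
    unmapped = set()
    def rename(m):
        if m.group(1) not in iface_map:
            unmapped.add(m.group(1))  # left unchanged so it is visible in review
        return iface_map.get(m.group(1), m.group(1))
    out = []
    for line in config.splitlines():
        # The stored checksum no longer matches edited text, so leave it out.
        if line.startswith("Cryptochecksum:") or line.strip() == ": end":
            continue
        out.append(PORT.sub(rename, line))
    text = "\n".join(out) + "\n"
    return text, sorted(unmapped), sorted(set(TRUSTPOINT.findall(text)))
```

The output of "more system:running-config" includes the preshared keys, so the exported file and anything derived from it should be stored and transferred as a secret.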