03-27-2019 07:07 PM
I know how to migrate the PIX Failover(Active/Standby) Pair to ASA on Firepower2110 without interrupting traffic.
Solved! Go to Solution.
03-27-2019 08:11 PM
That cannot be done without traffic interruption. The new ASA pair will have new MAC addresses for the interfaces and there would be no way to transfer connection state table from the old to the new.
You would need to rebuild the configuration on the new ASA pair and then, during a scheduled outage, disconnect the Pix pair and connect the ASA pair.
It would be a short but unavoidable service interruption.
03-27-2019 08:11 PM
That cannot be done without traffic interruption. The new ASA pair will have new MAC addresses for the interfaces and there would be no way to transfer connection state table from the old to the new.
You would need to rebuild the configuration on the new ASA pair and then, during a scheduled outage, disconnect the Pix pair and connect the ASA pair.
It would be a short but unavoidable service interruption.
03-27-2019 08:56 PM
Thank you for reply.
Is it not possible to set the MAC of the PIX interface to ASA as a virtual Mac?
03-28-2019 02:26 AM
Yes technically you could specify the MAC address instead of using the burned in address.
You'd still have the issue of not having any information about state of connections and flows (and any NAT xlates) existing in the Pix on the new ASAs. So those would need to be all re-established.
Since you have to have an outage due to the second bit in any case, why incur unnecessary technical debt in fiddling with MAC address.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide