05-17-2021 10:07 AM
I'm in the process of RMAing a 5508 that was running FTD code and am wondering what the best way to replace it would be. The device was previously managed over a VPN tunnel and the management interface was used (I used a registration code and NAT ID, which I have documented). I know the policies can be re-deployed once the device is in the FMC, but since the site has only a /30, putting the management interface on the WAN to get that connectivity isn't an option. I was planning on doing the following:
1) Configure the replacement device with a public IP and set up connectivity using the same registration code and NAT ID, if they'll work
2) Go into the current device in the FMC and change the management IP address
3) Confirm the device is registered, then re-deploy the configuration/policies
4) Once deployed, go back into the FMC and change the management IP back to what it currently is
5) Go into the console of the device and change the management interface IP address back to the correct IP
Will this work, or will I need to delete the device from the FMC, re-add it, and then set up the VPN and anything else that might get lost during the removal of the device? The FMC and FTD were both running 6.2.3.10.
05-19-2021 07:16 AM
I was able to add the device to the FMC by a public IP on a different segment, manually configure the interfaces and the static routing, and then re-assign the same policies to the RMA unit and push out the configuration. I then went into the console and changed the management address to what should be the correct address across the VPN and updated the correct management address in the FMC. Waiting on the device deployment today.
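The temporary-public-address approach described in the question and confirmed in the reply above, shown as an FTD CLI session. This is an added example, not taken from the thread: every address, the registration key and the NAT ID are placeholders, and the command output is illustrative. The commands themselves (`configure network ipv4 manual`, `configure manager add`, `show managers`, `show network`) are standard FTD CLI commands.

```text
# Replacement unit, console. Temporary public management address on the
# spare segment (placeholder addresses from the RFC 5737 documentation range).
> configure network ipv4 manual 203.0.113.10 255.255.255.252 203.0.113.9

# Register to the FMC with the same registration key and NAT ID that were
# documented for the failed unit (placeholders here).
> configure manager add <FMC_REACHABLE_IP> <REGISTRATION_KEY> <NAT_ID>

# On the FMC: Devices > Device Management > Add Device, same key and NAT ID,
# then check the tunnel from the FTD side before deploying policies.
> show managers
Type                      : Manager
Host                      : <FMC_REACHABLE_IP>
Registration              : Completed

# After the policy deployment succeeds: move the FTD management address to
# the real in-tunnel address, then edit the device's host IP in the FMC
# (device > Management settings) so it matches.
> configure network ipv4 manual 10.0.0.2 255.255.255.0 10.0.0.1
> show network
```

Note that only the FTD's own management address changes in this sequence; the manager address stored on the FTD by `configure manager add` is left untouched, which is the part a later reply in this thread says cannot be edited in place before 6.7. Re-run `show managers` after the final address change to confirm the registration still shows as completed before relying on the device.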
01-12-2022 01:24 AM
Hi mumbles,
Potentially have an RMA situation on my hands.
In addition to what you did above, did you also have to downgrade the FTD software on the replacement device?
01-12-2022 02:55 AM
If you are running FTD version 6.7 or higher you can follow the procedure that mumbles has described. Prior to 6.7 you are not able to update the FMC IP on the FTD without unregistering it.
05-21-2022 03:53 PM
So if we add a new device to the FMC, we cannot get all the config back, like:
- Interface config
- routing
- zone interface
- NAT
- VPN
Can we simply have it back by doing the option *Push Configuration*?
I'm running FTD version 6.2 and FMC 6.4.
Thank you
05-21-2022 11:04 PM
@andry1234 This really depends on what you mean by "add a new device". You can take device-specific backups and restore them to the failed / RMA'ed device. The device backup backs up everything on the device, including the management IP, gateway and FMC registration key.
If you require further assistance please create a new post so the topic will be easier to find for others having the same issue.
05-22-2022 02:59 AM
This is my actual config for the broken device from the FMC. If I use the push config option to a newly registered device on the FMC, will all my old config move to the new device instantly?
05-25-2022 02:46 PM
To replace a device with an RMA device, you can follow this guide: