I have a 5525-x firewall running ASA firmware 9.4.2(6) on which I'd like to renumber a trunked subinterface to a different IPv4 subnet. This would be most conveniently done if I could have both the old and new subnets active simultaneously on the same vlan while we migrate all of the downstream client hosts. In theory, according to the documentation, this might be possible. However, I haven't found a way to make this work. Has anyone ever succeeded with this? It fails for me identically in 9.4 and 9.6 firmwares. Should I open a TAC, or is it hopeless?
Suppose the interface were:
ip address 192.0.2.1 255.255.255.0
Further suppose the end goal was "ip address 198.51.100.1 255.255.255.0", and the MAC address of the interface was 0000.1111.2222.
According to the command reference for "arp" and "route", an intermediate state with both the new address 198.51.100.1 and the old address 192.0.2.1 active at once might be obtainable by:
arp xxx 198.51.100.1 0000.1111.2222 alias
route xxx 198.51.100.0 255.255.255.0 192.0.2.1
However, that route statement produces
ERROR: invalid next hop address 192.0.2.1, it matches our IP address
Alternatively "route xxx 198.51.100.0 255.255.255.0 198.51.100.1" doesn't produce an error, but the new subnet doesn't work, either.
As it happens, I do have an extra physical interface, and can make this ploy work; I've tried it successfully in my test lab. You can't, apparently, have two subinterfaces with the same vlan tag, so you do need an entire spare interface.
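As an added illustration, not the asker's own configuration, here is the spare-interface arrangement described in the last paragraph written out as an ASA configuration fragment. The addresses are the ones used above; the interface names (GigabitEthernet0/1.10, GigabitEthernet0/2), the VLAN number 10, the nameif values, the security levels and the switch-side port setup are all assumptions.

```cisco
! Added example, not from the original post. Assumed: the trunked
! subinterface is GigabitEthernet0/1.10 on VLAN 10, and the spare
! physical interface is GigabitEthernet0/2. Addresses are those above.
!
! The old subnet stays on the subinterface, so hosts that have not been
! renumbered yet keep working.
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! The new subnet goes on the spare physical interface. On the switch,
! put that port in VLAN 10 as an access port (assumed), so both ASA
! interfaces share one broadcast domain and a host can be renumbered
! in place without being re-patched.
interface GigabitEthernet0/2
 nameif inside-new
 security-level 100
 ip address 198.51.100.1 255.255.255.0
 no shutdown
!
! Both interfaces sit at the same security level; without this line,
! hosts still on 192.0.2.0/24 cannot reach hosts already moved to
! 198.51.100.0/24 through the firewall.
same-security-traffic permit inter-interface
```

Two things to check before relying on it: access-groups and NAT rules are bound to the nameif, so anything applied to "inside" needs an equivalent for "inside-new" for the duration of the migration; and once the old subnet is empty, the clean finish is to remove the address from GigabitEthernet0/2, put 198.51.100.1 on the subinterface, and hand the spare port back, rather than leaving two interfaces in one VLAN permanently.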