Moving a subinterface to a new firewall

lewis.hinton1
Level 1

Hello,

I am currently in the process of taking an existing firewall and moving all of the sub-interfaces over to a new ASA 5585. An SNMP server sits on the trusted side of the firewall, and it polls agents on the untrusted sub-interfaces of the firewall.

On the trusted side nothing is changing: the gateway stays the same regardless of whether it is going via the old or new firewall. The migration process involves me shutting down the sub-interface on the old firewall and then bringing up the interface on the new firewall using the same IP addresses and ACL rules. I have tweaked the syntax of the firewall slightly, but it is merely object-group names that are changing. In between I will have to alter the VLANs on the untrusted side to make another switch the root bridge, but I do not think this is causing any problems.

Once I bring up the new interface everything works as it should: the firewall can ping everything in the VLAN and so can the SNMP server, so I know it is getting from end to end. The issue lies with SNMP itself. If the process is not stopped on the server then it will lose connectivity during the migration, but once the interface is restored it will continue to time out, even though it can ping the agents.

Initially, the workaround was to restart the server, which restored SNMP. So I know it is not the rules on the firewall, as the connection comes back when the server is restarted. Another workaround is to pause the polling for each individual agent before moving the interface. Once it is migrated and restarted it comes back again.

However, this is not practical as the server monitors thousands of agents, so we cannot continuously restart the server or go through and stop each one.

Am I missing something completely, or is it solely a server issue? Colleagues have many theories, but I am thinking it is session related. I do not think it is possible, but can existing sessions be mirrored onto the new firewall?

If anyone has any ideas then it would be greatly appreciated, as I'm no firewall expert! :)

I still think this is an issue with the client software on the server, but you never know.

Thank you for your help.
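One check that helps separate the two possibilities raised in this post (a firewall/network problem versus a polling process that is stuck on the server) is to send a single SNMP GET to an agent from a host on the trusted side, independently of the NMS, after the sub-interface comes up on the new firewall. The following is an added example, not code from the thread or from Cisco: a minimal SNMPv2c GET probe written against the Python standard library only, encoding the BER by hand so it runs without extra packages. It is the equivalent of one `snmpget` for sysDescr.0. The agent address, the community string `public` and the 2-second timeout are placeholders/assumptions; substitute the real values for the environment.

```python
"""Minimal SNMPv2c GET probe (added example; standard library only).

Sends one GetRequest for sysDescr.0 to an agent over UDP/161 and reports
whether a GetResponse comes back through the firewall.  Target host,
community string "public" and the timeout are placeholders/assumptions.
"""
import socket
from typing import List, Optional, Tuple

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0 from standard MIB-II


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    if value == 0:
        return ber_tlv(0x02, b"\x00")
    length = (value.bit_length() + 8) // 8      # +8 leaves room for the sign bit
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(oid: Tuple[int, ...]) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # continuation bytes carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_get_request(community: str, oid: Tuple[int, ...], request_id: int) -> bytes:
    """SNMPv2c message carrying a GetRequest-PDU (tag 0xA0) for one OID."""
    varbind = ber_tlv(0x30, ber_oid(oid) + ber_tlv(0x05, b""))   # value is NULL in a request
    pdu = ber_tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
                  + ber_tlv(0x30, varbind))
    # version INTEGER 1 means SNMPv2c
    return ber_tlv(0x30, ber_integer(1) + ber_tlv(0x04, community.encode()) + pdu)


def ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg: bytes, expected_request_id: int
                       ) -> Tuple[int, int, List[Tuple[bytes, int, bytes]]]:
    """Return (request-id, error-status, [(oid bytes, value tag, value bytes)]).

    Raises ValueError for anything other than a GetResponse-PDU (tag 0xA2)
    whose request-id matches the one we sent, so a stray datagram is not
    mistaken for a good answer.
    """
    tag, body, _ = ber_read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = ber_read(body, 0)                # version
    _, _, pos = ber_read(body, pos)              # community
    pdu_tag, pdu, _ = ber_read(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse-PDU")
    _, rid, pos = ber_read(pdu, 0)
    request_id = int.from_bytes(rid, "big", signed=True)
    if request_id != expected_request_id:
        raise ValueError("request-id mismatch")
    _, err, pos = ber_read(pdu, pos)
    error_status = int.from_bytes(err, "big", signed=True)
    _, _, pos = ber_read(pdu, pos)               # error-index
    _, varbinds, _ = ber_read(pdu, pos)
    results, p = [], 0
    while p < len(varbinds):
        _, vb, p = ber_read(varbinds, p)
        _, oid_bytes, q = ber_read(vb, 0)
        vtag, value, _ = ber_read(vb, q)
        results.append((oid_bytes, vtag, value))
    return request_id, error_status, results


def snmp_probe(host: str, community: str = "public", oid: Tuple[int, ...] = SYS_DESCR_OID,
               timeout: float = 2.0, request_id: int = 0x1234) -> Optional[str]:
    """One GET; returns the value as text, or None if no valid answer arrived."""
    packet = build_get_request(community, oid, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:                          # timeout, or ICMP unreachable surfaced as an error
            return None
    try:
        _, error_status, varbinds = parse_get_response(data, request_id)
    except (ValueError, IndexError):
        return None
    if error_status != 0 or not varbinds:
        return None
    return varbinds[0][2].decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    agent = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder agent address
    answer = snmp_probe(agent)
    print(f"{agent}: {'SNMP OK: ' + answer if answer is not None else 'no SNMP response'}")
```

If this probe gets an answer from the same host that the NMS is timing out against, the path through the new sub-interface is passing UDP/161 and the fault is on the polling side; if it also times out while ICMP succeeds, look at the firewall's UDP handling for that flow before restarting anything.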

2 Replies

Dennis Mink
VIP Alumni

It's not clear to me if you already migrated and are running into an issue with your SNMP server, or if you are just seeking advice on how to do this seamlessly?

So first of all, you cannot bring up TCP sessions from one firewall over to another FW. These sessions are stateful and applied on the firewall when traffic gets initiated. So no matter what, you will see a dip.


Hi Dennis,

Thank you for the quick reply; that confirms my suspicions, as I was under the impression that as soon as the interface is shut down then any sessions associated with it will be dropped.

Apologies if it was not clear: the issue will occur on the SNMP server if you leave the server as it is, shut down the interface, move it over, and then bring it back up. In doing so the server will no longer poll the agents; they will just time out and fail to re-establish the connection to the agents. However, it CAN ping, so I know the network is good. If I go with this method, the only way to get the polling working again is to restart the server, which is obviously not ideal.

A workaround was to disable the polling on the server, migrate the interface over, and then re-enable the polling. In doing so it continues to work; however, this will take large amounts of time to go through each one and enable it again.

If you can think of any way to do it seamlessly then great, but I honestly think this is a server issue.
