2960-X and 3650/3850 are solid workhorses, but nowadays they are the legacy product-line and I would go for 9200. Be aware of the needed DNA-licenses that you have to buy also if you don't use DNA. Another option could be to use Meraki MS210/MS225 cloud manages switches. Not that many features as the Catalyst series, but very easy to manage and probably enough features for 90% of the typical customers. ... View more

First, don't call it a cluster. Cluster is a different implementation nowadays. You are implementing a Failover-system.   For your setup, I would add two external switches. One switch connects ISP1 on VLAN 101, the other switch connects ISP2 on VLAN 102. The ASAs are configured with redundant interfaces to both switches and use subinterfaces (with VLANs 101 and 102) for both ISPs. Now the ASA sees two ways to the internet and you can control which traffic to send to which ISP. ... View more

Both failover- and cluster setups are not available with different devices. And I would not try to solve this problem on the user-side. That just does not scale.   The best solution would be to have two identical devices and use HA or clustering. That would be the "native" way of achieving redundancy. If you can not go for a second identical device, perhaps you can monitor the existence of the primary device and in case of failure just change the interface-addresses of the new device to the gateway of the users. That could also be scripted/automated. ... View more

At least that is what I did for a couple of customers. But it always depends on what you want to achieve. Traditionally I had IOS-routers in the branches because of the routing- and VPN flexibility. And of course for direct internet access, we need a firewall. Personally, I don't like the zone-based firewall on IOS. For offices that only need hub-and-spoke traffic we then used ASAs and even got more throughput for the same amount of money. For a different client, where more powerful SD-WAN features are needed we are migrating to a Meraki MX solution and the routers will get removed in the future.   So, yes, you often can replace routers with firewall and in many scenarios it's a good decision. But routers still have their place in the network for example when you want to build partial mesh VPNs with DMVPN or FlexVPN. ... View more

It is very responsible that you want to erase the config before dumping the unit into the trash can. If you don't find the file, you could also physically destroy the unit before dumping it. ... View more

These "why" questions are hard to answer ... Probably because not enough big customers asked for that feature and it is just not implemented. It's a little bit like renaming objects. Initially it was not implemented, but later the feature was available.   For now, as you already found out, you have to duplicate the tunnel-group with the new name (ip) and and adjust all corresponding configuration. ... View more

I have no working example and it would also be highly dependent on the rest of your network. Two ways to achieve that come to my mind: monitor the reachability with "ip sla", act on the result with an EEM-script that changes your  ospf-configuration (not sure if that also works with OSPF) monitor the reachability with "ip sla", use that in a route-map to redistribute or not redistribute the connected or static route. If that all sounds too weird, stick with static routing as it's much less complex. ... View more

Using static routing is much easier and probably much safer as you control by configuration when to start your disaster scenario. If you want to automate that, you could announce the network from the secondary site with high cost and do a conditional announcement on the primary site while the server is reachable. And also ask your application team if that is really a good idea to automate that. ... View more

Unless you have configured PAN failover which is not on by default. But with 1 Core, I assume that you run an ancient ISE-version that does not have that option. ... View more

It all depends on the persona: For monitoring the active role will switch automatically For PSN, there is no primary/secondary as the load is shared by the NADs For Admin, by default there is no change of the role. While the primary admin node is down, it is just not available. That is no problem for most of the functionality when it comes back shortly later. But are you sure that even two cores are enough? Depending on the ISE version that is far less than needed for normal operation. And while being offline also adjust the RAM if needed.   ... View more

And if you want to use TLS instead of IPsec, then there is nothing like NAT-T needed. ... View more

In the licensing portal, you can select you classic license, activate the cortext-menu and convert to smart-license there. I only did that for AnyConnect licenses, but that worked fine. ... View more