Marius, This particular PC has 2 physical interfaces associated with it, G0/4 and G0/5. It was being used in the past but is no longer being used. The other 6 physical interfaces are already being used for other purposes. By removing the PC2, this will free up 2 physical interfaces, one of which (G0/4) will be used as the new outside interface.   Thanks for the feedback!  ... View more

Marius,   Thank you so much for your comments and help. I have decided to go with Method 1 in an attempt to keep the configs as consistent as possible. I have all the relevant CLI configs in a script ready to go as you suggested. here is a synopsis of my work plan:   1) shutdown interface on the switch going to the secondary ASA:          QTS-AGG-1B# int po5                                   shut   2) shutdown failover interface on secondary ASA:          qts-fwprod-1a# interface GigabitEthernet0/7                                                shut   3) change the configuration on standby ASA 3a) Remove the Po2 subinterface 2.1101:          qts-fwprod-1a# no interface Port-channel2.1101 3b) Remove the Po2 port channel interface: (This PC is not being used for anything, one of its member ports Gi0/4 will be used as the new outside interface)        qts-fwprod-1a# no interface Port-channel2   3c) Remove the Po1 subinterface 1.1001 (current outside interface)        qts-fwprod-1a# no interface Port-channel1.1001   3d) Configure Gigibitethernet0/4 as the new outside interface        interface GigabitEthernet0/4          nameif outside          security-level 0           ip address 64.x.x.6 255.255.255.128 standby 64.x.x.7   3e) Reconfigure NAT Rules that were deleted when old outside interface was deleted (separate file)   3f) Reconfigure Site to Site IPSec VPN that was deleted when old outside interface was deleted (separate file)   3g) Apply access list "outside_in" to new outside interface         qts-fwprod-1a# access-group outside_in in interface outside 3h) Reconfigure static default route that was deleted when old outside interface was deleted          qts-fwprod-1a# route outside 0.0.0.0 0.0.0.0 64.x.x.1   3i) Physically connect Gi0/4 of firewall to port G1/0/46 on Edge Switch B   4) shutdown port on the switch going to primary ASA   QTS-AGG-1A# int po4                           shut 5) no shutdown on interface on the switch going to the secondary ASA         QTS-AGG-1B# int po5                                   no shut Test changes If all is OK, take full backup of running configuration, pull the power on the primary ASA and no shutdown interface on switch going to primary ASA (Po4) as well as failover interface on standby (G0/7). Add power back to primary ASA and verify configuration is successfully copied to the primary (standby) ASA. failover back to primary ASA ... View more

Marius, Thanks so much for the reply. I appreciate the thoughtful response. For Method 2, is this done on the Primary/Active Firewall? This seems like a much cleaner approach that would only cause a minor traffic interruption when the IP address is moved to the new outside2 interface. Also, will the access list associated with the old outside interface (outside_in) be deleted from the running config when the old outside interface is deleted from the config? Or will it persist? Labbing it up on my spare ASA here it doesn't look like the ACL is removed after deleting the interface, but I just wanted to check what your experience was. I know the NAT rules and VPN configs will be deleted.    Thanks.  ... View more

Peter, I know im about 4 years late to the game on this post but, are there any negative design considerations when using VLAN SVI's as the L3 interfaces in OSPF vs using physical L3 interfaces? VLAN SVI's dont typically go down unless all of the physical links carrying that VLAN go down, how can this fact impact OSPF operation?   Thanks. ... View more

Thank you Reza/Leo,   Im assuming if I gamble and dont upgrade the ROMmon it could potentially cause some system instability if I try running the new code on the old ROMmon version? ... View more

Rahul,   Thanks! In my current situation I have an ID cert by GoDaddy in TP2 but the CA Cert (also by GoDaddy) is in TP0. This is not a problem? The ASA will package both up and send those to the client automatically?   Thanks. ... View more

Rahul,   I genuinely appreciate your responses. I apologize as we may have been responding simultaneously. I have one more question. The way I am understanding this is that the ID Cert and the CA cert should usually be in the same TP, this way the ASA can present the entire chain to the client. Otherwise, only the ID cert will be used, which may or may not be completely trusted by the client. Is that correct? ... View more

Thanks Rahul, you are saving my bacon here!! ... View more

Rahul,   Thank you for the response. So a "trustpoint" is a container that ties an ID Cert to a CA Cert, creating a "cert chain" the ASA can send to the Anyconnect client? Should the ID Cert and the CA Cert always be in the same TP?     Thanks. ... View more