Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
0
Helpful
4
Replies

Migration from 5515-X to 5516-X

Go to solution
mwood000111
Level 1
Level 1

‎01-18-2019 07:25 AM

CLN,

    A few questions that I have not been able to get TAC to give me a straight answer on, are do I need to move over existing AnyConnect SSL certs or do I have to generate new ones?  Share or rehost license?  Im in the middle of configuring new 5516-X so any assistance/insight/knowledge docs would be greatly appreciated.  Thanks. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2019 08:10 AM

The certificates depend on what type you are using.

 

If you have an externally generated CSR (e.g. you have a copy of the private key used in the request) and CA-issued certificate, then you can import the certificate and private key on to the new ASA.

 

If your AnyConnect licenses are 4.x type (Plus or Apex PAKs issued) then the PAKs can be used across multiple ASAs to create activation keys since the licenses are per unique user, not per device.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2019 08:10 AM

The certificates depend on what type you are using.

 

If you have an externally generated CSR (e.g. you have a copy of the private key used in the request) and CA-issued certificate, then you can import the certificate and private key on to the new ASA.

 

If your AnyConnect licenses are 4.x type (Plus or Apex PAKs issued) then the PAKs can be used across multiple ASAs to create activation keys since the licenses are per unique user, not per device.

0 Helpful

Go to solution
mwood000111
Level 1
Level 1
In response to Marvin Rhoads

‎01-22-2019 05:12 AM

Thanks Marvin.  We do have an externally generated CSR and Ive been able to copy them over.

 

   Ill be deploying these 5516-Xs in HA.  Ive been able to get the primary configured and the config pushed over to secondary but am have not be able to get the anyconnect-win-4.x over to it.  My steps were to get in to ASDM, take full backup of 5515-X, and restore on 5516-X primary.  That worked to get everything over to that node.  Did the same for the secondary but the image mentioned above and XML profiles associated with AnyConnect didnt copy over.  Is there another way to get that on to the secondary?  Do I need to have those files in disk0: on the secondary?  Thanks. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mwood000111

‎01-22-2019 05:24 AM

You're welcome.

 

The AnyConnect images and xml profile file need to be copied onto the secondary unit manually. You do need them on disk there because the unit will require them if it is ever in the Active role.

 

HA synchronization won't sync the file systems - only the configuration.

0 Helpful

Go to solution
mwood000111
Level 1
Level 1
In response to Marvin Rhoads

‎01-22-2019 06:09 AM

Ok that makes sense.  Ill get to work on manually adding the images and XML files, thats not an issue.  Ill let you know if I run in to any further issues.  Appreciate the information.  

0 Helpful
Customers Also Viewed These Support Documents