
Cisco WSA Migration from Hardware to virtual

Hi,
We are using Cisco Secure Web Appliance (S690) as proxy servers (2 units) for the Internet connection. Since the devices are reaching EOS, we are planning to migrate them to VMs.

Also, at present the two appliances are in our DC and DR in standalone mode. After moving to VMs, we need to configure them in High Availability mode.

Can anyone kindly help us out with specific recommendations and documents for the above use case?


amojarra
Cisco Employee

Hello @rameshkumarnakka

Hope you are doing well.

There are a couple of items that I would like to share with you: 

[1] For migration, there won't be any issue; you can import the configuration from the S690 to your S600v. Kindly be advised that Network Configuration, Joining the Domain(s), certificates, and licenses should be configured separately.

[2] Regarding the Virtual WSA, I would say it is best to take a look at these links before starting the deployment:

Ensure Proper Virtual WSA HA Group Functionality in a VMware Environment - Cisco

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-va-install-guide/virtual-appliance-install-guide.html

[3] WSA has a high availability feature, which is Active/Passive. If you are looking for Active/Active (load balance), I would suggest:

Load balancing using WCCP or using a Network Load Balancer.

On the other hand (if you are using Explicit Deployment), you can have the load balance via a PAC file or the client's proxy configuration, by pointing some users to WSA-A with WSA-B as the secondary proxy server, and vice versa.

[4] You can find the steps, limitations and considerations in deploying High Availability in the user guide: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Connect, Install, and Configure [Cisco Secure Web Appliance] - Cisco

[5] In case you are using Kerberos and planning to use a Network Load Balancer, kindly review the "Creating an Active Directory Realm for Kerberos Authentication Scheme" section of the user guide:

User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Acquire End-User Credentials [Cisco Secure Web Appliance] - Cisco

Please feel free to let us know if there are any questions or concerns.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++


Hey @amojarra, thank you for the above text, but when I was uploading the configuration file it showed an error like "P2 interface error at line 32".

I've cross-verified and found that the 690 has P1 and P2 interfaces, but in the virtual version I can't see the P2 interface.

amojarra
Cisco Employee

Hello @rameshkumarnakka 

Thank you so much for the update.

So, for this issue:

[1] You can check the number of your NICs from the VM level or from the CLI > etherconfig.

Please be advised that, even if you are not using all 5 interfaces, your VM should have them all.

[2] On the other hand, if you are getting an error related to the P2 interface while importing the configuration, you can manually delete those tags from your configuration file (if you are not going to use those interfaces).

As an example, if you would like to remove the M2 interface, please:

[2-1] Remove everything under the <port_interface> tag,

for example all of these tags and sub-tags:

<port_interface>
      <port_name>M2</port_name>
      <direct>
        <jack>M2</jack>
      </direct>
</port_interface>

This is the physical definition of the M2 interface.

Note: that will be the same for P2 or T1 .... if you don't have them, you can remove them.

[2-2] And if there is any IP configured for that interface, and you don't need to import it to your virtual WSA, please remove everything inside the <interface> tag related to that interface,

for example remove all of these:

<interface>
      <interface_name>M2</interface_name>
      <ip>10.20.3.15</ip>
      <phys_interface>M2</phys_interface>
      <netmask>24</netmask>
      <interface_hostname>Amir-SWA</interface_hostname>
</interface>

This is the layer 3 configuration of the M2 interface.

[2-3] You might get another error for the interface as well, which most probably you will, so please remove everything under the tag related to that interface as well,

for example remove all of these:

<ethernet>
      <ethernet_interface>M2</ethernet_interface>
      <media>autoselect</media>
      <media_opt></media_opt>
      <macaddr>40:40:40:40:40:40</macaddr>
</ethernet>

This is the layer 2 configuration of the M2 interface.

On the other hand, please feel free to open a TAC case; we will be more than glad to assist you.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
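The three-step cleanup described in the reply above (drop the <port_interface>, <interface> and <ethernet> blocks of an interface the virtual appliance does not have) can be automated and then verified before the file is uploaded. This is an added example, not Cisco's tooling or anything posted in the thread; it assumes the exported configuration is plain XML whose blocks look like the fragments quoted above, and the sample configuration embedded in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragments quoted in the reply; the
# <interfaces> wrapper is an assumption (the search below is tree-wide).
SAMPLE_CONFIG = """<config><interfaces>
  <port_interface><port_name>M1</port_name><direct><jack>M1</jack></direct></port_interface>
  <port_interface><port_name>M2</port_name><direct><jack>M2</jack></direct></port_interface>
  <interface><interface_name>M1</interface_name><ip>10.20.3.14</ip>
    <phys_interface>M1</phys_interface><netmask>24</netmask></interface>
  <interface><interface_name>M2</interface_name><ip>10.20.3.15</ip>
    <phys_interface>M2</phys_interface><netmask>24</netmask></interface>
  <ethernet><ethernet_interface>M1</ethernet_interface><media>autoselect</media></ethernet>
  <ethernet><ethernet_interface>M2</ethernet_interface><media>autoselect</media></ethernet>
</interfaces></config>"""

# Block tag -> child that carries the interface name (steps 2-1, 2-2, 2-3).
NAME_TAGS = {
    "port_interface": "port_name",     # physical definition
    "interface": "interface_name",     # layer 3 configuration
    "ethernet": "ethernet_interface",  # layer 2 configuration
}
# Every element whose text is an interface name, used for the final check.
REF_TAGS = set(NAME_TAGS.values()) | {"jack", "phys_interface"}

def remove_interface(xml_text, iface):
    """Drop every block named `iface`; return (cleaned_xml, blocks_removed)."""
    root = ET.fromstring(xml_text)
    doomed = []
    for parent in root.iter():
        for child in parent:
            name_tag = NAME_TAGS.get(child.tag)
            if name_tag is None:
                continue
            name_el = child.find(name_tag)
            if name_el is not None and (name_el.text or "").strip() == iface:
                doomed.append((parent, child))
    for parent, child in doomed:  # mutate only after the walk has finished
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)

def referenced_interfaces(xml_text):
    """Interface names still referenced anywhere in the file. Confirm the
    removed name is absent before uploading to the virtual appliance."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag in REF_TAGS and el.text and el.text.strip()}
```

Run `remove_interface(config_text, "P2")` on the real export and check that `referenced_interfaces` no longer returns "P2"; a leftover reference (for example a <phys_interface> inside another block) is exactly what produces the import error the reply describes.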