Re: asa 8.2 to 8.3 config conversion from Jay McMickle on 2013-08-27 (Ccielab archives 08/2013)

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Tue, 27 Aug 2013 19:00:11 -0500

My two cents-
We went through an upgrade failure last weekend and re-attempting this weekend.

We hit a bug in 8.4.5. The correct upgrade path is 8.2.5 to 8.4.6 to 9.1.2.

This pair was a 5585-20-SSP and we didn't have anything on the shelf to do an offline upgrade. Since the 5585's were the first SMP code, they go down to 8.2, but all other x series start at 8.6. So, a SMP to non-SMP was needed, but then the number if interfaces became an issue. We ended up braking the failover the morning of the upgrade since we only had a 15minute window, but hit the bug in 8.4.5 (nat's were converted but ACL's were not). We still have failover broken and we've upgraded it, waiting for our 15min outage window this weekend.

In the long run, skip 8.3 and 8.4.5. Use 8.4.6 as your interim stop for the NAT conversion and then to 9.1.

I hope that helps.

Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
Sent from my iPhone 5

On Aug 27, 2013, at 11:47 AM, Tauseef Khan <tasneemjan_at_googlemail.com> wrote:

> Thanks Rayn, That's what I was looking for.
>
> Kind regards
>
> Tauseef
> mobile: +44 7837209187
>
>
> On 27 August 2013 17:24, JB Poplawski <jb.poplawski_at_gmail.com> wrote:
>
>> Throw the image and let it fly? LOL - Have TAC on the line and ready.
>> Get a 5505 a sim it up. Better to be safe than sorry.
>>
>>
>> On Tue, Aug 27, 2013 at 8:55 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>>> Might want to try this one -
>>>
>>> http://www.tunnelsup.com/nat-converter
>>>
>>> that should get you into 8.3+, but if you're planning on running 9.x, you
>>> may want to run 8.4 first and then switch to 9.x and let any other
>>> conversions take place there.
>>>
>>> Also, if you do use the ASA to upgrade from 8.2 to 8.3 and you're running
>>> any remote access VPN's, be prepared for them to break. It's usually an
>>> out of order NAT and a quick fix.
>>>
>>> -ryan
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Sadiq Yakasai
>>> Sent: Tuesday, August 27, 2013 11:24 AM
>>> To: Tauseef Khan
>>> Cc: Cisco certification
>>> Subject: Re: asa 8.2 to 8.3 config conversion
>>>
>>> Sure np.
>>>
>>> One little observation though - the FWSM does not use 8.x software
>>> release train though .... 8.x is exclusive to ASA. FWSM latest train stops
>>> on 4.x.
>>>
>>> Back to your query though; you might want to try converting FWSM-> ASA pre
>>> 8.3 -> ASA 8.3+
>>>
>>> Would that work?
>>>
>>>
>>> On Tue, Aug 27, 2013 at 4:13 PM, Tauseef Khan <tasneemjan_at_googlemail.com
>>>> wrote:
>>>
>>>> thanks for the help but its a FWSM to ASA migration.
>>>>
>>>> Kind regards
>>>>
>>>> Tauseef
>>>> mobile: +44 7837209187
>>>>
>>>>
>>>> On 27 August 2013 15:54, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>>
>>>>> You do not have to 'convert' the configuration. Just stick the new
>>>>> image on the firewall(s) and boot them up. The configuration should
>>>>> pretty much convert itself.
>>>>>
>>>>> PS: Note that NAT exemption is no more available in 8.3+ and is
>>>>> replaced by Identity NAT, so keep an eye out for that! I cant think
>>>>> of anything else you should worry about at the moment.
>>>>>
>>>>> Hope that helps abit.
>>>>>
>>>>> Sadiq
>>>>>
>>>>>
>>>>> On Tue, Aug 27, 2013 at 3:46 PM, Tauseef Khan <
>>> tasneemjan_at_googlemail.com>wrote:
>>>>>
>>>>>> Does any one know if there there a script available to convert ASA
>>>>>> 8.2 to post 8.3 configs Kind regards
>>>>>>
>>>>>> Tauseef
>>>>>> mobile: +44 7837209187
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> ____________________________________________________________________
>>>>>> ___ Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>>> --
>>>>> CCIEx2 (R&S|Sec) #19963
>>>
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Tue Aug 27 2013 - 19:00:11 ART

This archive was generated by hypermail 2.2.0 : Sun Sep 01 2013 - 08:35:51 ART