Migrating from FWSM to ASA Service Module (ASASM)

I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
Thanks in advance.

So long as the chassis has enough power to power these modules you are good.
Up to 4 FWSMs can be installed in a chassis.
Up to 4 ASA-SM modules can be installed in a chassis.
FWSM:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
• Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
ASA-SM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
-Kureli
Check out my breakout session at Cisco Live 2013, Orlando, Florida.
BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

Similar Messages

  • Context Migration from FWSM to ASA

    Hi there,
    What would be the best way to migrate a context from FWSM to ASA (non-SM) with minimal downtime and effort?
    I am thinking of these steps:
    1) Preconfigure the new ASA with the same IP address as the FWSM for the interfaces (keep the ASA subinterfaces in shut state), and configure access rules.
       (I want to retain the same IP for the interfaces, since there are many hosts behind the FWSM with this gateway IP configured.)
    2) Shut the context-specific interfaces on the FWSM and bring up the context-specific interfaces on the ASA.
       (Also a query: if I introduce the ASA into the network with the same IP as the FWSM, though the interfaces would be in shut state, should I expect any IP conflicts?)
    Thanks

    Hi,
    Well, you probably have the option to configure the old FWSM's interface MAC address on the ASA's corresponding interface manually; this way there will be no change in the ARP from the perspective of the server/host.
    I guess depending on if you have a single firewall or failover firewall the command is a bit different as you define either 1 or 2 MAC addresses.
    I think this was the command to modify the MAC address
    http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205
    - Jouni

  • ASA Service module shut down and on automatically

    Hello,
    I have an ASA service module which is inserted in a 6509 chassis.
    This morning when I came to the office I noticed my ASA service module was restarted last night, but the 6509 was up.
    One more thing: we don't have failover. We only have a single ASA service module.
    ASA SM version is 8.5.
    Below is the failover history and details:
    ciscoasa up 17 hours 11 mins
    ------------------ show crashinfo ------------------
    No crash file found.
    ------------------ show failover history ------------------
    ==========================================================================
    <--- More --->
    From State                 To State                   Reason
    ==========================================================================
    14:28:40 UTC Apr 7 2013
    Not Detected               Disabled                   No Error
    Can anyone tell me why this happened?
    Thanks in advance,
    Khem

    Hi,
    Would seem to me that it would be best to check this through Cisco TAC to determine the cause.
    It would seem though that no Crashinfo file was generated, so that's kinda strange.
    You should be able to confirm if the ASASM is set to save a crashinfo file with the command "show crashinfo save"
    - Jouni

  • ASA Service Module on 6500 monitoring console session

    We have a 6500 with an ASA Service Module.
    On the 6500, how can we configure it so that if someone logs in to the ASA Service Module and reboots the firewall, we have logs of it in the syslog of the switch?
    Thanks for help

    I hate to answer my own posts, but here it is.  TAC tells us that there are 2 choices to make this work.  Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers.  I guess that's progress.
    Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitch's interfaces and treat it just like the etherswitch is a separate physical switch.  I'm sure there is a use case for that but I'll not cover that here.
    Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router.  This is what we'll do.
    On our router ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box.  The router will be 10.0.0.1 and the switch will be 10.0.0.2.
    Router:
    interface Ethernet-Internal 1/0/0
     service instance 1 ethernet
      encapsulation dot1q 50
      rewrite ingress tag pop 1
    interface BDI 1
     mtu 9216
     ip address 10.0.0.1 255.255.255.0
    Switch:
    interface Gi0/18
     switchport trunk allowed vlan 50
     switchport mode trunk
    vlan 50
     name Egress vlan
    interface vlan 50
     ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question.

  • Does ASA Service Module on 6509-E support Remote Access VPN ?

    I'm having a problem configuring Remote Access VPN (SSL, AnyConnect, etc.) on an ASA Service Module in a 6509-E. Is this even supported, or am I wasting my time trying to make something work which will not work in the first place :) ? Site-to-Site works without any problems.
    Tech Info:
    6509-E running SUP 2T 15.1(2)SY
    ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
    Licenses on ASA:
    Encryption-DES - Enabled
    Encryption-3DES-AES  -Enabled
    Thanks in Advance for support.

    Are you running multiple context mode?
    If you are, remote access VPN is not supported in that case:
    "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
    Reference.

  • Migration from SQL Server Reporting Services to Oracle Reports 10g

    Hi,
    I have a few reports which have been created using Microsoft SQL Server Reporting Services. Now I want to create similar reports using Oracle Reports 10g.
    Will I need to start the creation from scratch, or is there a migration tool that would reduce the effort?
    Thanks in advance.

    Note there's a lot of useful info on sqldev's homepage (Learn More tab): migration docs and examples.
    Regards,
    K.

  • ASA Service Module with Packeteer

    I have a customer about to install an ASASM in a 6800 switch. Their previous setup was an ASA 5520 connected to 4500 core switch with a Blue Coat Packet Shaper sitting between the inside interface of the ASA 5520 and 4500.
    With the ASASM backplane connected to 6800, it seems impossible to direct the inside traffic to a physical port on the switch, then through the packet shaper, and then back into switch.
    I do know that the packet shaper can monitor the traffic from the inside interface using port mirroring, but the customer would lose the ability to actually shape Internet traffic.
    I have a TAC case open, and they are currently trying to figure out if this is possible. I am asking here to see if anyone has already attempted a scenario like this.
    Thanks.

    Hi Nick,
    Take a Look here.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#wp1053927
    Gereinigt
    Michael

  • Upgrade from FWSM to ASA 5555Xs

    Hello,
    We would like to decommission our FWSMs and upgrade to the ASA 5555Xs. This leads me to ask the following: What would be the most efficient way of doing this without any interruption to production? Has anyone successfully accomplished this? If you have, please share your experiences and the caveats involved in this project.
    Thanks!

    There will be some downtime.
    1. You can configure the 5555s ahead of time off line as a failover pair with the same config as in the FWSM pair.
    2. On the day of cut over. Power down the FWSMs and plug the ASAs into the network.
    3. If the config is the same and same IP address is used on the ASAs then, clear the ARP cache on all adjacent L3 devices.
    4. Test connectivity.
    There will be slight downtime which cannot be avoided. This cannot be hitless when you are switching platforms.
    -Kureli

  • Is the ASA Service Module considered a Next Generation Firewall?

    Thank you!

    The term does not have a standard meaning. However, as Cisco uses it, it refers to a platform capable of running their NGFW services (AVC, WSE and IPS running on a CX module).
    In that usage the answer is no. The ASA SM is not capable of running the CX module and associated software. Reference 1. Reference 2. 

  • Firewall service module vs ASA

    Hi
    Someone told me that the Cisco firewall service module of the 6500 has poor performance compared to the ASA.
    What do you recommend as a core firewall (to protect internal servers): ASA or firewall service module?
    thanks

    Hi,
    We are using 5 FWSMs at the moment but are moving away from them to ASA5585-X models.
    I wouldn't suggest going to FWSMs anymore at this point if you have any plan on having support for new features.
    End Of Life and End of Sale Notice
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html
    The successor to the FWSM is the ASA Service Module, which supports the newer software (while the FWSM doesn't). Here's a link to a document about the ASASM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/data_sheet_c78-672507.html
    Also you could always consider separate ASA models. Here are links to both the original ASA 5500 series and the new ASA 5500-X series
    ASA 5500 Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
    ASA 5500-X Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
    I guess the question for you is what are the requirements for the device regarding performance. All of the above documentation should give you a clue about which model might be the best for you.
    - Jouni

  • Config migration from ASA5540 to an ASA5545-X?

    Just a quick question that I want to confirm.
    Customer has an ASA5540 at their main location and needs a new ASA5500 for a DR site.
    Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or whatever?
    They are going to be using it as a VPN concentrator primarily.
    Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X?
    Or if they upgrade to 9.0(1) or higher, then they should be the same?
    Thanks.

    Richard,
    Felipe is correct regarding the syntax compatibility. 5500-X models will most likely be shipped with 8.6. (A couple I unboxed in the last two months had that.) 8.6 releases were specific to -X series (8.5 for ASA services module and 8.4 for classic 5500 series).
    Personally I like standardization and would just put them all on 9.0(1) software - even though it's not a requirement for interoperability and configuration compatibility. 9.1 adds no features or bug fixes to the base system - only adds support for CX (with the required SSD also having to be added) - so I've not been loading that.
    Remember that if you are exporting VPN configurations, the pre-shared keys (if you're using PSKs on your VPNs) are not included by default. You need to back up using "more system:running-config" (after a "term pager 0") or a similar approach.
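
The pre-shared-key caveat above can be checked before a saved config is relied on for a migration or DR restore. The following is an added example, not part of the original thread: it scans a config backup for secrets that were saved as asterisks. The sample configs, hostnames, addresses and key values are constructed, and it assumes masked values appear as a run of three or more asterisks.

```python
import re

# Assumption: a masked secret is a token made only of asterisks.
MASK = re.compile(r"^\*{3,}$")

# Constructed sample of a backup taken with "show running-config":
# secrets are replaced by asterisks and cannot be restored from this file.
MASKED_BACKUP = """\
hostname dr-asa
banner login ********************
failover key *****
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed sample of a backup taken with "more system:running-config":
# the same config with the (made-up) key values present.
FULL_BACKUP = """\
hostname dr-asa
banner login ********************
failover key EXAMPLE-FAILOVER-KEY
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-1
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-2
"""


def find_masked_secrets(config_text):
    """Return (line_no, context, keyword) for every line whose value is masked.

    context is the enclosing top-level line (for example the tunnel-group)
    for indented sub-commands, or "(global)" for top-level commands.
    """
    findings = []
    context = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or comment
        if tokens[0] == "banner":
            continue  # banners often contain decorative asterisk rows
        indented = raw[0].isspace()
        if not indented:
            context = raw.strip()  # a top-level line opens a new context
        for i, tok in enumerate(tokens):
            if MASK.match(tok):
                where = context if indented else "(global)"
                findings.append((line_no, where, " ".join(tokens[:i])))
                break
    return findings


def is_restorable(config_text):
    """True when no secret in the backup has been replaced by a mask."""
    return not find_masked_secrets(config_text)


if __name__ == "__main__":
    for name, text in (("masked", MASKED_BACKUP), ("full", FULL_BACKUP)):
        print(name, "restorable:", is_restorable(text))
        for line_no, where, keyword in find_masked_secrets(text):
            print(f"  line {line_no}: '{keyword}' is masked in {where}")
```

A backup that passes this check contains live keys, so it should be stored and transferred with the same protection as the keys themselves.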

  • Migration from WLI2.0 to WLI2.1 - problems and solutions

    We have experienced a number of issues when migrating from WLI2.0 (no service packs)
    to WLI2.1 - We are only using the WLPI (BPM) part of WLI. We decided to publish
    these issues in case they can be of help to others.
    Problems:
    1. The documentation (http://edocs.bea.com/wlintegration/v2_1/migrate/4zubemig.htm#998197)
    says the migration process works from WLPI 1.2.1 and from WLI 2.0 (SP2, 3, 4).
    What about WLI2.0 with no service packs - I don't see why BEA should have left
    out migration from that platform. We decided to follow the process and see what
    happened.
    2. There is no indication in the documentation of how to run the GUI based migration
    tools on Unix, only for Windows so we had to follow the manual route.
    3. The Manual process refers (http://edocs.bea.com/wlintegration/v2_1/migrate/4zubemig.htm#999969)
    to the DB variable setting scripts. It then says to run "migratedb.sh". None of
    these files have extensions ".sh" - the files that were installed have no extension.
    Obviously that did not stop us running them but the documentation needs correcting.
    4. The migratedb script calls "WLI_HOME/setenv.sh" - it is confusing that there
    is a second copy of this file in the bin folder called "setenv". Why are there
    2 copies? Also I note that the one in bin is executable and the other is not.
    All very confusing!!
    5. The migratedb script fails to run because we have not previously run setDomain.
    This is not documented.
    6. Running setDomain on a domain moved from a WLI2.0 installation fails since it
    does not contain the expected folders. That basically means you cannot migrate
    such a domain. We carried on with the process using the bpmdomain so that we could
    at least migrate our database automatically.
    7. Having run setDomain, we tried migratedb again but it failed because we had
    not run switchdb. Again, this is not documented. We ran switchdb successfully.
    8. Now running migratedb creates a file called "migrate.sh". Unfortunately the
    script migratedb then attempts to run a file called "migrate". This is evidence
    that no-one has ever tested this script at BEA and we are very disconcerted by
    this fact!! We renamed the script and ran migratedb again - this time it ran the
    migrate script.
    9. This still fails with the following errors (when calling migrateCommonRep)
         -v (No such file or directory)
         null
         java.lang.NullPointerException
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Class.java:120)
         at com.bea.eci.migration.Migrate.getConnection(Migrate.java:207)
         at com.bea.eci.migration.Migrate.main(Migrate.java:73)
         java.lang.NullPointerException
         at com.bea.eci.migration.Migrate.main(Migrate.java:192)
    10. It also fails because it cannot find "sqlplus" - a fatal problem - we do not
    have sqlplus installed on the same machine as WLI and yet again this requirement
    is not documented. At this point we gave up trying to run the migrate script as
    there seemed to be no route forward.
    The process we took to move from WLI2.0 (WLPI only) was as follows:
    a. Since we had done no changes to filerealm.properties we simply copied the one
    from bpmdomain into our own domain.
    b. We have been unable to run the step to migrate the common repository (see note
    9). If this is referring to the XML repository then that should not be a problem
    to us as we have not used it.
    c. We moved the "migrate/BPM_20SP3-21.sql" script to an NT machine and ran that
    script on our database. This seems to have successfully updated the database.
    Lastly, having completed the migration process we tried to run the server but
    it fails. This is because the startWeblogic script fails to call checkdomain properly.
    We modified the line to become:
         ". $WLI_HOME/bin/checkdomain"     # the '.' was missing
    Does anyone else have any experiences with this that would help us all?
    Pete

    Pete,
    Please post this to the weblogic.integration.interest and weblogic.integration.developer newsgroups?
    Developer Relations Engineer
    BEA Support

  • Migration cisco concentrator to ASA

    Hi,
    We want to migrate from a concentrator to ASA.
    I know that there was a Cisco internal tool to adapt the concentrator configuration.
    Is this tool still internal or could it be downloaded somewhere?
    Thanks for your help.

    Hi Martin,
    What version of Concentrator are you currently using?  If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link  (see "Product Migration Options" at the bottom of the document)
    http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
    Mike

  • How do I set up a proxy server for webmail services to assist in migrating from NMS 4.15p6 on NT to iMS 5.1 on HP-UX.

    I want to have minimal if no downtime at all when moving the message store. iPlanet support hinted at an "unsupported" proxy server solution, and would give no further information. I am running the MMP with 5.1 and that supports IMAP and POP migration, but I need support for webmail services as well to complete the migration from NT to UNIX with minimal disruption of thousands of users. I am using the MoveUser utility to move the message store in hopes that will clear up some store corruption we have been seeing.

    To get this in a 'supported' fashion you might want to wait until the iMS 5.2 release. iPlanet has said this release would include a webmail proxy/mmp server to do exactly what you desire.
    A proxy server would not be a solution to your problem as it would have to have access to and knowledge of the user's mailhost attribute to determine to which host to route the webmail connection. The webmail proxy/mmp will have this functionality.
    You might want to contact your iPlanet rep about this product and maybe you could get a copy of it as part of a beta program. I know iPlanet is always looking for opportunities for feedback like this.
    -Chris

  • Question on how does load balancing work on Firewall Services Module (FWSM)

    Hi everyone,
    I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
    I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
    Please see the simple figure below.
    outside                        inside
    --- L3 SW --+
                |
       MHSRP    +--- FWSM ----
                |
    --- L3 SW --+
    I am going to configure the following default routes on FWSM point to each MHSRP VIP (192.168.13.29 and 192.168.13.30) for load balancing.
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1      
    However, I don't know how load balancing works on FWSM.
    On FWSM, does load balancing work based on
    Per-Destination?
    Per-Source?
    Per-Packet?
    or
    Other criteria?
    Your information would be greatly appreciated.
    Best Regards,

    Configuring "tunnel default gateway' on the concentrator allowed traffic to flow as desired through the FWSM.
    FWSM is not capable of performing policy based routing, the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.
