04-05-2016 10:39 AM
TL;DR: will a config-sync all restore certificates and keys to an ADX 1000 that has been replaced with a new RMA unit?
We have a pair of ADX 1000s running L2 code version 12.5.01bT401 configured in Hot-Standby HA. Eight of our VIPs in that pair use SSL offloading with the certs on the ADX. Recently support diagnosed an issue we have on one of the units in that pair as a failing memory module. They sent us an RMA replacement unit.
My question is, what is a rough order of operation in the swap out? At a minimum, we need to edit the HA config to reflect the new unit's MAC address, correct? So far we have upgraded the firmware on the replacement unit, added the licenses including SSL and restored the configuration from nightly backup. The restore errors out partially because the SSL certificates and keys are missing. Article number 000004269 states you need to re-import all certificates and keys. But wouldn't a config-sync all restore that if the unit is up and operating in HA mode again?
Any information will be greatly appreciated.
04-11-2016 04:54 PM
We got the unit swapped out with the RMA replacement. In the end, it was a fairly painless undertaking. Here was the order of operations that worked for us:
1. Upgrade the new unit with our production system image version
2. Install license files. In our case we needed two, one of which was for SSL offloading. NOTE: we needed to work with support to get the SSL license reissued using the RMA replacement unit's LID
3. Restore the system configuration from backup
4. Power down the failing HA member (in our case call it ADX01)
5. On the current sender (call it ADX02) change the config-sync partner MAC address to match the MAC of the config-sync port on the new replacement unit
6. Replace ADX01 with the new unit
7. Reconnect all interfaces, in particular the config-sync port (double check the MAC on the peer)
8. On current sender, ADX02, run "config-sync full" (answer yes to reload the peer, ADX01)
9. Verified that the new ADX01 has all SSL profiles, keys and certificates
Special note: The "config-sync full" command will clear out your SSH settings if you have SSH configured. You will need to re-enable SSH and gen the RSA keys.