Replace an SD-WAN Device

This topic describes how to replace an SD-WAN device through the return merchandise authorization (RMA) process.
The RMA process lets you replace a failed or malfunctioning SD-WAN device at a branch or data center site with a new or reused functional device. A device can fail or malfunction for many reasons, such as a chip failure, a misconfiguration, or ordinary wear and tear. If the device is unusable because of a malfunction or an outright failure, use the RMA process to replace it.
If you replace an SD-WAN firewall in an existing deployment without following the RMA process, commits fail on Panorama™ and on the managed devices.
Before you begin the RMA process:
  • SD-WAN generates configuration objects, such as IPSec gateways and key IDs, from the device serial number. You must therefore update the serial number to that of the replacement firewall so that SD-WAN recognizes the new firewall and commits do not fail. First determine whether your SD-WAN configuration contains IPSec or VPN objects that reference the old firewall:
    • To replace a branch firewall in a high availability (HA) deployment, log in to the hub firewall, select Network > Network Profiles > IKE Gateways, and search for the serial number of the old firewall (entered without white space). One or more results means that SD-WAN still references the old serial number in the gateway configuration; in that case, disconnect the old branch firewall from Panorama and from the HA deployment before you continue.
    • To replace a firewall in a full mesh deployment (no hubs), run the same search for the old serial number on any of the branch firewalls. One or more results means that SD-WAN still references the old serial number in the gateway configuration; in that case, disconnect the old branch firewall from Panorama and from the mesh deployment before you continue.
    • To replace a standalone firewall, you do not need to search for the serial number.
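The serial-number search above is a substring search of the IKE gateway objects. The following added example (not Palo Alto Networks code, and not part of this page) performs the same check offline against an exported configuration so you can confirm the result before touching Panorama. It assumes a PAN-OS style XML export in which IKE gateways sit under network/ike/gateway/entry and the SD-WAN generated gateway names and key IDs embed the serial number; the element layout, gateway names and serial numbers in SAMPLE_CONFIG are constructed for illustration and are not from a real device.

```python
"""RMA pre-check: does any IKE gateway still reference the old firewall serial?

Added example, not Palo Alto Networks code. The XML layout below
(network/ike/gateway/entry with a keyid peer-id) is an assumption for this
example, as are the gateway names and serial numbers.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a hub's IKE gateway configuration (assumed layout).
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <ike>
          <gateway>
            <entry name="sdwan-ike-gw-001234567890">
              <peer-id><id>001234567890</id><type>keyid</type></peer-id>
              <local-address><interface>ethernet1/1</interface></local-address>
            </entry>
            <entry name="sdwan-ike-gw-009876543210">
              <peer-id><id>009876543210</id><type>keyid</type></peer-id>
              <local-address><interface>ethernet1/1</interface></local-address>
            </entry>
            <entry name="partner-vpn">
              <peer-id><id>vpn.partner.example</id><type>fqdn</type></peer-id>
            </entry>
          </gateway>
        </ike>
      </network>
    </entry>
  </devices>
</config>
"""


def normalize_serial(serial: str) -> str:
    """Strip all white space so the search matches the serial as SD-WAN stores it."""
    return re.sub(r"\s+", "", serial)


def find_gateway_references(config_xml: str, serial: str) -> List[str]:
    """Return the names of IKE gateway entries whose name, attribute values or
    element text contain the serial number (a substring match, like the GUI search)."""
    needle = normalize_serial(serial)
    if not needle:
        raise ValueError("serial number must not be empty")
    root = ET.fromstring(config_xml)
    hits: List[str] = []
    for entry in root.iterfind(".//network/ike/gateway/entry"):
        candidates: List[str] = []
        for node in entry.iter():  # the entry itself plus every descendant
            candidates.extend(node.attrib.values())
            if node.text:
                candidates.append(node.text)
        if any(needle in value for value in candidates):
            hits.append(entry.get("name", "<unnamed>"))
    return hits


def pre_check(config_xml: str, serial: str) -> str:
    """Summarize the RMA pre-check: must the old firewall be disconnected first?"""
    hits = find_gateway_references(config_xml, serial)
    if hits:
        return "referenced by " + ", ".join(hits) + ": disconnect the old firewall before RMA"
    return "no gateway references: the serial-number cleanup step can be skipped"


if __name__ == "__main__":
    for old_serial in ("0012 3456 7890", "0000 0000 0000"):
        print(old_serial, "->", pre_check(SAMPLE_CONFIG, old_serial))
```

On a hub, run it against the exported running configuration with the old firewall's serial; a non-empty result is the same signal as one or more hits in the IKE Gateways search, so disconnect the old firewall first. For a full mesh, run it against any branch's export instead.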
Use the following workflow to restore the configuration on a managed firewall after an RMA.
  1. Select Panorama > SD-WAN > Devices and delete the old firewall.
  2. Select Panorama > SD-WAN > VPN Clusters and delete the old firewall.
  3. Commit the changes to Panorama.
  4. (HA deployments only) Push the changes to all hubs and to the other HA peers (but not to the old firewall that is being replaced). Before proceeding, ensure that the commit succeeds on the hubs and on the standalone firewalls. If the earlier search for the old firewall serial number returned no gateway configurations, you can skip this step.
  5. (HA deployments only) Establish an HA connection between the replacement firewall and the remaining firewall, which is currently running standalone. In HA, the firewall with the lower numerical device priority value has the higher priority and becomes the active peer. To keep the replacement firewall from taking over as the active peer, do not assign it a lower device priority value (that is, a higher priority) than the existing peer.
  6. Select Panorama > SD-WAN > Devices and add the new branch firewall.
  7. Select Panorama > SD-WAN > VPN Clusters and add the new branch firewall.
  8. Commit the changes to Panorama.
  9. Select Commit > Push to Devices and push the entire Panorama-managed configuration to the hubs and to both HA peers at the branch.
    When you Push to Devices, Panorama attempts to push the changes to every device in the cluster, in both HA and hub-and-spoke deployments. To avoid pushing to all devices, select Edit Selections in the Push Scope and clear all other devices under Device Groups and Templates.
    • In hub-and-spoke deployments, select the hub firewalls and the HA template stack of the branch to which you intend to push the configuration. Sites that are not selected may as a result be out of sync.
    • In full mesh deployments, you must push the changes to all devices in the cluster.
