Anasa 310-fips cluster must be reconstructed onto – Nortel Networks NN46120-104 User Manual

158

Troubleshooting the NVG

AnASA 310-FIPS Cluster Must be Reconstructed
onto New Devices

If your cluster of ASA 310-FIPS devices has been damaged beyond repair
(by fire, for example) you can reconstruct the complete cluster, including
certificates, private keys, and wrap keys. However, this requires that you
have access to the following:

•

A new set of ASA 310-FIPS devices, replacing the cluster of damaged
devices.

•

A backup configuration file, saved to an FTP/TFTP/SCP/SFTP server
as a precautionary measure by using the

/cfg/ptcfg

command in

the former cluster. For more information about the

ptcfg

command,

see the "Configuration Menu " chapter in the Command Reference.

•

The black CODE-SO and CODE-USER iKeys that were used when
the now damaged cluster of ASA 310-FIPS devices was first created.
The black CODE iKeys are needed to transfer the wrap key used
in the former cluster onto the HSM cards in the new ASA 310-FIPS
devices, as well as for decrypting private key information in the backup
configuration file.

•

The secret passphrase that was defined in the former cluster when first
initialized (Provided your former cluster was running in FIPS mode).

To reconstruct the cluster configuration, certificates, private keys, and wrap
keys used in the former cluster onto a new set of ASA 310-FIPS devices,
follow these steps:

Step

Action

1

Install the first ASA 310-FIPS in a new cluster by following the
instructions on

“ Installing an ASA 310-FIPS” (page 58)

up to and

including

Step 5

.

Note: When asked to use FIPS or Extended Security Mode,
select the same mode that was used in the former cluster.

2

When both HSM cards have been initialized, you will be
asked if you want to use new or existing HSM-CODE iKeys.
Type

existing

and press ENTER.

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.