topic Re: FTD 4100 to 4200 migration in FMC in Network Security

FTD 4100 to 4200 migration in FMC

ben.levin1 — Tue, 03 Jun 2025 14:46:00 GMT

Hi all. I'm trying to migrate an FMC-managed FTD 4125 HA pair to a pair of FTD 4215s. FMC and all of the FTDs are running 7.4.2.1.

Is there any way to migrate the FTD interfaces, routing, etc over to the 4215s? I talked to the TAC and they told me to use the migration wizard in FMC. However, this only seems to support 1100s and 2100s to 3100s, and when we run the wizard, the 4125s don't show up. I was also going to try to use the push config option but that gives me an error that the models and interfaces don't match.

If there's no way to do this, we're going to have to do it manually, which would be time consuming.

Thanks.

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Tue, 03 Jun 2025 16:54:35 GMT

4100 series model migration will be introduced in the next major release of FMC this fall (target ca. September-October).

For now, the device configuration would need to be manually configured. ACP, NAT, VPN etc. can just be added to the new devices once that first part is done.

Re: FTD 4100 to 4200 migration in FMC

ben.levin1 — Thu, 05 Jun 2025 18:48:36 GMT

Thanks for the info!

Re: FTD 4100 to 4200 migration in FMC

m-webster — Wed, 16 Jul 2025 07:56:37 GMT

Marvin, is this release still coming in September / October? If you could post any links about this release here, that would be great.

Re: FTD 4100 to 4200 migration in FMC

m-webster — Wed, 16 Jul 2025 08:21:11 GMT

for reference, I need the migration tool to migrate from 4120 to 4125.

Thanks

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Wed, 16 Jul 2025 17:43:18 GMT

@m-webster 4120 to 4125 will not be a natively supported migration path. You would have to build the device configuration fresh for the 4125 and then assign the ACP, NAT, platform policies to the new 4125. Any VPN (S2S and RA) would likewise need to be reconfigured in FMC to point to the new firewall.

More details will be posted when the new release comes out - currently still projected for September / October 2025 but subject to change by Cisco.

Re: FTD 4100 to 4200 migration in FMC

m-webster — Thu, 17 Jul 2025 06:52:49 GMT

Another Q that has come up, can you build the new FTD config on FMC without de registering the old kit? It has come to light that FMC may not like 2 devices (not a HA pair) having the same interface IPs.

Thanks,

Mitch.

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Thu, 17 Jul 2025 07:01:35 GMT

As long as you are using the management interface for registration and have unique IPs there, you can build the new FTD(s) using the exact same config as the old one(s).

Re: FTD 4100 to 4200 migration in FMC

m-webster — Thu, 17 Jul 2025 07:04:37 GMT

Thanks Marvin

Re: FTD 4100 to 4200 migration in FMC

wimorton — Tue, 09 Sep 2025 21:04:58 GMT

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration-761.html

Re: FTD 4100 to 4200 migration in FMC

AhmadAmro — Sat, 11 Oct 2025 16:15:26 GMT

I am attempting to migrate from an existing FTD 4120 (running version 7.2.10) to a new FTD 4215 (running version 7.4.2). My primary method for this migration is using the "Migrate Threat Defense Devices" feature within Cisco Secure Firewall Management Center (FMC 7.6.2). However, each attempt to perform the migration results in the following error message:
"Threat Defense Model Migration Migration from PL-HQ-FTD-HA cannot proceed because of an internal error. Contact Cisco TAC."

I have already opened a case with Cisco TAC regarding this "internal error," but I'm looking for community insights or similar experiences while awaiting their definitive solution. Migration Tool Failure: The core issue is the persistent "internal error" when using the official migration tool. CLI Restrictions on 7.4.2: Due to increased CLI restrictions in FTD 7.4.2, manually configuring interfaces, routes, and other network settings on the new 4215 directly via the command line is significantly hindered compared to previous versions. This makes a manual configuration approach very difficult.

> system support diagnostic-cli
> enable
Password:
# conf terminal

ERROR: % Invalid input detected at '^' marker.

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Mon, 13 Oct 2025 13:09:46 GMT

@AhmadAmro is your FMC at 7.6.2? It was only with FMC 7.6 that 4100 series was added as a source device type (and 4200 series as a target). Is your 4215 a native or multi-instance type configuration? H ave you considered running it with the current suggested release (7.6.2.1)?

The cli restrictions regarding manual configuration have been present with all versions of FTD ever, whether locally-managed or FMC-managed.

Re: FTD 4100 to 4200 migration in FMC

AhmadAmro — Sun, 02 Nov 2025 22:48:03 GMT

@Marvin Rhoads

Is your FMC at 7.6.2? FMC version 7.6.2

Is your 4215 a native or multi-instance type configuration? Native

Have you considered running it with the current suggested release (7.6.2.1)? no current version 7.6.2

The cli restrictions regarding manual configuration have been present with all versions of FTD ever, whether locally-managed or FMC-managed.

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Mon, 03 Nov 2025 13:53:23 GMT

@AhmadAmro I notice your source appears to be an HA pair. Is your target also already configured as HA?

Assuming you have met all the other prerequisites (link below), then you are best off working with your TAC engineer to resolve the issue. Do please let us know the eventual resolution.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration-761.html#limitations-for-secure-firewall-threat-defense-model-migration

Re: FTD 4100 to 4200 migration in FMC

AhmadAmro — Mon, 03 Nov 2025 15:15:34 GMT

Hello @Marvin Rhoads I’ve completed the upgrade to version 7.6.2.1, but unfortunately, I’m still encountering the same error.

Regarding the prerequisites:

I don’t have a multi-instance setup.
The source is configured as HA.
I had reviewed the prerequisites beforehand and didn’t find any additional steps required in this scenario.

It also seems that TAC support is not very familiar with the migration process—they appear to be troubleshooting it the same way I am

Re: FTD 4100 to 4200 migration in FMC

Marvin Rhoads — Wed, 05 Nov 2025 04:21:31 GMT

Sorry to hear that TAC is struggling to support your resolution. At this point, I can only suggest that you request escalation of your case with them.

Re: FTD 4100 to 4200 migration in FMC

AhmadAmro — Fri, 16 Jan 2026 11:43:25 GMT

I wanted to update you regarding the migration. Cisco has shared several important points related to the issue we faced, and I’m sharing them here as they may help others encountering similar migration problems.

During their analysis, Cisco found a discrepancy in the HA_EXTN_DATA table on the FMC side. This inconsistency caused the static route configuration to fail during migration, which led to the model migration errors we observed. In their lab testing, Cisco identified a workaround: using “Refresh Node Status” on the HA pair before reattempting the model migration. This resolved the internal errors they previously saw.

Additionally, Cisco highlighted another issue that can cause migration validation failures. On our FTD-HA, interfaces Eth1/1 and Eth1/2 were showing an MTU value of “0”, which is invalid. MTU values must be between 64 and 9184. This will also need to be corrected to avoid migration errors.

It’s worth mentioning that I performed the same migration on other devices with the same version and platform series without any issues, which suggests the Cisco TAC findings are accurate for this specific case.

Action Plan from Cisco:

Perform Force Refresh Node Status on the HA pair
Correct the MTU values on Eth1/1 and Eth1/2
Re-attempt the model migration