topic Re: Migration using FMT with different FMC in Network Security

Migration using FMT with different FMC

dimdim12 — Fri, 28 Nov 2025 09:39:58 GMT

Hello everyone,

I’m currently performing a migration from Cisco ASA with FirePOWER Services (ASA + SFR) to Cisco FTD using the Secure Firewall Migration Tool (version 7.7.10.4), and I’ve run into a limitation that I’m not sure how to properly handle.

Environment

Source Firewall: ASA with FirePOWER Services
Source FMC (managing the SFR module): FMC version 7.2
Target Firewall: FTD (already deployed and registered)
Target FMC: FMC version 7.6
ASA currently handles:
- Site-to-Site IPSec VPN
- Gateway interfaces
- Routing
- DHCP server

Issue

When selecting the FMC during the migration process, the tool displays the message:

“The Source and the Target FMC has to be the same FMC unit.”

This means I cannot select the new FMC (7.6) where my FTD is currently registered.
If I choose “Proceed without FTD”, the tool warns that interfaces, routing, and S2S VPNs will not be migrated, which is a critical requirement for my environment.

Questions

Is it supported to temporarily unregister the FTD from FMC 7.6 and register it to FMC 7.2 only for the purpose of running the migration?
After the migration and deployment are completed, can I safely unregister the FTD from FMC 7.2 and register it back to FMC 7.6 without losing the migrated configuration?
Is there any official Cisco documentation confirming this workflow?
Is there a recommended or alternative best practice for this scenario when the source and target FMC versions are different?

Any guidance or best practices from the community would be highly appreciated.
Thank you!

Re: Migration using FMT with different FMC

sakathik — Fri, 28 Nov 2025 14:18:38 GMT

This is the default behavior of FMT, where the source and target FMC must be the same device.

Please refer to the ASA with FPS migration workflow guide:
https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-fps/fmt-migration-guide-asa-fps/asawithfps2ftd-with-fp-migration-tool/b_Migration_Guide_ASA2FTD_chapter_0111.html#id_68145

It is not recommended—and generally not supported—to temporarily unregister an FTD from FMC 7.6 and register it to an older FMC version (such as FMC 7.2), even for migration or FPS-policy mapping. Doing so may cause registration failures, version incompatibilities, or unsupported behavior.

As a workaround, please migrate the ASA configuration to the target FMC/FTD and then manually configure the FPS rules on the FMC/FTD.

Note that device-level configurations (Interfaces, Routes, S2S VPN, DHCP, and SNMP) will not be migrated if the ‘without FTD’ option is used.

Re: Migration using FMT with different FMC

Marvin Rhoads — Sat, 29 Nov 2025 07:55:57 GMT

@dimdim12 - Definitely follow the advice and guidance that @sakathik provided.

I have found in the couple of dozen migrations I have done for customers that most old ASAs with Firepower service modules have minimal configurations on them. Thus not a lot is lost by handling those policies separately outside the tool workflow.