
Re-register FMC to new smart account without firewall downtime

jgrassler
Level 1

Hello Cisco Community!

/apologies if wrong location, not sure if this would fit better somewhere else

Quick summary:
We are using a single FPR 1140 Threat Defense device connected to an FMC virtual (KVM) version 7.0.6.
I need to move the FMC registration to a new smart account without causing downtime or reconfiguration challenges on the firewall. What is the correct procedure?

It has been running via smart licensing and a 3-year term license on Smart Account "A" with licenses:
FPR1140 URL Filtering
Firepower MCv Device License
Firepower Threat Defense Base Features (this we assume comes with the Firepower device automatically?)
FPR1140 Threat Defense Threat Protection

The licenses will expire in ~25 days but we already bought new licenses on the new Smart account "B" that are active now and ready to get used:
FPR1140 URL Filtering
FPR1140 Threat Defense Threat Protection
Firepower MCv Device License


How do I go about deregistering and re-registering the FMC device correctly at account B without impacting our company business?

The FMC VM itself has internet access through the FPR firewall, so there is some fear of causing a chicken-and-egg scenario when running into issues during the move. We have a fallback LTE router ready for this case.

The options I can think of and could do:
- deregistering on the FMC GUI
- deregistering on the old smart account
- making an offline VM backup for a worst-case scenario
- physically disconnecting the firewall management port during the migration in case it would get impacted by the FMC instance losing smart licensing for a while
- un-assigning the licenses on FMC first, then moving the FMC registration to the new smart account and reassigning smart licenses
- making a Cisco ticket and seeing if they have options to move the "product instance" to a new smart account via their systems
(not virtual account but other smart account)

What is the correct procedure, and how does the firewall act when losing its smart licenses?
I asked around a bit and it does not sound like there will be any issues; the device should only run out of compliance for some time and maybe only block new deployments during the out-of-compliance phase?

Then again, I couldn't really find a description of what happens.
Either in-use firewalls don't often migrate to new smart accounts (only virtual ones) or it is a non-issue and just some clicks without impact?

Thankful for any input. I need to reduce the outage risk to a minimum and, if that is not possible, plan and announce the outage.

Thank you and kind regards
Josef Grassler

2 Replies

jaydee201
Level 1

Hi there,

Did you ever get an answer to this? I have a very similar situation currently. Just worrying that if I re-register the FMC from 1 smart account, will it cause downtime before re-registering with a new smart account.

jgrassler
Level 1

Hi jaydee,
this is what I wrote down back then:

  • disconnected mgmt LAN port of firewall, so FMC and FTD cannot communicate during migration (to paranoidly avoid the license de-registration process to alter the firewall)

  • de-register FMC from old smart account, register to new smart account via GUI

  • connect mgmt port, assigned extra licenses, performed successful deployment

So it seems there were no issues at all, but please don't quote me on that.
The whole experience was forgotten quickly, as during the next boot (to sanity check if everything is fine) the device suffered a hardware failure and never came back up again, and we went through RMA. To be fair, it was the first reboot in ~18 months or so.
We bridged the time with a quick OPNsense setup.

While there is a 99% chance the hardware failure on reboot is unrelated to the swap, you need to have a backup and also an emergency plan.

kind regards, Josef