Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
2
Helpful
3
Replies

ASA to FTD Migration tool not working

tahscolony
Level 1
Level 1

‎07-11-2024 12:51 PM

To use the tool, you need an FMC with the device you want to migrate to registered to. Right?  Otherwise, how will it get to the device. To register it, you need an IP, which is on the management interface, or converged mode. 

So, why is it when going through everything in the tool and it comes time to push to device it then fails?

Blocked
Error while pushing interface: Management interface (Management1/1) cannot be modified when device is in converged mode.
 
I tried it several ways with similar failures all pointing to the management interface.  Can't change the name of the interface, or you get the above error. You can't use the tool if its in an instance mode, it fails because of a converged mode.
 
So how the heck will I get this to work? My ACL and Objects are far too many to do by hand, as well as a ton of PTP VPN's to configure.

 

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-12-2024 12:29 AM

What hardware models and software versions are you migrating from and to?

tahscolony
Level 1
Level 1
In response to Marvin Rhoads

‎07-29-2024 11:30 AM

The FMT has a LOT of bugs to work out still and it is not ready for primetime.  What I discovered is when the ASA is configured for Management VRF, and things like Radius, Tacacs, Accounting, Monitoring are using the Management interface routing table, None of it will migrate and cause errors, and the Management interface of the firewall configuration wants to overwrite the embedded M0/0, and thats where the error happened.  I wound up removing all references to management from the configuration before it would fully complete. 

 

Another Not ready for Primetime issue is it will NOT migrate outbound ACL, so all the DMZ objects do not get migrated, and I have HUNDREDS of them for a couple servers that I now have to manually add. I have 3 DMZ that only have inbound objects.  Seems it would more prudent to be able to migrate the outbound ACL since anything going through to a DMZ would be going OUT the interface to the DMZ servers.

alfred.thyri
Level 1
Level 1
In response to tahscolony

‎10-29-2024 08:05 AM

thanks for posting - just stumbled over the same issue while migrating ASA to FTD.

I simply removed the management interface configuration from the ASA config and it worked. No issue with that, since the mgmt interface is different on the FTD..

In general I like the migration tool, error handling could be better. I would like to be able to correct things on the fly and not start from step1 each time.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card