
ASA to FTD Migration tool not working

tahscolony
Level 1

To use the tool, you need an FMC with the device you want to migrate to registered to it. Right? Otherwise, how will it get to the device? To register it, you need an IP, which is on the management interface, or converged mode.

So, why is it when going through everything in the tool and it comes time to push to device it then fails?

Blocked
Error while pushing interface: Management interface (Management1/1) cannot be modified when device is in converged mode.
 
I tried it several ways with similar failures all pointing to the management interface. Can't change the name of the interface, or you get the above error. You can't use the tool if it's in an instance mode; it fails because of a converged mode.
 
So how the heck will I get this to work? My ACL and Objects are far too many to do by hand, as well as a ton of PTP VPNs to configure.

 

2 Replies

Marvin Rhoads
Hall of Fame

What hardware models and software versions are you migrating from and to?

The FMT has a LOT of bugs to work out still and it is not ready for primetime. What I discovered is that when the ASA is configured for Management VRF, and things like RADIUS, TACACS, Accounting, Monitoring are using the Management interface routing table, none of it will migrate and it causes errors, and the Management interface of the firewall configuration wants to overwrite the embedded M0/0, and that's where the error happened. I wound up removing all references to management from the configuration before it would fully complete.

 

Another Not ready for Primetime issue is it will NOT migrate outbound ACL, so all the DMZ objects do not get migrated, and I have HUNDREDS of them for a couple servers that I now have to manually add. I have 3 DMZ that only have inbound objects. Seems it would be more prudent to be able to migrate the outbound ACL, since anything going through to a DMZ would be going OUT the interface to the DMZ servers.
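
The workaround described in the reply above was to strip management references from the ASA configuration before running the FMT. A pre-migration check along those lines, as an added example that is not part of the thread or of Cisco's tool; the sample configuration is constructed and the function names are hypothetical:

```python
# Constructed sample ASA running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif mgmt
!
interface GigabitEthernet0/1
 nameif inside
!
aaa-server ISE (mgmt) host 192.0.2.50
logging host mgmt 192.0.2.60
snmp-server host mgmt 192.0.2.61 community example
route mgmt 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.2.0.0 255.255.0.0 10.1.1.254
ssh 192.0.2.0 255.255.255.0 mgmt
"""

def management_nameifs(config):
    """Return the nameif of every Management port or management-only interface."""
    names, current = set(), None
    for line in config.splitlines() + ["!"]:  # trailing "!" closes the last block
        if current is not None and line.startswith(" "):
            words = line.split()
            if len(words) == 2 and words[0] == "nameif":
                current["nameif"] = words[1]
            elif words == ["management-only"]:
                current["mgmt"] = True
            continue
        # A non-indented line ends the interface block that was being read.
        if current and current["mgmt"] and current.get("nameif"):
            names.add(current["nameif"])
        words = line.split()
        is_if = len(words) >= 2 and words[0].lower() == "interface"
        current = {"mgmt": words[1].lower().startswith("management")} if is_if else None
    return names

def management_references(config):
    """Return (line_no, line) for global commands that name a management nameif."""
    names = management_nameifs(config)
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        if line.startswith((" ", "!")) or line.lower().startswith("interface "):
            continue  # skip interface blocks and separators
        if {tok.strip("()") for tok in line.split()} & names:
            hits.append((no, line))
    return hits

if __name__ == "__main__":
    for no, line in management_references(SAMPLE_CONFIG):
        print(f"{no}: {line}")
```

Matching is by whole token, so an unrelated object or ACL that happens to share the interface name will also be listed and needs a manual look.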
