Community Manager

Firepower Migration Tool - AMA

This topic is a chance to clarify your questions about the Firepower Migration Tool and its capabilities. The Cisco Firepower Migration Tool is a free software image used for migration from Adaptive Security Appliance (ASA) 8.4 or later, Check Point (r75-r77.30 & r80 and later), and Palo Alto Networks (6.1+) to Cisco Firepower Threat Defense (FTD).

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button below to ask your questions.

Ask questions from Thursday, August 20 to Friday, August 28 2020

Featured Experts
Shrinad Trivedi is a Consulting Engineer with Cisco’s Security team in Bangalore, India. He works with Cisco in the Network Security domain with Firewall and VPN products. He has delivered multiple trainings on handling third party migrations and firewall migration capabilities using Firepower Migration Tool. Shrinad holds a bachelor’s degree in information technology and a CCIE certification in Security (#45631).

Aditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past nine years in security domains such as Firewall, VPN, and Authentication, Authorization, and Accounting (AAA). Aditya has delivered trainings on ASA and VPN technologies. He holds a bachelor’s degree in information technology and a CCIE certification in Security (CCIE#58938). He has been a consistent contributor on Cisco Community and has delivered multiple sessions at Cisco Live.


Hi,

We have recently migrated from ASA to FTD (9300 SM56) and we use FMC 4600.

After the migration, we are now facing rule-base capacity related issues. We just have 18K odd rules. The system does not allow adding more rules. We did not have this problem while we were on ASA. The error is:

"Rule validation failed due to insufficient resources causing deployment failure. Please consider reducing the rule set..." In the troubleshooting details, it shows that the process stops at "FWRuleChecker validation..." with an error "Failed to parse identity rules file - 153".

Can you please throw some light on this? We did not have any issues during or immediately after migration, but this issue cropped up after a while. Sorry, my question may not be exactly on the migration tool but related to ASA-FTD migration, and I hope you'll help me in giving some direction. Where can I find the capacity limits for the FTD platform and FMC appliance?

Thanks much in advance!
- Krishna


Hi Krishna,

Thanks for reaching out on the Community Page. Can you please follow the steps below:

1. Log in to the FTD via an SSH session (in your case the 9300 FTD device).
2. Share the output of the command: > show access-list | include elements

Thanks,
Shrinad

@shritriv Hi Shrinad,

Sorry for my delayed response. Here is the output that you asked for:

       access-list CSM_FW_ACL_; 683042 elements; name hash: 0x4a69e3f3

So, the count of 683K should be much less than the 6M limit that this platform can handle?

What else can we check with this, please?

Thanks for your attention!

Regards,

Krishna
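The check Shrinad asked for and the summary line Krishna posted follow a fixed format, so the comparison against a platform limit can be scripted. The block below is an added example, not code from Cisco, from the migration tool, or from anyone in this thread: it parses the `show access-list | include elements` summary lines, sums the expanded access-control entries (ACEs) per ACL, and reports headroom against a limit the caller supplies. Only the first sample line is real (the one posted above); the other two are constructed. The 6,000,000 figure used in the usage call is the number quoted in the question, not a verified platform limit, which is why it is a parameter rather than a constant.

```python
"""Parse `show access-list | include elements` output from an FTD/ASA and
compare the expanded ACE count with a caller-supplied platform limit.

Added example for the thread above; not Cisco code. The limit is an input
because the figure quoted in the question (6M) is unverified here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One summary line per ACL. Line 1 is the real output posted in the thread;
# lines 2 and 3 are constructed for the example.
SAMPLE_OUTPUT = """\
access-list CSM_FW_ACL_; 683042 elements; name hash: 0x4a69e3f3
access-list mgmt_acl; 12 elements; name hash: 0x1b2c3d4e
access-list vpn_filter; 0 elements; name hash: 0x00000001
"""

# Summary-line shape: "access-list <name>; <n> elements; name hash: 0x<hex>"
_LINE = re.compile(
    r"^\s*access-list\s+(?P<name>[^;\s]+);\s+(?P<elements>\d+)\s+elements;"
    r"\s+name hash:\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)


@dataclass(frozen=True)
class AclSummary:
    name: str
    elements: int
    name_hash: str


def parse_acl_summaries(text: str) -> List[AclSummary]:
    """Return one AclSummary per well-formed summary line; other lines are skipped."""
    summaries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            summaries.append(AclSummary(m["name"], int(m["elements"]), m["hash"]))
    return summaries


def total_elements(summaries: List[AclSummary]) -> int:
    """Expanded ACE count across all ACLs on the device."""
    return sum(s.elements for s in summaries)


def capacity_report(summaries: List[AclSummary], ace_limit: int,
                    rule_count: Optional[int] = None) -> dict:
    """Compare the expanded ACE count with the limit the caller believes applies.

    rule_count is the number of access-control rules in the policy (e.g. the
    18K mentioned in the thread). When given, elements_per_rule shows how many
    ACEs each rule expands to, which is what "optimizing the rules" reduces.
    """
    total = total_elements(summaries)
    report = {
        "total_elements": total,
        "ace_limit": ace_limit,
        "headroom": ace_limit - total,
        "within_limit": total <= ace_limit,
        "largest_acl": max(summaries, key=lambda s: s.elements).name if summaries else None,
    }
    if rule_count:
        report["elements_per_rule"] = round(total / rule_count, 1)
    return report


if __name__ == "__main__":
    acls = parse_acl_summaries(SAMPLE_OUTPUT)
    # 6_000_000 is the limit quoted in the question above, not a verified value.
    print(capacity_report(acls, ace_limit=6_000_000, rule_count=18_000))
```

When the report shows the ACE total well inside the limit, as it does for the figures in this thread, the count itself is not what is failing the deployment, and the investigation moves to the other resources the error message names (device memory, the identity-rules file the FWRuleChecker step could not parse). The elements-per-rule ratio is the number to watch if rule optimisation is attempted, since it measures how much each rule expands on the device.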


Hi Krishna,

The number of ACEs on both FTD and ASA is definitely less than the supported number on this platform.

This issue can be due to other factors, like available memory on the device, etc.

I would suggest opening a TAC case and getting this troubleshot.

Regards,

Aditya


Thanks Aditya. The TAC case was already there and it is not helping much. It's not going in the right direction.

The push from TAC is still to optimize the rules. While that can be done, it should not prevent new rules from being added.

 

Nevertheless, thanks for your confirmation!

 

Regards,

Krishna
