Firewall Migration tool for ASA5555-X HA context to HA FP1140 FTDs

I need to migrate a single context from a HA ASA5555-X to a HA pair of FP1140's running FTD.  The ASA5555-X is running 9.1(2) in multi-context mode and the FP1140s are running FTD 6.6.4 and managed by a vFMC running 6.6.4.  The FP1140 FTDs have already been configured for HA from the FMC, however no other configuration has been applied.

The source configuration consists of various sub-interfaces from two parent port-channels allocated to the context (interfaces port-channel1.10, port-channel1.20, port-channel2.30, port-channel2.30 for example).  The replacement FTD will have a single port-channel with all the sub-interfaces on that (port-channel1).

My plan is to tweak the configuration file to change all the 'port-channel2.x' interfaces to be 'port-channel1.x' and then use that as the input to the migration tool.  I haven't had much success with the previous versions of the migration tool, however it looks a bit more mature now.  The source configuration doesn't have any remote access or site-to-site VPNs configured so it's just objects, ACLs and NAT.


I can lab most of this up with vFTDs and a vFMC but don't have loads of time allocated to the project.  I'm unsure about the HA part and what happens to the configuration of the destination FTDs - i.e. do they get wiped?  I know I can import the configuration without automatically applying it to a destination FTD, however I'm not sure how that will work out for me.


Anyone familiar with the migration tool and in particular port-channels and HA?


Cheers

Andy
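One way to do the "tweak the configuration file" step from the question in a repeatable way, as an added example that is not part of the original post and not part of Cisco's migration tool: the script below rewrites `interface Port-channel2.X` blocks to `Port-channel1.X` in an ASA context config, but first checks that merging the two parents does not produce two sub-interfaces with the same number or the same VLAN tag on the target port-channel, and refuses to rewrite if it would. The config excerpt is constructed for illustration (interface numbers, names and addresses are assumptions, not from the original post); the parent `Port-channel2` block itself and any physical member interfaces are left untouched for the operator to handle.

```python
import re
from collections import Counter

# Constructed sample of an ASA context config excerpt (not from the original
# post); interface numbers, nameifs and addresses are assumed for illustration.
SAMPLE_CONFIG = """\
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface Port-channel2.30
 vlan 30
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248
!
interface Port-channel2.40
 vlan 40
 nameif partner
 security-level 30
 ip address 10.1.40.1 255.255.255.0
!
"""

# Matches only sub-interfaces ("Port-channelN.X"), not the parent "Port-channelN" line.
IFACE_RE = re.compile(r"^(interface\s+Port-channel)(\d+)\.(\d+)\s*$", re.IGNORECASE)
VLAN_RE = re.compile(r"^\s+vlan\s+(\d+)\s*$", re.IGNORECASE)


def parse_subinterfaces(config):
    """Return one dict per Port-channel sub-interface block: parent id, sub id, vlan tag."""
    blocks, current = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"parent": int(m.group(2)), "sub": int(m.group(3)), "vlan": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        vm = VLAN_RE.match(line)
        if vm:
            current["vlan"] = int(vm.group(1))
        elif line.strip() == "!" or line.startswith("interface"):
            current = None  # end of this interface block
    return blocks


def collapse_port_channels(config, source_ids=(2,), target_id=1):
    """Rename Port-channel<source>.X blocks to Port-channel<target>.X.

    Returns (new_config, collisions). If merging would leave two sub-interfaces
    sharing a number or a VLAN tag on the target parent, the config is returned
    unchanged and the collisions are listed, so an ambiguous file is never handed
    to the migration tool.
    """
    merged = [b for b in parse_subinterfaces(config)
              if b["parent"] == target_id or b["parent"] in source_ids]
    sub_counts = Counter(b["sub"] for b in merged)
    vlan_counts = Counter(b["vlan"] for b in merged if b["vlan"] is not None)
    collisions = [f"sub-interface .{s}" for s, n in sorted(sub_counts.items()) if n > 1]
    collisions += [f"vlan {v}" for v, n in sorted(vlan_counts.items()) if n > 1]
    if collisions:
        return config, collisions

    def rename(m):
        if int(m.group(2)) in source_ids:
            return f"{m.group(1)}{target_id}.{m.group(3)}"
        return m.group(0)

    rewritten = [IFACE_RE.sub(rename, line) for line in config.splitlines()]
    return "\n".join(rewritten) + "\n", []


if __name__ == "__main__":
    new_config, problems = collapse_port_channels(SAMPLE_CONFIG)
    if problems:
        print("Refusing to rewrite; resolve these first:", ", ".join(problems))
    else:
        print(new_config)
```

Run it against the real context config exported from the ASA (`show running-config` for the context) and review the collision list before feeding the output to the migration tool; the nameif, security-level and address lines under each block are carried over unchanged, so ACL and NAT statements that reference the nameif still resolve.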


Marvin Rhoads
Hall of Fame

Yes, I've done a couple of migrations with those features. FMT is doing a fine job at it lately.

You will need to first make the target pair stand alone and then use the Primary unit as the target for deployment. The tool does not support having an HA pair as the target. You can rejoin them into HA after deploying.

Interface mapping can be done, including mapping to subinterfaces. If you're using port-channels, create them first on the target FTD so that they are available objects to which you will map the source interfaces.

For multiple contexts, the tool will prompt you for which source context you want to use when you use the connect to ASA option for a live migration.

For site-to-site VPN it will migrate everything but you will have to supply the tool any pre-shared key manually as it won't automatically pull that from the source config. There's a point in the migration where you will be prompted (a bit subtly in my opinion - I missed it on my first try) to provide the PSK(s).
