So, this is what im wondering though, as we have a complete spare device, I am hoping that we can join it in as one of the units, and then just deploy the config to it. Then once thats done, repeat with the second device in FMC and then we can work towards upgrading them to latest gold star.

Would that work do you think? or will we be in an issue where we are unable to deploy from FMC, as one of the FTDs is missing.

I dont have spare hardware to lab this up so it makes it quite hard to test this in a lab.

If you replace an offline device with a physical spare, that should work. If a managed device is not reachable though, that device will continue to show as pending deployment.

thanks for that.

would we just need to name the spare device the same as it is in FMC? Is that all it uses for the registration? or is it tied to the IP address? and for example, you could change the name but as long as the device is the same model, and the ip matches its name can be totally different to whats registered in FMC? Or is there some other unique identifier that is used for the registration and thats what it uses to track the device?

EDIT: As the spare is a complete blank device, what would be the best path forward with that? if we give it the same hostname, and IP as FMC is expecting, will it just start talking to FMC and we can do a deploy to push out all the interfaces, NAT, S2S, Policies etc...??

Jason.

When you add a devices in FMC, even if it is replacing one formerly defined, you need to newly associate the ACP with it. Then, after registration and discovery, you would need to re-associate device configuration, NAT, VPN, platform, etc. to the device and deploy once again,

Ok, so i guess that rules out just simply inserting the NEW device in and it picking up the config of the old and we can just DEPLOY it.

I wonder if we can deploy the new device as a new FTD in FMC, and then pull its config using the FMC option in Devices -> Device -> General? This will hopefully mirror the old source unit.

Im going to give this a shot next, as it might work to pull over all the NAT and S2S config. I will report back.

EDIT: Hmm, perhaps not.

to clarify, the CUBE unit is our production unit and the TEST is the target. they are the same device. and the config on the TEST is bare (other than joined into the same FMC) I have cloned our fmc so that i can experiment in a bit of a sandbox environment, and changed the IP's etc as needed. but, no-bueno thus far.

EDIT EDIT:

So, i just configured the interfaces on the TEST unit to match the same as the office PROD unit, and then i was able to pull the config from office PROD -> TEST... and then was able to deploy it successfully.

Looking at the ```show running-config``` for the unit, it appears to have worked, as it has put in the DHCP scopes and connection types for things. I dont have a S2S tunnel to test this with though, so am unsure if that will work? But this is atleast a good starting point. what are your thoughts on this approach @Marvin Rhoads ??

I am taking a similar approach on a project of my own.

I have not yet reached to point were i can test S2S and RA VPN configs with the approach but, from what I have researched, this is the least painful way forward ...and one that works within Cisco's supported (albeit clunky) migration path.

so, an update to my progress,

I tested this at the office with our production and spare 1010, using a new FMC, did a backup and restore and then added the spare 1010 to that dev instance. it worked perfectly. The only catch was that the interfaces needed to be created first (which seems at odds with pulling / cloning a config, but i digress)

So, i go to our customers office to test it with their spare 2130 unit, and perform all the same steps and was greeted with this error. I am unable to find ANY information on this in the documentation or even looking around on google or reddit. We checked multiple times and can confirm that the interfaces are configured EXACTLY the same between the units.

The only difference is that the units are about 4 years apart in age. However i dont know if that would make a difference. Al of the speed configurations on the interfaces (and all other tabs for that matter) are exactly the same between the units.

So, im at a loss here. open to any suggestions if you have them @Marvin Rhoads 

You cannot restore a 1010 configuration onto a 2130 device. The backup / restore process requires the exact same hardware.

Otherwise you will have to build the device-specific settings from scratch (basically anything that's setup under the device page tabs - interfaces, zone mapping, routing, license assignment etc.).

There were some changes in the 2100 series interface definitions that I recall would lead to some cosmetic error messages on FMC after upgrading even a given appliance. I recall they were related to some default commands Cisco changed per interface. Even though the capabilities are the same across releases, how FMC parsed the running-config changed. You may be hitting a previously-unknown symptom of that bug.

@jbates5873 this was the bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa14518

...and I discussed it in this thread: https://community.cisco.com/t5/network-security/fmc-health-alert-not-clearable-interface-status-modified/td-p/4528153

Hi Marvin, thanks for that.

After investigation looking through a ```sh int```, we noticed that one of the interfaces on the SOURCE was set to 100MBPS (although the interface setting in FMC was AUTO) and when replicated to the TARGET, it was set at 1000MBPS.

We manually assigned the TARGET interface down to 100MBPS to match, and even after multiple deploys it did not work, We are now going down the manual path of applying the configs and policies, and not using the config push / pull.

Thanks for the assist though.