07-23-2024 07:03 AM
We planned to migrate from FMC2500 to FMC2700. Even though we have received the FMC2700, we have decided to make an intermediate step over FMCv because we want to make a whole new design and do not want to run on an unsupported FMC2500 in the meantime.
After migration we want to upgrade to version 7.2.8 (recommended), and with that we can manage some production FTDs with version 6.6.x (really old, I know).
But what if we later want to upgrade to 7.4 or even newer?
So my question is, can we migrate to 2 x FMCv?
Migrate the first normally (same IP/hostname).
On the second, restore the same backup file, but change the IP/hostname and remove all 7.x FTDs before enabling network connectivity again?
07-23-2024 09:11 AM
It's possible but will be painful. Managed devices don't easily change the address of the managing FMC without some careful restoring device configuration and reapplying policies.
07-23-2024 05:52 PM
I would suggest migrating one device at a time to the new FMC. Like others have said, migrating is a painful process. I have done migrations to a new FMC, and the easiest was to do one or a few at a time to the new FMC, which reduces the risk. Also, you can work on the new design on the new FMC 2700 and onboard one device at a time. Lastly, you also need an FMCv license etc., which is an additional cost. Of course, they have a trial one that could be used.
07-24-2024 09:38 PM
Since I'm about to start a similar process, I'm very interested in the topic. Is it the IP change which makes the migration process painful, or the migration from 2500 to virtual itself?
Isn't the Cisco migration script of any help in this case?
Before migrating one device at a time you need to restore the configuration to the target FMC, but restoring from different models is not supported afaik. How do you manage this?
07-25-2024 07:04 AM
When a device registers with an FMC for management, we see the FMC IP address (or NAT ID in some cases). Behind the scenes, there is a Universally Unique Identifier (UUID) by which the devices are linked. As long as you only change the IP of an existing FMC or go via the migration tool route, that UUID does not change. However, building a new FMC will create a new UUID. For that, the management and configuration process must begin as if from a completely unconfigured device. It can be done, but requires a fair amount of manual work and is most definitely service-affecting for the managed device.
07-25-2024 09:19 PM
That's also my knowledge. The migration tool should take care of all of it, but I read about a painful process and I got scared.
Did you already manage to migrate from a couple of FMC appliances in HA to a couple of vFMC?
Is it a seamless task like the Cisco documentation explains?
07-26-2024 06:28 AM
The migration tool takes care of preserving the UUID so that works fine.
07-27-2024 05:10 AM
Hello,
The Hardware Migration tool keeps the same UUID, as it is based on the Backup from the original FMC.
Having 2 FMCs from the same backup would in theory work just like you planned, but you will face an impossible-to-solve challenge with the Smart Account.
As soon as you restore the backup, the communication with the Smart Account may be fine, as both FMCs will have the same certs, but once a renewal comes, a new cert to authenticate will be generated, and only one of the FMCs will have the correct one.
This will make one of the FMCs lose every license, including Base License, Strong Encryption, etc.
Can you let us know what the models are of your FTDs that are at 6.6.x?