Our current FMC is managing 2x FTD 2110 in an HA pair. The standby FTD suddenly went dead and Cisco has provided us a new FTD via RMA. Before the FTD went dead, we were also planning to migrate our FMC to a new physical server (because it was having lots of issues). We want to achieve two goals at once:
a) Replace the dead FTD in the HA pair
b) Also migrate the FMC to the new physical server.
Below is our plan of attack. I'd appreciate it if anyone could comment on it.
1: Spin up a new FMC on new physical server.
2: Take a configuration backup from the old (current) FMC. (Note that we are only taking an access policy backup via import/export, not the entire FMC backup via backup/restore, because it's a very basic deployment with just a single access policy.)
3: Upload the configuration backup to the new FMC <<==== This is as far as we have got so far. Actually, we were planning the migration for the next couple of weeks, but then this FTD failure happened, and now our plan has slightly changed (knowing that we have the new FTD device in hand).
4: Register the newly received FTD (the Cisco RMA one) with the new FMC. Push exactly the same interface and routing configuration to this FTD and wait to proceed with the cutover.
5: During the downtime, just swap the cables from the current primary FTD (the only member alive in the HA pair) to the new FTD.
6: Test our connectivity.
7: Break the HA pair in the old FMC, delete the live FTD (the current primary FTD) from there, register it with the new FMC and add it to an HA pair along with the new FTD.
The old FMC is registered with our Cisco smart account. I am not sure how (and at what time) we migrate the licenses from the old FMC to the new FMC. Before the cutover or during the cutover?
It may work the way you propose but personally I'd complete restoration of the RMA'd appliance before migrating.
I've generally found it advantageous to change as few variables as possible during a migration.
Regarding the Smart licenses - you should deregister the old appliance and register the new one prior to deploying any policies (including a basic sync without any actual changes) to the devices. Once you deregister, you will not be able to deploy (from the old FMC) any policies that depended on the previously assigned licenses.
When you say "register the new one prior to deploying any policies", do you mean we should do that right before step 4? Actually, our plan is to enable the evaluation license so we are able to register the FTD, push policies and verify. Once done, we will deregister the licenses from the old FMC (just in case we have to roll back). Is there any harm in going ahead with basic verification on an evaluation license?
My second question regarding licenses: in our environment we have two FMCs and 3 FTDs.
- 1st FMC managing 2x FTD 2110 in an HA pair.
- 2nd FMC managing 1x FTD 2110 standalone.
We have purchased an "SF-FMC-VMW-2-K9" with each FMC, which I believe should be sufficient for 3 FTDs. However, in our smart account we can only see "purchased = 2 & used = 2" (screenshot attached). I'm not sure whether the smart account is showing licenses against each FMC or against each FTD, or whether it means our licenses were not loaded to our smart account properly.
You may be able to use the evaluation license temporarily as you suggest. I hadn't considered that option when replying.
Your two FMC 2-unit licenses technically only give you the right to use two FMCs, each managing 2 devices. If you combine them into one FMC managing 3 devices, that FMC must have the next tier (or higher) license to be compliant licensing-wise. (It doesn't make a lot of sense, but that is the terms of service for those licenses.)
The Smart portal doesn't check whether your FMC has a 2-, 10-, or 25-device license. So there's currently no "technical enforcement" of that particular aspect of the terms.