09-25-2023 02:46 AM
Hello Family,
Hope you are well,
I need help figuring out how to migrate IPsec tunnels from one FTD to another using the Secure Firewall Migration Tool.
What do I need to worry/cater for to ensure seamless migration - no downtime?
Thank you.
09-25-2023 03:54 AM
The migration tool only moves the config from old to new - it does not do the cutover automatically.
How many tunnels are we considering here?
If you are looking to migrate from the existing FTD to a new FTD (are you going to use the same IP address space and physical connection here?), in this case you need downtime anyway to turn off the old FTD and move to the new FTD.
In the other case, if you build the new FTD in parallel, then if the remote site has dual tunnels you can build a new tunnel with the new FTD and move the traffic by using the new one as the preferred VPN.
09-25-2023 04:50 AM
I have two FTDs, managed by one FMC. Currently all IPsec tunnels, 40 of them, sit on one FTD. I wanted to move these tunnels across the FTDs on an as-needed basis. The two FTDs are in different locations, so different IPs for the zones, but objects can remain the same because the two FTDs have OSPF, hence both have routes. The issue is to move these tunnels and still have traffic flow through without any outside party reconfiguring anything.
09-25-2023 05:14 AM
The migration tool only supports migrating all or none from an FDM-managed to FMC-managed device when migrating FTD configurations. So, you will have to rebuild them one-by-one on the target FTD.
09-25-2023 11:06 PM
So it's not possible to "automate" migrating, say, IPsec tunnel configurations from one FTD to another, both managed by the same FMC? One has to manually recreate the tunnels on the other FTD?
09-26-2023 12:04 AM
In short, the answer is no, not possible.
09-26-2023 01:23 AM
It may be possible to automate the migration - using the API. But not using the Cisco Firewall Migration tool.
09-26-2023 12:06 AM
Thank you for the feedback and your time, I appreciate it.
03-31-2024 10:27 PM
Hi,
Are there any recommendations for migrating from a policy-based VPN to a route-based VPN on an ASA or an FMC? Route-based VPNs are highly recommended to easily set up SD-WAN networks, and have a lot of advantages compared to policy-based VPNs on the ASA and FMC.
I am a technical writer for ASA and FMC VPN features and we are trying to compile a list of recommendations for our customers on how to migrate policy-based VPNs to route-based VPNs.
Any pointers would be great.
Thanks,
Rashmy
04-01-2024 07:18 AM
That would be a useful feature for the FMT but not an easy one to implement. Changing from one type to another involves quite a bit of thought and analysis that is for now a human-only process.