Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
680
Views
0
Helpful
9
Replies

Secure Firewall Migration Tool - to migrate ipsec vpn tunnels

fmugambi
Spotlight
Spotlight

‎09-25-2023 02:46 AM

Hello Family,

Hope you are well,

Needed help figure out how to migrate IPsec tunnels from one FTD to another using Secure Firewall Migration Tool .

What do i need to worry/cater for to ensure seamless migration - no downtime.

Thank you.

0 Helpful
9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

‎09-25-2023 03:54 AM

Migration tool only move the config from OLD to new - it does not do the cutover automatically.

how many tunnels we are considering here.

if you Looking to Migrate from exiting FTD to new FTD ( are you going to use same IP address space and physical connection here ) in this case any way you need downtime to turn off old FTD and Move to new FTD.

Other case if you parallel build new FTD then if the remote site have dual trunel you can build new tunnel with new FTD and Move the traffic using prefered VPN as new one.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

fmugambi
Spotlight
Spotlight

‎09-25-2023 04:50 AM

I have two FTDs, managed by one FMC. currently all ipsec tunnels 40 of them sit on one FTD. I wanted to move this tunnels across the FTDs on a need basis. The two FTDs are in different locations, so different IPs, for the zones, but objects can remain same coz the two ftds have ospf hence both have routes. issue is to move these tunnels, and still have traffic flow through without any outside party reconfiguring anything.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-25-2023 05:14 AM

The migration tool only supports migrating all or none from an FDM-managed to FMC-managed device when migrating FTD configurations. So, you will have to rebuild them one-by-one on the target FTD.

0 Helpful

fmugambi
Spotlight
Spotlight

‎09-25-2023 11:06 PM

so its not possible to "automate" migrating say ipsec tunnel configurations from one ftd to another, both managed by same FMC. one has to manually recreate the tunnels on the other ftd?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-26-2023 12:04 AM

in short answer No not possible.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-26-2023 01:23 AM

It may be possible to automate the migration - using the API. But not using the Cisco Firewall Migration tool.

0 Helpful

fmugambi
Spotlight
Spotlight

‎09-26-2023 12:06 AM

thank you for the feedback and your time, I appreciate.

0 Helpful

rasabrah
Cisco Employee
Cisco Employee

‎03-31-2024 10:27 PM

Hi, 

Are there any recommendations for migrating from a policy-based VPN to a route-based VPN on an ASA or an FMC? Route-based VPNs are highly recommended to easily set up SD-WAN networks, and have a lot of advantages compared to policy-based VPNs on the ASA and FMC.

I am a technical writer for ASA and FMC VPN features and we are trying to compile a list of recommendations for our customers on how to migrate  policy-based VPNs to route-based VPNs.

Any pointers would be great.

Thanks,

Rashmy

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rasabrah

‎04-01-2024 07:18 AM

@rasabrah 

That would be a useful feature for the FMT but not an easy one to implement. Changing from one type to another involves quite a bit of thought and analysis that is for now a human-only process.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card