01-08-2025 07:15 AM
I am migrating two ASAs and one FTD into a single FTD managed in FMC. I have created three VRs on the FMC, and after migrating the first configuration across I am attempting to move the inside and outside interfaces from that configuration into their correct VR. I get the error seen below. Why is this, and what is the recommended process for doing such a migration?
01-08-2025 07:22 AM - edited 01-08-2025 07:24 AM
I believe the Migration Tool only supports VRFs in the case of migrating from a multi-context ASA. For migrating multiple ASAs, there is not a clean methodology to push them onto a single multi-VRF target device. You would do one of them as the Global VRF and then manually create and configure the other two. You could migrate the configurations without a target device to at least get most of the rules pushed over, but would then need to manually combine things in FMC.
The other, cleaner, method would be to set up the target FTD appliance as multi-instance (assuming the hardware is capable). Then each source device can migrate to a unique target instance, which essentially is treated as a separate firewall on the FMC.
01-08-2025 06:29 PM
Your use case of using VR with VPN is not really supported. The interface where VPN terminates (typically outside) has to be in the global VR. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/virtual-routing-for-firepower-threat-defense.html#Cisco_Task.dita_cf87b9dd-5f88-4cf4-b55e-507a69e1f8fd
But you should be able to use VTI, where the tunnel source is the FVRF, which can be the global VR, and the data (inside) VRF is the user VR.
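The constraint the reply above describes (a VPN-terminating interface or VTI tunnel source has to live in the Global VR, while the VTI itself can sit in a user VR) is easy to get wrong when three firewalls' "outside" interfaces are being pushed into per-site VRs by hand. The following is an added example, not Cisco code and not part of this thread: a small pre-flight check over a constructed description of the planned FMC interface-to-VR mapping. The VR names, interface names and the `Plan`/`check_plan` helpers are assumptions for illustration; the FMC itself only reports the violation when you try to save the interface.

```python
"""Pre-flight check for a multi-VR FTD migration plan (added example, not Cisco code).

Encodes the rule stated in the thread: interfaces that terminate VPN, and the
source interface of any VTI (the FVRF side), must be in the Global VR; the VTI
itself (the IVRF side) may be placed in a user VR. All names below are
constructed sample data, not a real FMC export.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GLOBAL_VR = "Global"   # assumed name of the FTD global virtual router


@dataclass
class Interface:
    name: str                       # FMC logical interface name, e.g. "outside"
    vr: str                         # virtual router the interface is assigned to
    terminates_vpn: bool = False    # policy-based S2S / RA VPN terminates here


@dataclass
class Vti:
    name: str       # tunnel interface name, e.g. "Tunnel1"
    source: str     # logical name of the interface the tunnel is sourced from
    vr: str         # VR the tunnel interface (data/IVRF side) is placed in


@dataclass
class Plan:
    # keyed by name, so an interface can only be planned into one VR
    interfaces: dict[str, Interface] = field(default_factory=dict)
    vtis: list[Vti] = field(default_factory=list)

    def add(self, intf: Interface) -> None:
        self.interfaces[intf.name] = intf


def check_plan(plan: Plan) -> list[str]:
    """Return one human-readable finding per rule violation (empty list = clean)."""
    findings: list[str] = []
    for intf in plan.interfaces.values():
        if intf.terminates_vpn and intf.vr != GLOBAL_VR:
            findings.append(
                f"{intf.name}: terminates VPN but is in VR '{intf.vr}'; "
                f"must be in {GLOBAL_VR}"
            )
    for vti in plan.vtis:
        src = plan.interfaces.get(vti.source)
        if src is None:
            findings.append(f"{vti.name}: tunnel source '{vti.source}' is not a planned interface")
            continue
        if src.vr != GLOBAL_VR:
            findings.append(
                f"{vti.name}: tunnel source {src.name} is in VR '{src.vr}'; "
                f"the FVRF must be {GLOBAL_VR} (the VTI itself may stay in '{vti.vr}')"
            )
    return findings


def sample_plan() -> Plan:
    """Constructed plan mirroring the thread: three VRs, two source ASAs each
    bringing their own outside interface, one of them wrongly placed in a user VR."""
    plan = Plan()
    plan.add(Interface("outside", GLOBAL_VR, terminates_vpn=True))   # ASA1 outside, correct
    plan.add(Interface("insideA", "SiteA"))
    plan.add(Interface("outsideB", "SiteB", terminates_vpn=True))    # ASA2 outside, wrong VR
    plan.add(Interface("insideB", "SiteB"))
    plan.vtis.append(Vti("Tunnel1", source="outside", vr="SiteA"))   # FVRF Global, IVRF SiteA: ok
    plan.vtis.append(Vti("Tunnel2", source="outsideB", vr="SiteB"))  # FVRF in user VR: not ok
    return plan


def fixed_plan() -> Plan:
    """Same plan after moving the second outside interface back into the Global VR."""
    plan = sample_plan()
    plan.add(Interface("outsideB", GLOBAL_VR, terminates_vpn=True))
    return plan


if __name__ == "__main__":
    for finding in check_plan(sample_plan()):
        print("FAIL:", finding)
    print("after fix:", check_plan(fixed_plan()) or "clean")
```

Running it flags both the VPN-terminating `outsideB` in a user VR and `Tunnel2` sourced from it, and shows the plan clean once that interface is moved to Global with `Tunnel2` left in `SiteB`. Route leaking between the Global VR and the user VRs for the tunnel traffic is a separate step and is not modelled here.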