vFMC migration

Chess Norris
Level 4

Hello,

I am helping a customer move their vFMC to new hardware, but with the same network configuration.

I just wanted to verify that I don't miss anything when planning this:

The plan is to install the same FMC and VDB version on the new hardware. Take a config backup from the old FMC, shut it down and then restore the config to the new FMC.

Do I need to de-register the firewalls from the old FMC first (4xASA running firepower services) or will the connection be preserved since the FMC IP is the same?

Also, is there anything I need to think about regarding the licenses? Since these are Firepower Services devices and not FTD, I would guess that they are running classic licenses and not smart licenses.

Thanks

Chess

7 Replies

Marvin Rhoads
Hall of Fame

You should not have to deregister the Firepower service modules since the FMC IP address and sftunnel.conf (where the registration key is stored) remain the same.

You may have a problem with the Classic licenses being recognized as valid. I'm not sure how VMware handles the MAC address on a restored VM in a different ESXi host/cluster. The classic licensing key on an FMC is comprised of the internal model number ("66" for FMCv) plus MAC address of the appliance. So check that first and see how to proceed from there (i.e., you may need to rehost the licenses from software.cisco.com).

Thanks Marvin. The migration is planned for next week. Will post an update after that.


/Chess

Hi Chess, Marvin,


We are in a similar situation, and I was wondering if you had any update on how your process worked out?

Did you need to de-register the licenses and reapply due to a MAC address change?

Or were you able to assign the old MAC to the new migrated VM?

We have FMCv and I believe its MAC was "auto-generated" at time of deployment. I am wondering if it is possible to shut down and clone this VM to a new VM, and keep its UUID and MAC address the same (which I believe is the key to avoiding "license invalid" errors).

I ask because we are attempting an upgrade of FMCv, and last time it was a total failure: it had to be rebuilt from scratch, and licenses also had to be reapplied when it was finally rebuilt.

In case of catastrophic failure of the original FMCv (attempting upgrade from 6.6.4 to 7.0.1), I am hoping we can just shut down the failed one, then spin up the "clone", and it should work OK without any licensing issue? If we keep the cloned VM shut down on the same exact ESXi host, and set the MAC manually to the same as the last VM's "auto-generated" MAC?


Thanks in advance for any insights!

I wanted to provide an update on my own experience.


FMCv 6.6.4 moved to FMCv 7.0.1 (main reason for upgrade is to use SAML authentication with Microsoft Azure AD):


Were we able to assign the old MAC to the new migrated VM?

Yes.

Did we need to re-host the licenses and reapply due to a MAC address change?

No, we kept the same MAC.

By editing the .vmx file manually and forcing it to keep the same exact MAC address, we avoided licensing issues. We were able to shut down and clone the 6.6 FMCv, then power on the clone, and it took over management of all devices and authorized all licensing fine.

We then proceeded to upgrade, and fortunately this time around we did not meet any issues with the upgrade from 6.6.4 directly to 7.0.1.

(There was one issue where the ASAs' Firepower SFR modules were not getting the SNMP Platform Settings from FMC, but no issues with the FTDs yet. After the upgrade of FMC and the SFR module on all the ASAs, we had SNMP trap/polling issues, with SNMP platform settings not applying. I believe this was fixed manually by editing snmp.conf in each ASA SFR module.)


We upgraded 6.6.4 to 7.0.1 FMCv and all devices in order to take advantage of Anyconnect SAML 2.0 / MFA features (using MS Azure).


The new solution has been working now for 1+ month with no issues. It is working as expected.

*** One note: if you want users to get the "Pick an account" dialog (when connecting to AnyConnect VPN) where they can select from their signed-in Windows "Work Accounts" (without having to re-enter both username and password), make sure to DISABLE the "Force IdP re-authentication" requirement when configuring the AAA object for the SAML Single Sign-On.
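As an added example (not code from any post in this thread), here is a small Python helper that performs the .vmx edit described above: it takes the MAC VMware auto-generated for a NIC and pins it as a static address so a clone keeps the MAC the classic license key was derived from. The key names are the standard VMware .vmx keys; the sample .vmx content and the address range check are constructed from VMware's documented rules and are assumptions to verify against your ESXi version.

```python
import re

# VMware's range for manually assigned MACs. An auto-generated address (host-generated
# 00:0c:29:xx or vCenter-generated 00:50:56:8x..bx) lies outside it, so pinning one as
# static also needs checkMACAddress = "FALSE" or the VM refuses to power on. (Assumption
# based on VMware docs; confirm for your ESXi release.)
STATIC_RANGE = (0x005056000000, 0x0050563FFFFF)

_KEY_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are case-insensitive in VMware, kept lowercase here."""
    cfg = {}
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def _key_of(line):
    m = _KEY_RE.match(line)
    return m.group(1).lower() if m else None


def pin_mac(vmx_text, nic="ethernet0"):
    """Return (new_vmx_text, mac) with `nic` switched to a static copy of its current MAC."""
    cfg = parse_vmx(vmx_text)
    if cfg.get(f"{nic}.addresstype", "").lower() == "static":
        mac = cfg.get(f"{nic}.address")
    else:
        mac = cfg.get(f"{nic}.generatedaddress")
    if not mac:
        raise ValueError(f"{nic}: no MAC address found in .vmx")
    # Drop the old addressing keys for this NIC; everything else is kept verbatim.
    drop = {f"{nic}.{k}" for k in ("addresstype", "address", "generatedaddress",
                                   "generatedaddressoffset", "checkmacaddress")}
    kept = [ln for ln in vmx_text.splitlines() if _key_of(ln) not in drop]
    kept += [f'{nic}.addressType = "static"', f'{nic}.address = "{mac}"']
    if not STATIC_RANGE[0] <= int(mac.replace(":", ""), 16) <= STATIC_RANGE[1]:
        kept.append(f'{nic}.checkMACAddress = "FALSE"')
    return "\n".join(kept) + "\n", mac


# Constructed sample .vmx fragment for an FMCv with a host-generated MAC.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "FMCv-66"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:ab:cd:ef"
ethernet0.generatedAddressOffset = "0"
"""
```

Run it against a powered-off VM's .vmx (after backing the file up) and reload the VM in ESXi so the edited file is picked up.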

@garrett.butler thanks for sharing!

rhuysmans
Level 1

Hi,

I have a customer who wants to upgrade their ESXi server from version 6.7 to 7.0. They are running an FMCv on the current v6.7 and they're wondering if the FMCv is supported on ESXi v7.0. I've looked at the release notes and they only specify that v6.7 is the latest version that's supported; however, the date on these release notes is a bit old.

Has anyone heard if the FMCv can run on ESXi version 7.0?

Many thanks.

FMC 7.0 explicitly introduced support for ESXi 7.0.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/compatibility.html#Cisco_Reference.dita_880ff7b8-3e59-48e7-ac60-781d3b4b8f4c

That said, FMC 6.7 should also run on ESXi 7.0; it's just that Cisco doesn't test and certify all combinations and permutations of product and hypervisor.