
ASA to FTD migration failing when selecting RAVPN.

I am attempting to migrate an ASA configuration to FTD, and when I run the migration tool with the below selected, the parsing fails.

NetworkMonkey101_1-1726268119346.png

 

When I deselect RAVPN option the parsing is successful. What could be causing this?

I have checked the licensing on the FMC and it is missing the AnyConnect features, as is the licensing portal. Would this cause this migration to fail at this step?

I have added the AnyConnect win/linux/mac profiles to the FMC. Is anything else required to start the migration of RAVPN?


marce1000
VIP

 

  - Check this thread : https://community.cisco.com/t5/network-security/can-t-migrate-ravpn-config-from-asa-to-ftd/td-p/4772716

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for the reply. I have a single context and used the live connect so not sure if this thread is related. Parsing fails when RAVPN option is selected and returns a list index error seen below. When I deselect RAVPN the parsing is successful.

NetworkMonkey101_0-1726568434273.png

 

The error message "list index out of range" typically indicates that you're trying to access an element in a list that doesn't exist.

Check for any syntax errors or inconsistencies. Verify that the RAVPN profile names and settings are valid and match the corresponding profiles in your FTD environment. As you mentioned, the AnyConnect license might be missing or incorrect. Check the FMC and licensing portal to confirm that the necessary licenses are in place. I can't think of anything else.

 
please do not forget to rate.

I will check the config for syntax errors. The FMC/FTD has AnyConnect Apex licensing selected but it is showing out of compliance. Would this prevent the migration tool from parsing the config?

I think yes but I am not sure of this.

please do not forget to rate.

I have not copied profiles across from the current ASA configuration. Does this need to be done before parsing?

These are the profiles I have found on the ASA

anyconnect profiles Mobile_ACP disk0:/Mobile_ACP.xml
anyconnect profiles PortalUser_client_profile disk0:/PortalUser_client_profile.xml
anyconnect profiles Resilient_ACP disk0:/Resilient_ACP.xml

 

Is there a guide on how to do this?

NetworkMonkey101_0-1726570885151.png

 

 

Yes, you need to copy the AnyConnect profiles from your current ASA configuration to the FMC before running the migration tool. These profiles contain important settings and configurations that are necessary for the successful migration of your AnyConnect VPN. Without them, the migration tool might not be able to properly configure the AnyConnect VPN features on your FTD.

please do not forget to rate.
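To know which profile files have to be copied off the ASA before the upload step discussed above, the saved running-config can be inventoried first. The following is an added example, not code from any poster in this thread or from Cisco; it assumes the full running-config has been saved as text, and the group-policy stanzas in the sample (`GP_Mobile`, `GP_Legacy`, `Old_ACP`) are constructed for illustration.

```python
import re

# Constructed sample: the three "anyconnect profiles" definitions are the lines
# quoted in the thread; the group-policy stanzas are invented for illustration.
SAMPLE_CONFIG = """\
webvpn
 anyconnect profiles Mobile_ACP disk0:/Mobile_ACP.xml
 anyconnect profiles PortalUser_client_profile disk0:/PortalUser_client_profile.xml
 anyconnect profiles Resilient_ACP disk0:/Resilient_ACP.xml
group-policy GP_Mobile attributes
 webvpn
  anyconnect profiles value Mobile_ACP type user
group-policy GP_Legacy attributes
 webvpn
  anyconnect profiles value Old_ACP type user
"""

# Definition: "anyconnect profiles <name> <path>" (global webvpn section).
DEFINE_RE = re.compile(r"^\s+anyconnect profiles (?!value\s)(\S+)\s+(\S+)\s*$")
# Reference: "anyconnect profiles value <name> ..." (inside a group-policy).
REFER_RE = re.compile(r"^\s+anyconnect profiles value (\S+)")
POLICY_RE = re.compile(r"^group-policy (\S+) attributes\s*$")


def inventory_profiles(config_text):
    """Return defined profiles, unreferenced ones, and dangling references."""
    defined, references, policy = {}, [], None
    for line in config_text.splitlines():
        if line and not line[0].isspace():
            # A top-level command starts a new section; track group-policies.
            m = POLICY_RE.match(line)
            policy = m.group(1) if m else None
        elif (m := REFER_RE.match(line)) and policy:
            references.append((policy, m.group(1)))
        elif m := DEFINE_RE.match(line):
            defined[m.group(1)] = m.group(2)
    used = {name for _, name in references}
    return {
        "defined": defined,  # name -> file on the ASA to copy off and upload
        "unreferenced": sorted(set(defined) - used),
        "dangling": [(p, n) for p, n in references if n not in defined],
    }


if __name__ == "__main__":
    report = inventory_profiles(SAMPLE_CONFIG)
    for name, path in report["defined"].items():
        print(f"profile {name}: {path}")
    print("defined but unreferenced:", report["unreferenced"])
    print("referenced but not defined:", report["dangling"])
```

The `defined` map is the list of files to pull from the ASA; the `dangling` list shows group-policies that name a profile with no matching definition, which is worth cleaning up before re-running the parse.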

Ok, I will look into this and re-run the migration tool

In this video, Sameer reviews how you can migrate an ASA Remote Access Virtual Private Network (VPN) configuration to Cisco Secure Firewall Threat Defense using the Firewall Migration Tool. Timestamps: 0:11 - Extract ASA Information & Select Target 1:19 - RAVPN PreRequisites, Optimization, Review

Hi,

I have a list of the profiles and am attempting to upload them to the FMC via objects > vpn > anyconnect file.

Here are files I have pulled off the ASA.

NetworkMonkey101_1-1726730978133.png

How do I determine which file type to use for each of the above?

NetworkMonkey101_0-1726730944995.png

 

You have to select AnyConnect profile.

please do not forget to rate.