- Reference doc on Cisco website
- Migrate legacy Firepower licenses to new FMC mac address on the license portal, download new licenses
- Backup primary and standby FMC
- SSH to FMC and move the backup file from /var/sf/backup/ to /var/common/
- Go to https://<FMC>/ddd/#ATFileDownload;deviceId=0 on primary and standby and enter backup filename to download
- 2 ways to upload the files:
  - Upload files to the new FMC from the GUI backup/restore page
  OR
  - Use WinSCP to copy the file over (update WinSCP if you get an SSH key error)
    - create scpuser in the CLI, copy the backup files to the new FMCs into the /tmp folder
    - move from /tmp to /var/sf/backup
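The SCP path above, as an added example that is not part of the original notes: it stages the backup file in /tmp on the new FMC, checks that the uploaded copy matches the local file before anything is moved, and only then moves it into /var/sf/backup. The hostname, the use of the scpuser account for SSH/SCP, the availability of sha256sum on the FMC shell, and sudo for the final move are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: stage an FMC backup file on the new
# FMC over SCP and verify its integrity on both ends before it is moved into
# /var/sf/backup. Assumptions (all hypothetical): the new FMC is reachable by the
# hostname passed in, the scpuser account from the notes accepts SSH/SCP, and
# sha256sum is present on the FMC shell.

# Print only the SHA-256 digest of a local file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 when the local file's digest equals the digest reported by the remote side.
verify_digest() {
    file=$1
    expected=$2
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Copy one backup file to /tmp on the new FMC, confirm the copy is intact, then
# move it into the directory the restore page reads from.
stage_backup() {
    backup=$1
    new_fmc=$2
    name=$(basename "$backup")

    scp "$backup" "scpuser@$new_fmc:/tmp/$name" || return 1

    # Digest of the uploaded copy, computed on the FMC itself.
    remote_digest=$(ssh "scpuser@$new_fmc" "sha256sum /tmp/$name" | awk '{print $1}')
    verify_digest "$backup" "$remote_digest" || {
        echo "digest mismatch for $name; not moving it into /var/sf/backup" >&2
        return 1
    }

    # /var/sf/backup is root-owned on the FMC; the move is assumed to be done with
    # root privileges in the FMC shell (sudo is an assumption here).
    ssh "scpuser@$new_fmc" "sudo mv /tmp/$name /var/sf/backup/$name"
}

# Usage (assumed names): stage_backup ./fmc-primary-backup.tar new-fmc.example.com
```

Run it once per FMC backup (primary and standby); a digest mismatch leaves the file in /tmp so the upload can simply be repeated.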
- Run migration script
- New Primary FMC migration from CIMC will run similarly to below, then just stop, and reboot. Reason – CIMC IP is ALSO duplicated from Primary FMC so keep it in mind as it will create conflict. I had a new FMC CIMC in a different VLAN so to verify migration logs I had to connect the keyboard/monitor and change CIMC IP manually in BIOS to get back in.
- New Standby FMC migration from CIMC will run similarly to below and may fail into this error.
- Further details can be retrieved from /var/log/restore.log. Since it is happening on Standby FMC I’ve ignored it. After the migration, I can break HA / re-image / redo HA to fix this issue.
- When ready, shut the current FMC mgmt ports and no-shut the new ones. Do the new primary FMC first. Validate connectivity and device status.
- Post-migration issues
- Devices took a while to change state from Disabled to Active.
- New standby FMC hardware version in GUI showed 2500. CIMC still had it as 2600.
- To fix, run this script on the FMC with the incorrect version while HA is paused: /usr/local/sf/etc/model-info/configure-model.sh
- Standard licenses had to be re-imported
- Smart licenses on FTDs were reset to Base. I had to touch each one to turn Malware/Threat/URL back on.
- There were no changes to push after the migration, and connection logs showed fields with “Invalid ID” instead of a name. After making minor changes to the policy and reapplying the policies, the error went away.