Cisco FMC || Hardware migration notes

  • Reference doc on Cisco website
  • Migrate legacy Firepower licenses to the new FMC MAC address on the license portal, download new licenses
  • Back up primary and standby FMC
  • SSH to FMC and move the backup file from /var/sf/backup/ to /var/common/
  • Go to https://<FMC>/ddd/#ATFileDownload;deviceId=0 on primary and standby and enter backup filename to download
  • 2 ways to upload the files
    • Upload files to new FMC from the GUI backup/restore page
    • Use WinSCP to copy the file over (update WinSCP if you get an SSH key error)
      • create scpuser in the CLI, copy backup files to the new FMCs into the /tmp folder
      • move from /tmp to /var/sf/backup
  • Run migration script
    • New Primary FMC migration from CIMC will run similarly to below, then just stop, and reboot. Reason: the CIMC IP is ALSO duplicated from the Primary FMC, so keep it in mind as it will create a conflict. I had a new FMC CIMC in a different VLAN, so to verify migration logs I had to connect the keyboard/monitor and change the CIMC IP manually in BIOS to get back in.

    • New Standby FMC migration from CIMC will run similarly to below and may fail with this error.

    • Further details can be retrieved from /var/log/restore.log. Since it is happening on the Standby FMC, I’ve ignored it. After the migration, I can break HA / re-image / redo HA to fix this issue.

  • When ready, shut the current FMC mgmt ports and no-shut the new ones. Do the new primary FMC first. Validate connectivity and device status.
  • Post-migration issues
    • Devices took a bit to change state from Disable to Active.
    • New standby FMC hardware version in GUI showed 2500. CIMC still had it as 2600.
      • to fix, run this script while HA is paused on the FMC with the incorrect version “/usr/local/sf/etc/model-info/
    • Standard licenses had to be re-imported
    • Smart licenses on FTDs were reset to Base. I had to touch each one to turn Malware/Threat/URL back on.
    • There were no changes to push after the migration, and connection logs were showing fields with “Invalid ID” instead of a name. After making minor changes to the policy and reapplying policies, the error went away.
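
Added example (not part of the original notes): a checksum check for the backup files across the copy steps above, so a truncated download or WinSCP transfer is caught before the migration script runs. It assumes the backups are .tar files and that sha256sum is available in the shell on both FMCs; the manifest file name is hypothetical.

```shell
#!/bin/sh
# Added example: integrity check for FMC backup files across the copy steps.
# Assumptions: backups are .tar files, sha256sum exists on both appliances,
# and "backup.sha256" is a hypothetical manifest name.
#
# Old FMC:  make_manifest /var/common > /var/common/backup.sha256
# New FMC:  verify_manifest /tmp/backup.sha256 /var/sf/backup

# make_manifest DIR: print "<sha256>  <filename>" for every .tar in DIR.
make_manifest() {
    ( cd "$1" || exit 1
      for f in *.tar; do
          [ -f "$f" ] || continue      # no backups present: empty manifest
          sha256sum "$f"
      done )
}

# verify_manifest MANIFEST DIR: check every file listed in MANIFEST inside DIR.
# Returns 0 only if all files exist and match, 1 on any missing or
# mismatched file, 2 if the manifest itself is empty or absent.
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    if [ ! -s "$manifest" ]; then
        echo "empty or missing manifest: $manifest" >&2
        return 2
    fi
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (truncated or altered in transfer)" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

Copy the manifest alongside the backups and run the verify step after the final move into /var/sf/backup, since that is the copy the migration script reads.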


















