Troubleshoot Threat Defense Migration to Cloud-delivered Firewall Management Center

This section details how to troubleshoot specific errors that may occur when migrating threat defense devices to cloud-delivered Firewall Management Center.

Configuration export from On-Premises Firewall Management Center failed

Cause:

  • Disk space is full or nearly full, preventing the export process from being completed.

  • Concurrent operations such as device upgrade, upgrade revert, moving a device between domains, device import and export, device template import and export, or policy analysis are running in on-premises management center.

  • Connectivity issues exist between the on-premises management center and Security Cloud Control.

Workaround:

  1. Perform these actions according to your requirements:

    • Ensure that at least 10% of disk space is available to accommodate the creation of necessary export files.

    • Ensure that no parallel operations are running during the migration.

    • Ensure that the network connection between on-premises management center and Security Cloud Control is stable and reliable.

  2. Retry the migration.

  3. If the issue persists, contact Cisco TAC.

Failed to initiate import in Security Cloud Control

Cause:

Import can fail if:

  • Disk space is full or nearly full, preventing the import process from being completed.

  • Concurrent operations such as device upgrade, upgrade revert, moving a device between domains, device import and export, device template import and export, or policy analysis are running in cdFMC.

Workaround:

  1. Ensure that no other operations are running during import and retry migration.

  2. If the issue persists, contact Cisco TAC.

Failed to retrieve the most recent device information from On-Premises Firewall Management Center

Cause:

  • Network connectivity issues.

  • DNS settings.

  • Device synchronization issues.

Workaround:

  1. Perform these actions according to your requirements:

    • Ensure that the network connection between Security Cloud Control and on-premises management center is stable.

    • Ensure that DNS settings for resolving Firewall Management Center hostnames are correct.

    • Ensure network access for threat defense devices through TCP ports 8305 and 443.

    • Ensure outbound connectivity to port 443 to Security Cloud Control and cdFMC hosts.

    • Ensure that the devices are synchronized without any pending changes.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.

Failed to import configuration from On-Premises Firewall Management Center

Cause:

The On-Premises Firewall Management Center configuration may include policies or object configurations that are unsupported or are conflicting, leading to migration failure.

Workaround:

  1. Check the On-Premises Firewall Management Center configuration for unsupported policies or object configurations to ensure compatibility.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.

Failed to complete device discovery

Cause:

Conflicts or unhandled scenarios exist in the device configuration or within Security Cloud Control's internal operations, such as incompatible settings or conditions that Security Cloud Control does not support.

Workaround:

  1. Perform these actions according to your requirements:

    • Inspect the device configuration in On-Premises Firewall Management Center for settings or scenarios that Security Cloud Control does not support and make the necessary updates.

    • Check system logs for errors and confirm that both the On-Premises Firewall Management Center and the device are functioning properly.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.

Failed to connect the device to Security Cloud Control

Cause:

Possible causes include the device being powered off, network connectivity issues, or a firewall blocking the necessary ports.

Workaround:

  1. Perform these actions according to your requirements:

    • Confirm that the device is powered on and that the network connection is stable. Look for firewall issues, blocked ports, and incorrect cabling.

    • Ensure that your device has the correct DNS server configuration for resolving Security Cloud Control hostnames.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.

Failed to register the device, causing the manager to revert to On-Premises Firewall Management Center

Cause:

The device failed to register with Cloud-delivered Firewall Management Center during migration, causing the system to revert the device manager to On-Premises Firewall Management Center. This may be because of connectivity issues.

Workaround:

  1. Perform these actions according to your requirements:

    • Verify DNS settings for resolving Security Cloud Control hostnames.

    • Ensure that network access is enabled for TCP port 8305, allowing the threat defense devices to connect to the Cloud-delivered Firewall Management Center.

    • Allow outbound HTTPS connections on threat defense devices to reach the Cloud-delivered Firewall Management Center and upload configurations to Security Cloud Control.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.
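The disk-space, DNS, and TCP 8305/443 checks called for in the export, "Failed to retrieve the most recent device information", and "Failed to register the device" workarounds above can be scripted as one pre-flight check. This is an added example, not Cisco's tooling; the hostnames are placeholders, and it assumes it is run from a host that shares the threat defense device's network path to the management center.

```python
import shutil
import socket

# Thresholds taken from the workarounds on this page: at least 10% free disk,
# and TCP 8305 plus 443 reachable toward the management center endpoints.
MIN_FREE_DISK_PERCENT = 10.0
MANAGEMENT_PORTS = (8305, 443)


def disk_free_percent(path="/"):
    """Percentage of free space on the filesystem that holds `path`."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.free / usage.total


def resolve(host):
    """Sorted list of addresses `host` resolves to, or [] when DNS lookup fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or unresolvable
        return False


def preflight(hosts, ports=MANAGEMENT_PORTS, path="/", timeout=3.0):
    """Run every check; report["ok"] is True only when all of them pass."""
    report = {"disk_free_percent": round(disk_free_percent(path), 1), "hosts": {}}
    report["disk_ok"] = report["disk_free_percent"] >= MIN_FREE_DISK_PERCENT
    for host in hosts:
        addresses = resolve(host)
        # Skip the port probes when the name does not resolve: the fault is DNS.
        ports_ok = {p: bool(addresses) and tcp_reachable(host, p, timeout) for p in ports}
        report["hosts"][host] = {"resolves": bool(addresses), "addresses": addresses, "ports": ports_ok}
    report["ok"] = report["disk_ok"] and all(
        h["resolves"] and all(h["ports"].values()) for h in report["hosts"].values()
    )
    return report


if __name__ == "__main__":
    # Placeholder names: substitute your on-premises management center and cdFMC hosts.
    print(preflight(["onprem-fmc.example.com", "cdfmc.example.com"]))
```

A host whose `resolves` is False points at the DNS workaround; a host that resolves but shows a port as False points at a firewall or routing block on that port.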

Failed to unregister the device due to an ongoing deployment

Cause:

Migration failed because a deployment is in progress on the device.

Workaround:

  1. Perform these actions according to your requirements:

    • Wait for the ongoing deployment to finish.

    • Confirm that the device is stable, with no pending tasks.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC for support.

Report generation failed after successful FTD migration to Cloud-delivered Firewall Management Center

Cause:

The report generation failure may be because of temporary system glitches.

Workaround:

  • Generate the report after some time to overcome the temporary system issues that might have caused the initial failure.

  • If the issue persists, contact Cisco TAC.

Failed to initiate FTD migration to Cloud-delivered Firewall Management Center

Cause:

  • Ongoing migration in the source manager.

  • Unsupported device version.

  • Incorrect DNS and network configuration.

Workaround:

  1. Perform these actions according to your requirements:

    • Confirm that no other migration jobs are active in the same source manager.

    • Verify that the devices are on supported versions, have no pending changes to be deployed, and are active.

    • Ensure that the DNS settings are correct and that network access is available to communicate with cdFMC.

  2. If the issue persists, contact Cisco TAC.

Failed to deploy changes from Security Cloud Control

Cause:

Device migration to cdFMC failed during deployment.

Workaround:

  1. Perform these actions according to your requirements:

    • Attempt the deployment again from the Deployment page on cdFMC.

    • Check for out-of-band changes, which are changes made directly on the device rather than through Security Cloud Control. If out-of-band changes exist, they may interfere with the deployment. Use Security Cloud Control's Check for changes functionality to identify and address them.

    • Ensure that all the configurations are supported and do not conflict with the current device settings.

    • Verify that the device is onboarded and reachable by both the Security Cloud Control and management center, with the necessary internet access and communication capabilities.

  2. If the issue persists, contact Cisco TAC.

Failed to commit FTD migration to Cloud-delivered Firewall Management Center

Cause:

  • The 14-day evaluation period has expired.

  • Threat Defense devices have been reverted to or deleted from the On-Premises Firewall Management Center, preventing further actions.

Workaround:

  1. Try committing again to address any transient network or device issues.

  2. If the issue persists, contact Cisco TAC.

Failed to retain device on On-Premises Firewall Management Center for Analytics

Cause:

If your source manager is an On-Premises Firewall Management Center 1000/2500/4500, it cannot support retaining devices for Analytics because of its limited resources.

Workaround:

  1. Ensure that the Retain on On-Prem FMC for Analytics option is selected during the migration process.

  2. If the issue persists, contact Cisco TAC.

Failed to revert the device manager to On-Premises Firewall Management Center

Cause:

  • The device cannot be reverted if the 14-day evaluation period has expired.

  • Threat Defense devices have been reverted to or deleted from the On-Premises Firewall Management Center, preventing further actions.

Workaround:

  1. Perform these actions according to your requirements:

    • Try committing the changes again to address the temporary server or network issues.

    • If changes have occurred in the high availability configuration after migration, reset the devices to their original migration state before attempting to commit.

  2. If the issue persists, contact Cisco TAC.

Failed to configure Security Cloud Control as the configuration manager

Cause:

The device already has a configuration manager.

Workaround:

  1. If another configuration manager is present, remove it manually and retry the migration.

  2. If the issue persists, contact Cisco TAC.

Failed to commit migration; the device is ineligible

Cause:

  • The device has pending changes that have to be deployed.

  • The device to be migrated is part of FTD high availability (HA), but the current state is invalid, for example, it is in Active/Active state.

  • The device to be migrated is connected in Analytics-only mode.

  • Cluster migration is supported only for FTDs version 7.4 and above.

  • Migration for chassis and MI FTDs on models 3100/4200 is currently not supported.

Workaround:

  1. Perform these actions according to your requirements:

    • Verify that the device is up to date with On-Premises Firewall Management Center, then retry migration.

    • Ensure all pending changes on the devices are deployed.

    • Confirm that the threat defense device is in a valid state, such as Active/Standby. If the status isn't correctly reflected in On-Premises Firewall Management Center, use the Force refresh node status option on the device listing page to update the correct status on management center.

  2. If the issue persists, contact Cisco TAC.

Failed to import site-to-site VPN policies from On-Premises Firewall Management Center

Cause:

The failure may be due to various factors, such as VPN policy configuration or network connectivity issues.

Workaround:

  1. Perform these actions according to your requirements:

    • Verify your site-to-site VPN policies in On-Premises Firewall Management Center to ensure there are no configuration errors. If object overrides are used within network objects, manually add these overrides to Security Cloud Control after migration.

    • Ensure that both the On-Premises Firewall Management Center and the targeted device have stable and reliable network connections to Security Cloud Control.

    • If the authentication type is set as Pre-shared Automatic Key in On-Premises Firewall Management Center, Security Cloud Control generates a new pre-shared key for the VPN post-migration deployment without disrupting existing tunnels.

  2. Retry migration.

  3. If the issue persists, contact Cisco TAC.

Failed to migrate as all devices within the topology need to be migrated simultaneously

Cause:

Migrating multiple devices, particularly those within the same network topology, requires synchronizing their migrations to avoid inconsistencies and potential errors. All devices should be migrated within the same timeframe.

Workaround:

  1. Perform these actions according to your requirements:

    • Devices registered for Analytics-only with the On-Premises Firewall Management Center or those with pending changes are not eligible for migration.

    • When selecting a device associated with a site-to-site VPN topology, Security Cloud Control automatically selects peer devices from the same or different topology, as all devices in the topology must be migrated together for success. Extranet devices, if any, are not listed by the wizard.

    • The S2S VPN Topology column shows the number of site-to-site VPN topologies a device is part of. Click the topology link to view the topologies and devices migrating with the selected device. This field does not apply to devices outside the site-to-site VPN topology.

    • A high-availability pair is shown as a single node. Select this node to include both active and standby devices in the migration.

  2. If the issue persists, contact Cisco TAC.

HTTP status code 201 (created) found in On-Premises Firewall Management Center response

Cause:

The Secure Device Connector (SDC) version is not compatible.

Workaround:

  1. Ensure that the SDC is upgraded to version 202205191350 or later.

    • In the left pane, click Administration > Integrations > Secure Connectors or Administration > Secure Connectors.

    • Click the SDC to view the existing version in the Details pane on the right.

    • Update your Secure Device Connector.