topic Re: Interface is showing invalid after migrating from cisco asa firewall in General Topics

Interface is showing invalid after migrating from cisco asa firewall

OsamaKhan — Wed, 21 Oct 2020 13:49:22 GMT

Hi,

I have migrated the Cisco ASA firewall backup to PA NGFW.

After importing the backup, the validation error showing the interface is already in use.

can anybody, help me how to resolve this issue.

Re: Interface is showing invalid after migrating from cisco asa firewall

S.Cantwell — Wed, 21 Oct 2020 19:32:26 GMT

It appears to me, that the the PANW FW may already have interfaces that exist

The migration utility that you used created what would be duplicate entries within the XML.

If this is the issue, then you will need to carefully edit the XML and load in a clean config.

Welcome to Professional Services! 😛

Re: Interface is showing invalid after migrating from cisco asa firewall

OsamaKhan — Thu, 22 Oct 2020 05:36:02 GMT

Hi @S.Cantwell

Is it possible to remove duplicate entries from XML?

Can you share KB article or guide to resolve it

Re: Interface is showing invalid after migrating from cisco asa firewall

OtakarKlier — Thu, 22 Oct 2020 22:15:47 GMT

Hello,

Yes you can change the XML, however be cautious as to what you are editing in/out. Did you use the import tool, expedition? I always prefer to build my firewall from scratch so I become familiar with the new config and make sure I dont transfer any old policies/configs that are no longer valid. But I understand if its a big config that is not possible. It does seem that the import is attempting to create new interfaces and it should not.

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

Regards,

Re: Interface is showing invalid after migrating from cisco asa firewall

S.Cantwell — Mon, 26 Oct 2020 10:04:45 GMT

Hello again.

I thought this group already explained, but let's try again.

Open the xml with an editor like Notepad++

Search for all instances of your interfaces

When you open the xml, you will probably find duplicate entries.

For the sake of example... I will only use ethernet1/1

The above if the config for ethernet1/1....

Having a single instance of Ethernet1/1 is correct.

But, if you look in your config.. you may have a 2nd instance

You could have duplicate elsewhere.. like routing table:

<virtual-router>
<entry name="default">
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

</interface>

Notice that I duplicated (for example my eth1/1 through eth1/3)

You just need to roll up your sleeves, and manually remove your duplicate interface configs, wherever they are, in your config.