Migration tool downgrade

L2 Linker

Migration tool downgrade

Hi,

 

Is there a way to do a downgrade of the migration tool appliance, or to export an existing project to a different migration tool appliance?

I'm suffering from a bug in 3.3.14 that was not there in 3.3.10, and I would like to avoid doing too much work over again.

 

Kind regards,

Arne

L7 Applicator

Re: Migration tool downgrade

Hi,

 

What bug? Can you describe it please?

L2 Linker

Re: Migration tool downgrade

I'm doing a conversion from Juniper, and the security rules are copied over nicely and have names like "Rule ID 5237". On the NAT rulebase, however, this is changed to "Nat interface RuleID 131", where the rule ID refers to its position in the rulebase. The order is also out of sync. I did another cluster with the same devices/version on the 3.3.10 version and didn't have that problem back then.

Kr,

Arne

L7 Applicator

Re: Migration tool downgrade

The NAT rule names are related to the NAT type. If the zone destination needs to be calculated by the interface associated to the egress interface, then the rule is named like "Nat interface XXx"; if the NAT type is a DIP, the rule will be named "Nat DIP dip_id xx". So this was always the case. This behaviour has been the same for a long time...

 

The Rule ID is related to the internal ID we assign to each rule (not the order). But if you want to rename the rules, you can right-click one of your NAT rules and select Rule Names. Then you can remove all the rule names and create them again by selecting the option Rename to Rule XX. This will create all the names based on the order, like "Rule 1, Rule 2, etc."

 

Hope this helps !

L2 Linker

Re: Migration tool downgrade

No, actually, on the previous cluster I did, I have a NAT policy called "Nat interface RuleID-432" and a security policy called "Rule ID 432", which matches the Juniper config file line:

set policy id 432 from "***_Hosting" to "****_Internet" "*******iis14" "Any" "http-s" nat src permit log

 

But now, for a similar Juniper config file line:

"set policy id 1947 from "*****_Lan" to "****_Tars" "Any" "*****-docushare" "Specialinternet" nat src dip-id 10 permit log "

 

 

 

It created a NAT rule called "Nat DIP RuleID 2656" (where 2656 is the actual position in the Juniper rulebase) and a security rule called "Rule ID 1947". Which confuses the hell out of us at the moment. :-)

Would you be able to join a webex to see for yourself?

L7 Applicator

Re: Migration tool downgrade

I see. The problem is that for security rules we respect the policy ID (if it exists), but we assign an internal ID. For all the NATs we found, we reference the rules by the internal ID, not by the policy ID provided by Juniper... We need to think about the best approach to fix this without breaking anything :)

 

As a workaround, it will work for you to rename the security rules to Rule XX; then the NATs will be related to the rule position (or internal ID) in the case you have only uploaded one config in your project... Sorry
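Added example, not from the thread or the migration tool: a small Python check that parses ScreenOS `set policy id` lines and, for the number found in a converted NAT rule name, returns both the policy it would mean as a Juniper policy ID and the one it would mean as a rulebase position. The sample config is constructed, and treating `nat src` without `dip-id` as the "interface" type is an assumption.

```python
import re
import shlex

# Constructed sample in ScreenOS syntax; all names are placeholders.
SAMPLE_CONFIG = '''\
set policy id 432 from "Hosting" to "Internet" "web01" "Any" "HTTP" nat src permit log
set policy id 7 name "dns out" from "Lan" to "Internet" "Any" "Any" "DNS" permit
set policy id 1947 from "Lan" to "Partner" "Any" "docushare" "HTTPS" nat src dip-id 10 permit log
set policy id 1947
set service "FTP"
exit
'''

POLICY_RE = re.compile(r'^set policy id (\d+)(?: name "[^"]*")? from ')

def parse_policies(config_text):
    """Return policy definitions in config order; position is 1-based."""
    policies = []
    for raw in config_text.splitlines():
        line = raw.strip()
        match = POLICY_RE.match(line)
        if not match:
            continue  # skips "set policy id N" sub-blocks and unrelated lines
        tokens = shlex.split(line)
        start = 6 if tokens[4] == "name" else 4      # index of "from"
        opts = tokens[start + 7:]                    # after zones, src, dst, service
        is_nat = any(a == "nat" and b == "src" for a, b in zip(opts, opts[1:]))
        dip_id = int(opts[opts.index("dip-id") + 1]) if "dip-id" in opts else None
        # Assumption: "nat src" without a dip-id is the "interface" type.
        nat = None if not is_nat else ("DIP" if dip_id is not None else "interface")
        policies.append({"position": len(policies) + 1,
                         "policy_id": int(match.group(1)),
                         "nat": nat, "dip_id": dip_id})
    return policies

def candidates_for(policies, number):
    """Both readings of the number found in a converted NAT rule name."""
    nat_rules = [p for p in policies if p["nat"]]
    return {
        "as_policy_id": next((p for p in nat_rules if p["policy_id"] == number), None),
        "as_position": next((p for p in nat_rules if p["position"] == number), None),
    }

if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONFIG)
    for p in parsed:
        print(p)
    print(candidates_for(parsed, 3))
```

Running it against the original Juniper config and comparing the two readings for each converted NAT rule name shows whether a given import numbered the NAT rules by policy ID or by position.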

L2 Linker

Re: Migration tool downgrade

Well, the funny bit is that I converted a Juniper config where it went fine; the NAT rule IDs there match the security rule IDs. If I take that very same Juniper config and try it again, it goes wrong too, on different versions of the migration tool, leaving me wondering what I did differently on which version.

 

I see your suggestion to rename the rules but it goes slightly beyond that. The order in which the NAT rules are positioned in the NAT rulebase doesn't seem to match the original config order. I'll see what happens to the NAT order when I rename the security policies (although some people are not going to like that) and get back to you.

L7 Applicator

Re: Migration tool downgrade

Agree. We have to find a better way to approach this.

 

To clarify the IDs now: if you rename the security policies with Rule XX and your config is the first one imported in your project, the internal ID will match the new Rule XX, where XX is the position; in this case the position and the ID will be the same. All the NATs that came from a security rule, like DIP or NAT SRC for instance, are named with the security rule ID... Only in this scenario will the security rule ID match (for now) the NAT rule ID. Hope this helps...

L2 Linker

Re: Migration tool downgrade

Could you help out maybe with a short remote session anyway? I'm trying to do the right-click to do the rename of the rules (XX), but after clicking it (on one / a bunch of rules) it doesn't seem to do anything at all.

L7 Applicator

Re: Migration tool downgrade

Have you used the option to remove the name first? If the rule actually has a name, the tool will not override it. :) After that, if it doesn't work, I will arrange a GoToMeeting :) Regards
