
Expedition migrates ASA vxlan protocol to wrong port


L0 Member

Hi,

We had an issue with a connection after migrating from ASA to a Palo Alto firewall because Expedition was migrating the vxlan protocol to the wrong port udp/6500, but it should be udp/4789.

 

Can you fix this bug?

 

Regards
Roman
6 REPLIES

L6 Presenter

Hi @crabevil, can you please open a TAC case and attach the original ciscoasa config in the case? Please write an email to fwmigrate@paloaltonetworks.com with the TAC case#.

Hi @lychiang,

How do I open a TAC case for Expedition?

In the customer support portal there is no possibility to open a TAC case for product type Expedition.

 


NOTE: Expedition is supported by the community as best effort. The Palo Alto Networks TAC does not provide support, so please post your questions in the Expedition discussions area.

Regards
Roman

Hi @crabevil, you will select pan-os and select the serial# of the device, then you can open the case. The case is opened so you can securely share files with the Expedition team.

L4 Transporter

Hi @crabevil,

 
Thanks for reaching out.
 
As I included in the answer by email:
 
Expedition has a mapping file for each vendor to map known vendor services with defined port/protocol service or Palo Alto Networks app_id.
 
You can edit your file, but keep in mind it will be overridden once you update Expedition.
 
The file is located in /var/www/html/contents/parsers on the VM and named like 'vendor' - services.csv or 'vendor' - groups.csv (for group service objects).
 
I will include the vxlan service in the default mapping file for cisco in release 1.2.64.
 
Let me know if you have any further questions,
 
Best regards,

L1 Bithead

Interesting - I just had the same issue. It migrated the obj "domain" to udp 6500. This wasn't from an ASA but from an old FWSM.

Hi @MichaelBredell,

Thanks for reaching out.

You could use the same solution as above, adding the domain service.
Also, if you share with us the mapping you used, we could add it as a default value.

Best regards,

David
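
A post-migration check for the problem reported in this thread, as an added example that is not Expedition's code or code from any poster: it scans a migrated configuration in PAN-OS set-command format for service objects that landed on udp/6500 or that disagree with a known port. Assumptions: the config is available as set commands, service names contain no spaces, and `domain` is expected on udp/53 (the standard DNS port, not stated in the thread); the sample input is constructed.

```python
import re

# Expected ports for service names seen in this thread. vxlan udp/4789 is from
# the thread; domain udp/53 is the standard DNS port (assumption, not stated there).
EXPECTED = {"vxlan": ("udp", "4789"), "domain": ("udp", "53")}
SUSPECT_PORT = "6500"  # port both posters saw assigned by mistake

# PAN-OS set-format service object, with optional shared/device-group/vsys prefix.
SERVICE_RE = re.compile(
    r"^set\s+(?:shared\s+|device-group\s+\S+\s+|vsys\s+\S+\s+)?service\s+(\S+)\s+"
    r"protocol\s+(tcp|udp)\s+port\s+(\S+)\s*$"
)

def audit_services(config_text):
    """Return (name, proto, port, reason) for each service object worth reviewing."""
    findings = []
    for line in config_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, proto, port = m.groups()
        key = name.lower()
        if key in EXPECTED and (proto, port) != EXPECTED[key]:
            want = "/".join(EXPECTED[key])
            findings.append((name, proto, port, f"expected {want}"))
        elif key not in EXPECTED and port == SUSPECT_PORT:
            # Unknown name on the suspect port: may be legitimate, needs a human check.
            findings.append((name, proto, port, "verify against source config"))
    return findings

# Constructed sample of migrated output (not taken from a real device).
SAMPLE = """\
set service vxlan protocol udp port 6500
set service domain protocol udp port 6500
set service https-alt protocol tcp port 8443
set service app-sync protocol udp port 6500
set device-group DG1 service vxlan protocol udp port 4789
"""

if __name__ == "__main__":
    for name, proto, port, reason in audit_services(SAMPLE):
        print(f"{name}: {proto}/{port} -> {reason}")
```

Any object flagged here also means the migrated rule permits udp/6500, which the source policy never allowed, so correct the object before the rulebase goes live.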
