Migrate VPNs from ASA


L1 Bithead

Hi Guys, 


I'm migrating to a PA 3220 running PAN-OS 8.1.5. I migrated the Cisco config using the migration tool 3.3.10.

Policies, Zones, Interfaces, NATs, everything was migrated. However, site to site VPNs weren't.


Doesn't the migration tool migrate site to site VPNs?

Am I missing something?



L3 Networker

Have you tried this in Expedition?  MT3 has not been updated in years and will not be.

Your S2S tunnels should migrate.



I'm going to install Expedition and migrate again. Thanks.

Hi mate,
Unfortunately, it didn't work using Expedition either. No IPSec tunnel was imported.

Any idea?


Can you contact us at fwmigrate at paloaltonetworks dot com to check it further?


Expedition should be able to import your VPNs, so we will check it.

it would be good to hear the general outcome of such exchanges.


i realize that you shouldn't reveal sensitive information, but tips on what the problem was and the general resolution would help others greatly.



The Cisco parser in Expedition has been improved to understand and include more types of VPNs.

In the newest versions of Expedition this should be fixed.

thanks, that helps the rest of us know what happened.


i had a different problem: the VPNs migrated, but they were all invalid.


finally figured out that the IKE profiles weren't assigned so i had to select them then they were okay.


i had to figure this out myself: are there any guides that would have given me a clue?



You can check the migration workflow guide here:



Also, you can send an email to fwmigrate at paloaltonetworks dot com to check this problem further.

Most probably that piece of information is not updated in your Manual.

Sorry for not having it updated enough.


yes, i used the guide, but it didn't say much about VPNs.


will keep in mind the option of fwmigrate dot com



don't get me wrong, it did a great job of converting overall. the logs were helpful, just had to figure out the correlation.


one thing: with the NAT rules, the warnings were connected when i edited, but not on the VPN, so it took me longer to track down the connection.







I will take a look into this
