10-21-2020 06:49 AM
Hi,
I have migrated the Cisco ASA firewall backup to PA NGFW.
After importing the backup, a validation error shows that the interface is already in use.
Can anybody help me resolve this issue?
10-26-2020 03:04 AM
Hello again.
I thought this group already explained, but let's try again.
Open the xml with an editor like Notepad++
Search for all instances of your interfaces
When you open the xml, you will probably find duplicate entries.
For the sake of example... I will only use ethernet1/1
<devices>
  <entry name="localhost.localdomain">
    <network>
      <interface>
        <ethernet>
          <entry name="ethernet1/1">
            <layer3>
              <ndp-proxy>
                <enabled>no</enabled>
              </ndp-proxy>
              <ip>
                <entry name="172.26.0.1/16"/>
              </ip>
              <lldp>
                <enable>no</enable>
              </lldp>
            </layer3>
          </entry>
The above is the config for ethernet1/1.
Having a single instance of ethernet1/1 is correct.
But if you look in your config, you may have a 2nd instance:
<devices>
  <entry name="localhost.localdomain">
    <network>
      <interface>
        <ethernet>
          <entry name="ethernet1/1">
            <layer3>
              <ndp-proxy>
                <enabled>no</enabled>
              </ndp-proxy>
              <ip>
                <entry name="172.26.0.1/16"/>
              </ip>
              <lldp>
                <enable>no</enable>
              </lldp>
            </layer3>
          </entry>
OR
You could have duplicates elsewhere, like the routing table:
<virtual-router>
  <entry name="default">
    <interface>
      <member>ethernet1/1</member>
      <member>ethernet1/2</member>
      <member>ethernet1/3</member>
      <member>ethernet1/1</member>
      <member>ethernet1/2</member>
      <member>ethernet1/3</member>
    </interface>
Notice that I duplicated (for example) my eth1/1 through eth1/3.
You just need to roll up your sleeves, and manually remove your duplicate interface configs, wherever they are, in your config.
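A read-only way to locate the duplicates described in the post above before editing by hand, as an added example (not code from the thread or from Palo Alto Networks): it parses an exported config and reports `<entry name="...">` and `<member>` elements that repeat under the same parent. The sample XML is constructed from the snippets above, and the `find_duplicates` name is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the snippets in the post above (not a real export).
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3><ip><entry name="172.26.0.1/16"/></ip></layer3></entry>
    <entry name="ethernet1/2"><layer3/></entry>
    <entry name="ethernet1/1"><layer3><ip><entry name="172.26.0.1/16"/></ip></layer3></entry>
  </ethernet></interface>
  <virtual-router><entry name="default"><interface>
    <member>ethernet1/1</member><member>ethernet1/2</member>
    <member>ethernet1/1</member>
  </interface></entry></virtual-router>
 </network>
</entry></devices></config>"""

def find_duplicates(xml_text):
    """Return sorted (parent_path, kind, value, count) for repeated siblings."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(node, path):
        # Siblings collide when two <entry> share a name or two <member> share text.
        entries = Counter(c.get("name") for c in node
                          if c.tag == "entry" and c.get("name"))
        members = Counter((c.text or "").strip() for c in node if c.tag == "member")
        for kind, counts in (("entry", entries), ("member", members)):
            for value, n in counts.items():
                if n > 1:
                    findings.append((path, kind, value, n))
        for child in node:
            label = child.tag
            if child.tag == "entry" and child.get("name"):
                label += f"[@name='{child.get('name')}']"
            walk(child, f"{path}/{label}")

    walk(root, root.tag)
    return sorted(findings)

if __name__ == "__main__":
    # Nothing is modified; the output only tells you where to look in the editor.
    for path, kind, value, n in find_duplicates(SAMPLE):
        print(f"{n}x {kind} {value!r} under {path}")
```

To check a real export, pass the file's text to `find_duplicates` instead of `SAMPLE`, and keep an untouched copy of the config before removing anything.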
10-21-2020 12:32 PM
It appears to me that the PANW FW may already have interfaces that exist
OR
The migration utility that you used created what would be duplicate entries within the XML.
If this is the issue, then you will need to carefully edit the XML and load in a clean config.
Welcome to Professional Services! 😛
10-21-2020 10:36 PM
Hi @S.Cantwell
Is it possible to remove duplicate entries from the XML?
Can you share a KB article or guide to resolve it?
10-22-2020 03:15 PM
Hello,
Yes, you can change the XML; however, be cautious as to what you are editing in/out. Did you use the import tool, Expedition? I always prefer to build my firewall from scratch so I become familiar with the new config and make sure I don't transfer any old policies/configs that are no longer valid. But I understand if it's a big config that is not possible. It does seem that the import is attempting to create new interfaces and it should not.
https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool
Regards,