Interface is showing invalid after migrating from cisco asa firewall

L2 Linker

Hi,

 

I have migrated the Cisco ASA firewall backup to a PA NGFW.

After importing the backup, a validation error shows that the interface is already in use.

 


 

Can anybody help me resolve this issue?

 

 

Thanks and Regards,
OK.

Accepted Solutions
Cyber Elite

Hello again.

 

I thought this group already explained, but let's try again.

 

Open the xml with an editor like Notepad++

 

Search for all instances of your interfaces

When you open the xml, you will probably find duplicate entries.

 

For the sake of example... I will only use ethernet1/1

 

<devices>
  <entry name="localhost.localdomain">
    <network>
      <interface>
        <ethernet>
          <entry name="ethernet1/1">
            <layer3>
              <ndp-proxy>
                <enabled>no</enabled>
              </ndp-proxy>
              <ip>
                <entry name="172.26.0.1/16"/>
              </ip>
              <lldp>
                <enable>no</enable>
              </lldp>
            </layer3>
          </entry>

 

The above is the config for ethernet1/1.

 

Having a single instance of Ethernet1/1 is correct.

 

But, if you look in your config, you may have a 2nd instance:

 

<devices>
  <entry name="localhost.localdomain">
    <network>
      <interface>
        <ethernet>
          <entry name="ethernet1/1">
            <layer3>
              <ndp-proxy>
                <enabled>no</enabled>
              </ndp-proxy>
              <ip>
                <entry name="172.26.0.1/16"/>
              </ip>
              <lldp>
                <enable>no</enable>
              </lldp>
            </layer3>
          </entry>

 

OR

 

You could have duplicates elsewhere, like the routing table:

 

<virtual-router>
  <entry name="default">
    <interface>
      <member>ethernet1/1</member>
      <member>ethernet1/2</member>
      <member>ethernet1/3</member>

      <member>ethernet1/1</member>
      <member>ethernet1/2</member>
      <member>ethernet1/3</member>

    </interface>

 

Notice that I duplicated (for example) my eth1/1 through eth1/3.

 

You just need to roll up your sleeves, and manually remove your duplicate interface configs, wherever they are, in your config.

 

 

 

 

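The search-and-remove the post describes can be done mechanically before loading the file. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses a PAN-OS style config, reports every ethernet `<entry>` and every virtual-router `<member>` that appears more than once, and writes a cleaned copy that keeps only the first occurrence of each. The XML it runs on is a constructed sample shaped like the fragments in the post (a `<config>` root wrapping `<devices>` is assumed; adjust the two path constants if your export nests them differently).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real export: ethernet1/1 is defined twice and the
# virtual router lists eth1/1..eth1/3 twice, the situation described in the post.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <layer3><ip><entry name="172.26.0.1/16"/></ip></layer3>
            </entry>
            <entry name="ethernet1/2">
              <layer3><ip><entry name="10.0.0.1/24"/></ip></layer3>
            </entry>
            <entry name="ethernet1/1">
              <layer3><ip><entry name="172.26.0.1/16"/></ip></layer3>
            </entry>
          </ethernet>
        </interface>
        <virtual-router>
          <entry name="default">
            <interface>
              <member>ethernet1/1</member>
              <member>ethernet1/2</member>
              <member>ethernet1/3</member>
              <member>ethernet1/1</member>
              <member>ethernet1/2</member>
              <member>ethernet1/3</member>
            </interface>
          </entry>
        </virtual-router>
      </network>
    </entry>
  </devices>
</config>"""

# Assumed element paths, relative to the <config> root, matching the post's fragments.
ETH_PATH = "./devices/entry/network/interface/ethernet"
VR_PATH = "./devices/entry/network/virtual-router/entry"


def duplicate_interface_entries(root):
    """Return {interface name: count} for ethernet entries defined more than once."""
    names = Counter()
    for eth in root.findall(ETH_PATH):
        for entry in eth.findall("entry"):
            names[entry.get("name")] += 1
    return {n: c for n, c in names.items() if c > 1}


def duplicate_vr_members(root):
    """Return {vr name: {member: count}} for members listed more than once in a VR."""
    result = {}
    for vr in root.findall(VR_PATH):
        members = Counter(m.text.strip() for m in vr.findall("interface/member") if m.text)
        dups = {n: c for n, c in members.items() if c > 1}
        if dups:
            result[vr.get("name")] = dups
    return result


def remove_duplicates(root):
    """Drop repeats of ethernet entries and VR members, keeping the first of each. Returns count removed."""
    removed = 0
    for eth in root.findall(ETH_PATH):
        seen = set()
        for entry in list(eth.findall("entry")):  # list(): we mutate while iterating
            name = entry.get("name")
            if name in seen:
                eth.remove(entry)
                removed += 1
            else:
                seen.add(name)
    for vr in root.findall(VR_PATH):
        iface = vr.find("interface")
        if iface is None:
            continue
        seen = set()
        for member in list(iface.findall("member")):
            name = (member.text or "").strip()
            if name in seen:
                iface.remove(member)
                removed += 1
            else:
                seen.add(name)
    return removed


def audit_and_clean(xml_text):
    """Report duplicates, remove them, and re-audit the result so the caller can verify the file is clean."""
    root = ET.fromstring(xml_text)
    before = {"ethernet": duplicate_interface_entries(root),
              "virtual-router": duplicate_vr_members(root)}
    removed = remove_duplicates(root)
    after = {"ethernet": duplicate_interface_entries(root),
             "virtual-router": duplicate_vr_members(root)}
    return {"before": before, "after": after, "removed": removed,
            "xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    result = audit_and_clean(SAMPLE_CONFIG)
    print("duplicates found:", result["before"])
    print("elements removed:", result["removed"])
    print("duplicates remaining:", result["after"])
```

The script matches duplicates by name only, which is what the firewall's validator objects to; if two entries with the same name differ in content, it silently keeps the first, so diff the cleaned file against the original and review the surviving entries before loading it.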


All Replies
Cyber Elite

It appears to me that the PANW FW may already have interfaces that exist

 

OR

 

The migration utility that you used created what would be duplicate entries within the XML.

 

If this is the issue, then you will need to carefully edit the XML and load in a clean config.

Welcome to Professional Services!

L2 Linker

Hi @SteveCantwell

 

Is it possible to remove duplicate entries from XML?

 

Can you share a KB article or guide to resolve it?

Thanks and Regards,
OK.
Cyber Elite

Hello,

Yes, you can change the XML, however be cautious as to what you are editing in/out. Did you use the import tool, Expedition? I always prefer to build my firewall from scratch so I become familiar with the new config and make sure I don't transfer any old policies/configs that are no longer valid. But I understand if it's a big config that is not possible. It does seem that the import is attempting to create new interfaces and it should not.

 

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

 

Regards,

L0 Member

Please help regarding Interface is showing invalid after migrating from cisco as a firewall walgreenslistens

