Interface is showing invalid after migrating from cisco asa firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Interface is showing invalid after migrating from cisco asa firewall

L2 Linker

Hi,

 

I have migrated the Cisco ASA firewall backup to PA NGFW.

After importing the backup, the validation error showing the interface is already in use.

 

OsamaKhan_0-1603287621399.png

 

can anybody, help me how to resolve this issue.

 

 

Thanks and Regards,
OK.
1 accepted solution

Accepted Solutions

Hello again.

 

I thought this group already explained, but let's try again.

 

Open the xml with an editor like Notepad++

 

Search for all instances of your interfaces

When you open the xml, you will probably find duplicate entries.

 

For the sake of example... I will only use ethernet1/1

 

<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<ip>
<entry name="172.26.0.1/16"/>
</ip>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>

 

The above if the config for ethernet1/1....

 

Having a single instance of Ethernet1/1 is correct.

 

But, if you look in your config.. you may have a 2nd instance

 

<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<ip>
<entry name="172.26.0.1/16"/>
</ip>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>

 

OR

 

You could have duplicate elsewhere.. like routing table:

 

<virtual-router>
<entry name="default">
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

 

<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

</interface>

 

Notice that I duplicated (for example my eth1/1 through eth1/3)

 

You just need to roll up your sleeves, and manually remove your duplicate interface configs, wherever they are, in your config.

 

 

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

It appears to me, that the the PANW FW may already have interfaces that exist

 

OR

 

The migration utility that you used created what would be duplicate entries within the XML.

 

If this is the issue, then you will need to carefully edit the XML and load in a clean config.

Welcome to Professional Services!  😛

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Hi @S.Cantwell

 

Is it possible to remove duplicate entries from XML?

 

Can you share KB article or guide to resolve it 

Thanks and Regards,
OK.

Hello,

Yes you can change the XML, however be cautious as to what you are editing in/out. Did you use the import tool, expedition? I always prefer to build my firewall from scratch so I become familiar with the new config and make sure I dont transfer any old policies/configs that are no longer valid. But I understand if its a big config that is not possible. It does seem that the import is attempting to create new interfaces and it should not.

 

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

 

Regards,

Hello again.

 

I thought this group already explained, but let's try again.

 

Open the xml with an editor like Notepad++

 

Search for all instances of your interfaces

When you open the xml, you will probably find duplicate entries.

 

For the sake of example... I will only use ethernet1/1

 

<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<ip>
<entry name="172.26.0.1/16"/>
</ip>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>

 

The above if the config for ethernet1/1....

 

Having a single instance of Ethernet1/1 is correct.

 

But, if you look in your config.. you may have a 2nd instance

 

<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<ip>
<entry name="172.26.0.1/16"/>
</ip>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>

 

OR

 

You could have duplicate elsewhere.. like routing table:

 

<virtual-router>
<entry name="default">
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

 

<member>ethernet1/1</member>
<member>ethernet1/2</member>
<member>ethernet1/3</member>

</interface>

 

Notice that I duplicated (for example my eth1/1 through eth1/3)

 

You just need to roll up your sleeves, and manually remove your duplicate interface configs, wherever they are, in your config.

 

 

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !
  • 1 accepted solution
  • 4596 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!