Failed migration to Panorama 10.1.3


L2 Linker

I had an issue recently when attempting to migrate a 3250 HA pair (10.0.8-h4) to Panorama 10.1.3. I was able to complete the push and commit; however, anything that uses a password or secret, such as an IKE Gateway pre-shared key, didn't work. The resultant outage was significant with over 100 IPSec VPNs configured, so I quickly reverted the 3250s to their original device state.

I suspected someone had set a new Master Key; however, that wasn't the case. I then compared the encrypted values for passwords and pre-shared keys between the firewalls and Panorama, and they were indeed different. I know Panorama 10.1.3 doesn't support firewalls running 10.1.0 - 10.1.2 (Panorama Admin Guide); however, I can't find official word that 10.0.X isn't supported either.

Downgrading isn't really an option as 10.0 becomes end of life in July this year, so the next step is trying the process again with an eval VM running 10.0.8-h4 loaded with very similar config to the 3250s and seeing if the same result occurs. Following on from that, I will upgrade Panorama and the VM to 10.1.5-h1 to see if the issue is resolved.

I have another 15 x 440s on satellite links to migrate, so I need to make sure the process is error free.
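The comparison described above, as an added example that is not part of the original post: a script that collects encrypted values from two PAN-OS XML config exports (PAN-OS prefixes master-key-encrypted values with `-AQ==`) and reports where the firewall and Panorama copies disagree, which is the pre-push check that would have flagged this mismatch. The XML layout and the values are constructed; the element paths are an assumption, not taken from a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not real configs). The element layout is a
# simplified assumption of a PAN-OS config; only the encrypted values matter.
FIREWALL_XML = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="gw-siteA"><authentication><pre-shared-key>
    <key>-AQ==CONSTRUCTED_FW_VALUE_A</key></pre-shared-key></authentication></entry>
  <entry name="gw-siteB"><authentication><pre-shared-key>
    <key>-AQ==CONSTRUCTED_FW_VALUE_B</key></pre-shared-key></authentication></entry>
</gateway></ike></network></entry></devices></config>
"""
# Same config as Panorama re-encrypted it: gw-siteB's key no longer matches.
PANORAMA_XML = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="gw-siteA"><authentication><pre-shared-key>
    <key>-AQ==CONSTRUCTED_FW_VALUE_A</key></pre-shared-key></authentication></entry>
  <entry name="gw-siteB"><authentication><pre-shared-key>
    <key>-AQ==CONSTRUCTED_PANO_VALUE_B</key></pre-shared-key></authentication></entry>
</gateway></ike></network></entry></devices></config>
"""

ENC_PREFIX = "-AQ=="  # PAN-OS marker for a master-key-encrypted value


def collect_secrets(xml_text):
    """Map each encrypted value to its path, e.g. .../entry[gw-siteB]/.../key."""
    found = {}

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
        if elem.text and elem.text.strip().startswith(ENC_PREFIX):
            found[here] = elem.text.strip()
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text.strip()), "")
    return found


def compare_secrets(fw_xml, pano_xml):
    """Return secrets that differ, or are absent, on the Panorama side."""
    fw, pano = collect_secrets(fw_xml), collect_secrets(pano_xml)
    return {
        "mismatched": sorted(p for p in fw if p in pano and fw[p] != pano[p]),
        "missing_in_panorama": sorted(p for p in fw if p not in pano),
    }


if __name__ == "__main__":
    for kind, paths in compare_secrets(FIREWALL_XML, PANORAMA_XML).items():
        print(kind, paths)
```

A non-empty `mismatched` list before the push means Panorama encrypted those secrets under a different master key than the firewall, so the pushed config would not authenticate.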


L2 Linker

After building a VM-based lab and recreating the process, I have discovered the root cause. Panorama 10.1.3+ has a new feature to support unique Master Keys for firewalls, Panorama, Log Collectors, etc., and during device config import into Panorama there is a field to enter a Master Key. This field is not documented in the 10.1 Panorama administrator guide at the time of writing this.

As a Master Key was never set, I naturally left this field blank during the import, which was the cause: Panorama no longer uses the well-known default Master Key, and therefore when pushing back to the firewall, passwords and pre-shared keys won't match.

The fix is to enter the well-known default Master Key when importing device config from firewalls where a Master Key has never been set. This ensures password and pre-shared key encryption strings are identical when pushing config back to the firewalls during the 'transition to Panorama' process.


Hope this helps someone else!

This helped me huge. Ran into the same issue last night. In addition to passwords it also affected private keys of certificates.

L2 Linker

Hey @Jon_Woloshyn, thanks for letting me know that it helped you out.

Hi Benlewis, I have a similar issue just now, when trying to migrate the config from a production 5250 to a new 5450. It is not clear, though, what the default Master Key would be. Should I configure a MK on the existing 5250s (HA pair) before exporting the config (the XML to be imported on the new 5450s)?


George
