Migration Guidelines and Limitations for VPN Configuration

Keep the following in mind when you migrate a device with VPN configuration.

Migration Support for Remote Access VPN Policy

As part of the migration process, CDO imports all the settings of a remote access VPN policy except for the following:

  • Object overrides.

    If overrides are used in the address pool object, you must manually add them to the imported object using CDO, after migration. See Object Overrides.

  • Local users.

    If the authentication server is configured to a local database for user authentication, the associated local realm object is imported into CDO. However, you must manually add the local users to the imported local realm object using CDO, after migration. See Create a Realm and Realm Directory.

  • Remote Access VPN load-balancing configuration.

  • Remote Access VPN certificate enrollment with domain configuration.

    Perform the following after migration to enroll the certificate with domain configuration:

    1. In CDO, choose Inventory > FTD.

    2. Select the migrated FTD and in the Device Management on the right, click Device Overview.

    3. Choose Devices > Certificates.

      Perform one of the following tasks:

      • If the certificates are imported in an Error state, click the Refresh certificate status icon to synchronize the certificate status with the device. The certificate status turns green.

      • If the certificates are not imported, you must manually add the certificates defined in the Remote Access VPN policy that is configured in the management center.

Migration Support for Site-to-Site VPN Policy

After you've selected a threat defense device with a site-to-site VPN configuration, CDO will automatically select all its peers from different topologies. This is because devices in the site-to-site VPN topology must be migrated together to ensure a migration to succeed.

Note

Although the migration wizard doesn't list the extranet devices that are associated with them, they will still be included automatically during the migration process.

CDO imports all the settings of a site-to-site VPN policy except for the following:

  • If object overrides are used in the network object, you must manually add them to the imported object using CDO, after migration. See Object Overrides.

  • If the authentication type is configured as "Preshared Automatic Key" in the on-prem management center, CDO defines a new pre-shared key for the VPN postmigration deployment. The updated pre-shared key does not break existing tunnels, and the new tunnels start using the new pre-shared key.

  • When the devices are moved to CDO, and the changes have yet to be committed, the site-to-site VPN policy that is associated with those devices can be edited using the on-prem management center, however, it doesn't update the device configuration in CDO.

  • If devices are configured for SASE tunnels on Cisco Umbrella, refrain from migrating such devices.