Migration Guidelines and Limitations for VPN Configuration

Keep the following in mind when you migrate a device with VPN configuration.

Migration Support for Remote Access VPN Policy

Security Cloud Control imports all remote access VPN policy settings, with the following exceptions:

  • Object overrides.

    If overrides are used in the address pool object, you must manually add them to the imported object using Security Cloud Control, after migration. See Object Overrides.

  • Local users.

    If the authentication server is configured to use a local database for user authentication, the associated local realm object is imported into Security Cloud Control. However, the local users themselves are not imported: you must manually add them to the imported local realm object using Security Cloud Control, after migration. See Create a Realm and Realm Directory.

  • Remote Access VPN load-balancing configuration.

  • Remote Access VPN certificate enrollment with domain configuration.

    Perform the following after migration to enroll the certificate with domain configuration:

    1. In Security Cloud Control, click Security Devices.

    2. Select the migrated FTD and, under Device Management on the right, click Device Overview.

    3. Choose Devices > Certificates.

      Perform one of the following tasks:

      • If the certificates are imported in an Error state, click the Refresh certificate status icon to synchronize the certificate status with the device. The certificate status turns green.

      • If the certificates are not imported, you must manually add the certificates defined in the Remote Access VPN policy that is configured in the management center.

Migration Support for Site-to-Site VPN Policy

After you select a threat defense device with a site-to-site VPN configuration, Security Cloud Control automatically selects all of its peers across the different topologies. This is because the devices in a site-to-site VPN topology must be migrated together for the migration to succeed.

Note

Although the migration wizard doesn't list the extranet devices that are associated with the selected devices, those extranet devices are still included automatically during the migration process.

Security Cloud Control imports all the settings of a site-to-site VPN policy, with the following exceptions:

  • If object overrides are used in the network object, you must manually add them to the imported object using Security Cloud Control, after migration. See Object Overrides.

  • If the authentication type is configured as "Preshared Automatic Key" in the on-premises management center, Security Cloud Control defines a new pre-shared key for the post-migration VPN deployment. The updated pre-shared key does not break existing tunnels; new tunnels start using the new pre-shared key.

  • When the devices have been moved to Security Cloud Control but the changes have not yet been committed, the site-to-site VPN policy associated with those devices can still be edited in the on-premises management center. However, such edits do not update the device configuration in Security Cloud Control.

  • If devices are configured for SASE tunnels on Cisco Umbrella, refrain from migrating such devices.