Troubleshooting Migration Issues

Troubleshooting for the Secure Firewall Migration Tool

A migration typically fails during the ASA configuration file upload or during the push of the migrated configuration to management center.

Some of the common scenarios where the migration process fails are:

  • Unknown or invalid characters in the ASA configuration file

  • Incomplete or missing elements in the ASA configuration file

  • Loss of network connectivity or latency

Secure Firewall Migration Tool Support Bundle

The Secure Firewall migration tool provides the option to download a support bundle to extract valuable troubleshooting information like log files, DB, and configuration files. Perform the following:

  1. On the Complete Migration screen, click the Support button.

    The Help support page appears.

  2. Check the Support Bundle check box and then select the configuration files to download.


    Note
    The Log and dB files are selected for download by default.

  3. Click Download.

    The support bundle file is downloaded as a .zip to your local path. Extract the Zip folder to view the log files, DB, and the Configuration files.

  4. Click Email us to email the failure details for the technical team.

    You can also attach the downloaded support files to your email.

  5. Click Visit TAC page to create a TAC case in the Cisco support page.


    Note
    You can open a TAC case at any time during the migration from the support page.

Logs and Other Files Used for Troubleshooting

You can find information that is useful for identifying and troubleshooting issues in the following files.

File Location

Log file

<migration_tool_folder>\logs

Pre-migration report

<migration_tool_folder>\resources

Post-migration report

<migration_tool_folder>\resources

unparsed file

<migration_tool_folder>\resources

telemetry_sessionid_timestamp.json

<migration_tool_folder>\resources\telemetry_data

Troubleshooting ASA File Upload Failures

If your ASA configuration file fails to upload, the reason is typically because the Secure Firewall migration tool could not parse one or more lines in the file.

You can find information about the errors that caused the upload and parsing failure in the following locations:

  • Error message displayed by the Secure Firewall migration tool—Provides a high-level summary of what caused the failure.

  • Log file—Search on the word "error" to view the reason for the failure.

Troubleshooting Example for ASA: Cannot Find Member of Object Group

In this example, the ASA configuration file upload and parsing that is failed because the parser could not find one of the members of an object group.

Procedure

Step 1

Review the error messages to identify the problem.

This failure generated the following error messages:

Location Error Message

Migration Tool message

N/A

Configuration Lines with Errors section of the pre-migration report

Line#2[ERROR] group-object GROUP1

Line#3[ERROR] group-object GROUP2

Line#1[ERROR] object-group network NOV-SERVERS

Log file

[INFO | object_group_mode.py:9491 > Parsing object-group network: [NOV-SERVERS]

[ERROR | object_group_mode.py:1048 ] [GROUP1] group not found when creating object-group network [NOV-SERVERS]

[ERROR | object_group_mode.py:1049 ] no row was found for one()

[ERROR | object_group_mode.py:1048 ] [GROUP2] group not found when creating object-group network [NOV-SERVERS]

[ERROR | object_group_mode.py:1049 ] no row was found for one()

Step 2

Open the ASA configuration file and do the following:

  1. Search for the object group by name: NOV-SERVERS

    The ASA configuration file shows the following lines for NOV-SERVERS:

    object-group network NOV-SERVERS
   group-object GROUP1
   group-object GROUP2

  2. Search for each member of the group to identify which member is not included in the ASA configuration file.

Step 3

To resolve the error, do the following using ASDM on the source ASA device:

  1. Create the missing member for the object group.

  2. Export the configuration file.

Step 4

If there are no more errors, upload the new ASA configuration file to the Secure Firewall migration tool and continue with the migration.

Troubleshooting Example for ASA: List Index Out of Range

In this example, the ASA configuration file upload and parsing that is failed because of an error in the configuration of an element that the Secure Firewall migration tool does not support.

Procedure

Step 1

Review the error messages to identify the problem.

This failure generated the following error messages:

Location Error Message

Migration Tool message

list index out of range

Configuration Lines with Errors section of the pre-migration report

N/A

Log file

[ERROR | asa_config_upload.py:119] > list index out of range

Step 2

Open the unparsed file and scroll to the bottom to identify the last line of the ASA configuration file that was successfully parsed.

In this example, the last line in the unparsed file is the following:

Line#345 [SKIPPED] address 209.165.200.224 255.255.255.224

Step 3

Open the ASA configuration file and do the following:

  1. Search for address 209.165.200.224 255.255.255.224

    The line that follows this one contains the configuration element that caused the issue.

  2. Review the line to determine what is causing the migration to fail.

    In this example, the line where the Secure Firewall migration tool had stopped parsing is name www.example.s3.amazonaws.com. This is the line in the ASA configuration file that is directly after the last line in the unparsed file. If you cannot identify the issue with this line, we recommend that you review the Known Issues section in the Release Notes for the Secure Firewall Migration Tool to see if you have encountered one of the known issues in the release.