Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Conifg That isn't going from 8.4(7) to 9.1(1)


Been pasting config from old 5520 - 8.4(7) to 5545 - 9.1(1) and some commands are not takinf. Could anyone give me some insight as to why? There  are more but I thought I would start with these.

Thank you


crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 subject-name CN=FRD-INT-FW1
 keypair ECA
 crl configure
(ERROR: Keypair ECA doesn't exist.)


crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
(ERROR: Unable to configure IKEv1 on interface 'outside' as ipsec-over-tcp is enabled on port 10000, which is currently in use by another service. Please choose a different port for ipsec-over-tcp.
FRD-INT-FW1(config)# crypto ikev1 ipsec-over-tcp port 10000
ERROR: Port 10000 is already in use on the 'outside' interface and will not be added.  Please choose a different port for ipsec-over-tcp.)


ssh key-exchange group dh-group1-sha1
(ERROR: % Invalid Hostname)


ssl trust-point ASDM_TrustPoint9 outside
(ERROR: Trustpoint not enrolled.  Please enroll trustpoint and try again.)


csd image disk0:/csd_3.6.6249-k9.pkg
 csd hostscan image disk0:/hostscan_3.1.04075-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect profiles skill disk0:/skill.xml
 anyconnect profiles skill_nam disk0:/skill_nam.nsp
(Must supply disk locations in flash)


port-forward TCR 3389 3389
(INFO: Local TCP Port <3389> is already in use.)



Thanks, Pat








The RSA keypairs aren't

The RSA keypairs aren't stored in the main configuration; they are kept in private NVRAM storage.  So prior to pasting a chunk of configuration involving a trustpoint, you need to do an export/import operation on it:

E.g. for certificates on the old 5520:

crypto ca export ASDM_TrustPoint5 pkcs12 YourSymmPassword

Copy the block of text.

On the new 5545-x, run

crypto ca import ASDM_TrustPoint5 pkcs12 YourSymmPassword

and paste the block, then enter quit.


I'm not sure what the IKE1 problem is; when I went from 8.2 to 9.0 I mostly switched to IKE2, and didn't get that.  Does show run | include 10000 exhibit anything camping out there?


-- Jim Leinweber, WI State Lab of Hygiene

Community Member

Thanks Jim Output: crypto

Thanks Jim




crypto ikev1 ipsec-over-tcp port 10000



This one is stumping me;

This one is stumping me; 10000 is the default port, and it's not supposed to be enabled unless you use this command.   Was the output from the old 5520 or the new 5545?  In this case we're primarily interested in the 5545, I think?

I don't have this in my configuration, which has both IKEv1 and IKEv2 enabled on the outside interface for assorted IPsec tunnels.  However, I re-created my 9.0 crypto configuration from scratch using the ASDM wizards, except for imported trustpoints, rather than trying to migrate it.  Are you actually using IPsec over TCP (protocol 6), rather than IPsec over ESP (protocol 50)?  The former is common with NAT VPN clients, while the latter is more common with lan-to-lan tunnels.

Community Member

Also, Jim - my 5520 doesn't



Jim - my 5520 doesn't seem to have the command "crypto ca export".


I get:

Firewall# crypto ca ?

    server   Local Certificate Server commands



Surprisingly, "export" is a

Surprisingly, "export" is a config-mode command.  It was introduced around 7.0, so you really should have it.


Hall of Fame Super Silver

As Jim notes, it's a config

As Jim notes, it's a config mode command. Your output shows you're in enable mode. Type "conf t" then retry. :)

CreatePlease to create content