topic Re: FTD HA pair - interface changes detected after failover in Network Security

FTD HA pair - interface changes detected after failover

plwalsh — Fri, 21 Jul 2023 11:03:32 GMT

Hi,

I upgraded FMCv from 6.6.5 to 7.2.4. A few days later, my active-standby HA pair of FTD 6.6.5 devices failed over during resilience testing. FMC gave a health monitor alert about interface changes detected. In the Interface config screen for the HA pair, I have a notice stating:
'Interface configuration has changed on device. Click to know more'

Clicking takes me to an Interface Changes screen with a Validate Changes option. Validating gives:
'Changes validated successfully.
Close this window and click Save.'

I'm nervous about making changes to the Device policy when I did not make any changes. Can anyone advise if this behaviour is seen after failover? Is it safe to Save the Device policy and Deploy or should I do something else (e.g. Sync Device)?

Regards,
Piaras

Re: FTD HA pair - interface changes detected after failover

Jonatan Jonasson — Fri, 21 Jul 2023 21:48:22 GMT

Are you by any chance managing 1000 or 2100 series FTD appliances?
I'm wondering since you were upgrading from pre 6.7, if it's possible you might be hitting bug CSCwa29956 ?
Could be if you can't clear the health alert.
(The workaround is "Contact TAC")

It's supposed to be fixed in 7.2.0, but sometimes bug resurface.

Re: FTD HA pair - interface changes detected after failover

Marius Gunnerud — Sat, 22 Jul 2023 16:48:48 GMT

I also see this message from time to time, and also see it on FMC / FTD running 7.2.4. The interfaces the message refers in my case are unused interfaces. No changes have actually been made to them and when checking the audit logs it shows that the culprit is the "system" user. I have not yet opened a TAC for this as it is purely cosmetic, but my best guess is that the FMC does some checks and through the process of these checks these messages appear.

If the error is worrying you then I would suggest opening a TAC case as this most likely will require changes to a database or two. But all in all, it is a cosmetic warning message, which arguably should not be there, and is safe to ignore so long as the interfaces being referred to are not in use.

Re: FTD HA pair - interface changes detected after failover

plwalsh — Mon, 24 Jul 2023 15:47:45 GMT

Hi Jonatan.

I am managing 2100 devices and port-channels are configured on them. Port-channels configured on the device is one of the conditions for bug CSCwa29956. I think a TAC call is warranted. Thank you for your reply.

Regards,
Piaras

Re: FTD HA pair - interface changes detected after failover

plwalsh — Wed, 02 Aug 2023 13:59:09 GMT

Thank you for your reply Marius.

I failed back my 6.6.5 FTD HA pair and again FMC 7.2.4 alerted to say device interfaces have changed, but there have been no changes. I think you are probably correct that this is a cosmetic bug but I am nervous to save the device policy in case it sets a 10GE etherchannel to 1GE or something else unexpected. I was surprised to see 7.2.4.1 that wa released last week, has so many bug fixes in it. Very odd considering 7.2 has been available for 2 years. I have opened a TAC case but no response yet as my issue is not urgent. I will update this topic once I hear from TAC.

Re: FTD HA pair - interface changes detected after failover

dmitrykalinsky — Tue, 05 Sep 2023 21:25:12 GMT

Have you heard anything from TAC? Is it just a cosmetic or impacts devices after you deploy changes?

Re: FTD HA pair - interface changes detected after failover

plwalsh — Wed, 06 Sep 2023 12:05:54 GMT

Yes, I did. The bug seemed to be cosmetic - the interfaces had not changed. TAC had me:

1) From the FTD interface menu, select Sync Device, confirm and Save changes and deploy

2) enter the FMC CLI and use OmniQuery.pl to identify the UUID of the amber interface alerts

3) delete any amber interface alerts identifed in 2) using OmniQuery.pl

The above steps cleared my amber interface alerts. Check with TAC if you have the same issue.

I see 7.2.5 is now the recommended software. Maybe it fixes this bug/behaviour.

Re: FTD HA pair - interface changes detected after failover

dmitrykalinsky — Fri, 08 Sep 2023 14:34:54 GMT

Hit the same bug on FMC7.2.4 and FPR2140 7.0.1 with two SFP ports in a port-channel.

The warning message was fixed by Cisco TAC using OmniQuery.pl (see the message from plwalsh) and the "Interface configuration has changed on device" message was cleared by saving changes and deploying the config during off business hours. I didn't see a single drop.

Here is the change log after saving config on the Device>Interface page:

Looks like FMC thought that the speed was 1000 and then discovered 10G from the device and wanted to save and implement the change.