Re: CSCve66879 - FMC 6.2 - Unassigning flexconfig that uses a route-map submits a change to remove t...

dcpolgar1 · ‎06-12-2018

I have been dealing with this error for the last 2 weeks. The policy will update just fine with the PBR flexconfig and then the next time a deployment takes place I get this error even if I didn't touch the flexconfig option. I have spent close to 20 hours with TAC regarding this and I hope they get this issue resolved soon. Very frustrating !

belgarioz · ‎07-30-2018

It seems 6.2.3.3 is affected too

belgarioz · ‎07-30-2018

Anyway, there is a system defined flex config called "policy_based_routing_clear" that goes on Prepend and it should clear all the PBR set up.
I just added it to my flexconfig to clear the PBR.

This for 6.2.2.3

dcpolgar1 · ‎07-30-2018

Thanks for the information. After working with TAC on this we do have a current workaround until this issue gets fixed. I just have to go into the Flexconfig option and delete the PBR out of the selected append Flexconfig and save it. I then re-add it and save it and then select view to make sure the command will be re-added and deploy it. This has worked so far. I just have to make sure I do this anytime there is a deployment. It is a pain but at least we can work with it until this issue gets fixed. I guess the issue is supposed to be resolved in the 6.3.0 release whenever that comes out. Cisco didn't have any eta last time I talked to them.

belgarioz · ‎07-30-2018

Don't you have the "Policy_Base_Routing_Clear" option?

Check attachment

dcpolgar1 · ‎07-30-2018

I do have it. I can use that as well if I want. Either option will do the same thing. The one difference is if I add the policy-based-routing-clear I will have to deploy 2 times instead of just once. I will have to deploy it to have that clear option remove the PBR and then deploy again when re-adding it. By just removing the PBR saving it. The re-adding it the PBR adds the next hop back in because that is what gets blown away.The deployment feature is another one I hope they fix waiting 8 minutes for the deployment to finish to make one minor change is ridiculous. Hopefully that will be another issue they address moving forward as well.

belgarioz · ‎07-30-2018

Don't tell me: my deployement is 10 minutes :)
I have one doubt: since policy-based-routing-clear is in prepend, it is supposed to run before all the others flex configs. So you cann add it in prepend and then add the PBRs you want in the Append section.
They should work with one deploy.
I haven't checked since I can't afford a 20 minutes deployement in case I am wrong :)

dcpolgar1 · ‎07-30-2018

Wow, 10 minutes, now I don't feel so bad :). I did try the prepend when we working working on the issue last month and the PBR got removed but it didn't get added back in which made it more frustrating. That was with 6.2.1 though so maybe they have fixed that part of it. But like I said I know what I am doing at this time only requires one deployment which saves me time and less aggravation. Try it my way once and see if that works for you all I know is they haven't fixed the prepend issue that will be 20 minutes for you instead of 10. Let me know.

Ahmed Shalaby · ‎08-02-2018

hello,

i assume that you configured your PBR by setting the nex-hop ip in route-map creation in section set clauses

but i'm confused how to monitor the PBR policy if the link is down to move traffic to the second link just like SLA , how can i achieve this ?

Ahmed Shalaby · ‎08-02-2018

hello,

I assume that you configured your PBR by setting the next-hop IP in route-map creation in section set clauses

but I'm confused how to monitor the PBR policy if the link is down to move traffic to the second link just like SLA, how can I achieve this?

dcpolgar1 · ‎08-02-2018

I am assuming you have a HA pair? We use our PBR for out Guest network. We had to setup a second ip address under the monitored interfaces in the HA tab on the devices in FTD. Once we did that we did a failover to the secondary device and then went into the CLI and typed in show route-map. That will show you if the next hop and PBR are working. Hope this helps

show route-map
route-map FTD_Guest_Wireless, permit, sequence 10
Match clauses:
ip address (access-lists): Guest_WiFi_PBR1
interface Guest_Portal

Set clauses:
ip next-hop XXX.XXX.XXX.X

Ahmed Shalaby · ‎08-02-2018

i do have HA working as Active/Standby , but i'm talking about links to ISPs
now i have 2 ISPs links X and Y according to PBR Policy guest network will access internet through link X
what if this link became down withthe ISP
i need them to move to use ISP Y

dcpolgar1 · ‎08-02-2018

When are PBR goes down all the Guest traffic then gets routed through the production network ISP automatically. I am not sure how you have your system setup. I would open a TAC case for assistance if the failover isn't working correctly.

Ahmed Shalaby · ‎08-02-2018

yes that's exactly what i need, but my question is how PBR goes down how it's marked as down, how to configure the monitoring mechanism

Ahmed Shalaby · ‎08-29-2018

Hello,

I've successfully configured PBR with tracking using flexconfig,

this video demonstrates the configuration

https://www.youtube.com/watch?v=MKcSBTJ55e8&t=18s

CSCve66879 - FMC 6.2 - Unassigning flexconfig that uses a route-map submits a change to remove the route-map