07-02-2018 06:02 AM - edited 03-20-2019 10:16 PM
This is a nice annoying bug! It says it is fixed but I don't see where a new release has been pushed on 7/2 either on CCO or through the FMC updates window. Any idea what build number this is fixed in?
07-10-2018 10:22 AM
It was resolved in 6.2.3.2 Build 46. The issue was, 6.2.3.2 Build 42 had this bug. You need to contact TAC for a workaround as you cannot install Build 46 over Build 42. Cisco pulled 6.2.3.2 Build 42 from their site.
07-10-2018 10:24 AM
Unfortunately the workaround didn't work for me. At this point I either need to uninstall back to 6.3 and then reinstall with -88 or wait until 6.3.3 comes out.
07-10-2018 10:29 AM
What was the workaround? I'm still waiting for TAC to get back to me. I have two FMCs; one has the issue, the other doesn't.
07-10-2018 10:32 AM
It's a bit of code you have to overwrite on your FMC and then a process or 2.
07-10-2018 10:51 AM
I figured it would not be a straightforward process that could be accomplished with a hot fix or the like. It seems that the initial 6.2.3 build 88 had the issue, as the release notes state that any device that ran that build would have this issue, but that is not the case. That same build was installed on two different FMCs and only one has an issue. Cisco fixed the issue with the 6.2.3 build 92 release. So why they list that issue as resolved in 6.2.3 Build 46 is odd. If that build resolved it, why offer a new build of 6.2.3.0?
I guess we might have to wait for 6.2.3.3 or 6.2.4.0 to be released.
07-10-2018 10:53 AM
Honestly don't know why I didn't think of this before but I'm trying to restore my FMC from backup to prior to when the update was performed, then I'll just tell it to fetch and install the later version.
07-10-2018 10:56 AM
Yes, that would work since Cisco has pulled the build that has the issue.
07-10-2018 11:44 AM
Have you only upgraded the FMC or any of the IPS devices as well? If the devices have been updated, you might run into issues. The FMC needs to be the same or higher than the devices. If you read the uninstall instructions for a patch, they say you need to remove the patch from the devices first (which can't be done via the GUI) before you do the FMC. If you have a cluster or HA setup, it is more complicated.
So restoring the FMC to a lower version when there are devices running the higher code can be an issue. Even the install guide says the FMC must be done first.
07-10-2018 11:49 AM
So luckily the only device I've updated is the one on our redundant link, so my plan is to go shut the device down until I get the FMC back up and then re-update.
07-10-2018 12:05 PM
That would work as well. I have two devices updated but not completely sure I want to go down that path. Right now the error isn't actually causing an issue for where these two IPS units are at. It would be nice to resolve it, but wiping the FMC, putting the previous code on and restoring it probably is not worth the risk.
Good luck in what you need to do.
07-10-2018 12:10 PM
Understandable, I'll let you know how this goes.
07-10-2018 12:50 PM
To add more complexity to this issue: even if you decided to wipe the box and start with 6.2.3 from scratch, that image is build 83, whereas the release notes state that the SSEconnector issue was resolved in build 92, which they released on July 5th.
From the 6.2.3.x release notes:
If a Firepower Management Center ever ran Version 6.2.3-88 and you upgraded to Version 6.2.3.1 or Version 6.2.3.2, the SSE cloud connection incorrectly dropped and telemetry could not send data. This caveat is resolved in Version 6.2.3-92.
They list that under resolved caveats for 6.2.3.1 and 6.2.3.2. The bug states that the issue was resolved in 6.2.3.2, which cannot be the case since they actually resolved it via a new base build. Now you wonder what was fixed between build 83 and 88.
Here is the restore ISO:
07-11-2018 05:31 AM
Ok my work seems to have worked. I now have my vFMC back to 6.2.3 without errors and everything is talking fine. Going to update to 6.2.3.2-46 now, will make sure to take a snapshot of it first this time. ;)
07-11-2018 06:44 AM
Good luck.
Apparently what Cisco did was update the base image and then also updated the two patches with the fix. This way the majority could patch this; if you were not running patch 2, installing it fixes this issue. If you were running the previous base image, upgrading to either patch would fix the issue as well. The people that didn't get the easy path.....the people already running the unfixed patch 2.