Deploy Policy failure on Virtual Firesight Defence Center 6.1

gilangintan20
Level 1

7 Replies

Pujita Patni
Cisco Employee

Hi,

Can you provide a screenshot of the License page here? I am curious to see what the licenses come up as. Does the deploy fail instantly or run for a while? What is the error message that it fails with?

Thanks,

Pujita Patni

Hi Pujita,

Thanks for reply,

Attached is a screenshot of the licenses page.

I have checked the log while applying the policy with "tail -200f action_queue.log":

Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: Remote heartbeat task processing failed on 192.168.43.130: Appliance is set to ignore, ignore heartbeat from 219f83ea-21f8-11e7-862b-ab2c744b6f3c at /usr/local/sf/lib/perl/5.10.1/SF/Synchronize/VerticalSync.pm line 446.
Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: END TASK || 060ff854-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 1
Jul 22 13:25:00 firepower ActionQueueScrape.pl[7976]: START TASK || 29f42358-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 0
Jul 22 13:25:01 firepower ActionQueueScrape.pl[7976]: DBD::mysql::st execute failed: Table 'sfsnort.rna_vdb_version' doesn't exist at /usr/local/sf/lib/perl/5.10.1/SF/RNA/Vulnerabilities.pm line 1068.

Do you know the meaning of these logs?

Also attached is a screenshot from the GUI when applying the policy; the progress is stuck at 15%.

Do you know what happened? Please help :((

Hello gilangintan20,

I have reviewed the screenshot and the licenses are there for the single Firepower sensor.

The policy deployment failure can happen due to multiple reasons such as connectivity between the FMC, communication channel issues, or an RPC timeout. Another possibility is that if snort is down, the policy apply can also fail. To verify this we need the troubleshoot file.

Could you please open a TAC case so that you can update the troubleshoot file and they can investigate it accordingly.

Regards

JETSY 

Jetsy Mathew
Cisco Employee

Hello,

First of all, verify the connectivity between the FMC and the NGIPS that you have. If the connectivity is fine, then please verify that you have at minimum a Protection and Control license to manage the NGIPS. Each NGIPS needs its own Protection and Control license to manage the access control policies. Check the System > Licenses page in the FMC GUI to confirm whether you have enough licenses or not. If you are planning to use URL category based rules, then you should get the URL license as well.

If the devices have licenses, then check the error that you are getting when the policy apply fails.

You can check the following logs in the NGIPS via ssh to verify the error.

Log in to the NGIPS box as the admin user and check the following outputs:

admin@123# pmtool status | grep -i down

The above command will let you know if any services are down.

admin@123# cd /var/log/

admin@123# tail -200f action_queue.log

After applying the policies, check these logs to verify the deployment errors.

This will give you an idea about the error messages.

You can also check the /var/log/messages to verify the communication issues.

Let me know if you have any questions.

Rate if this answer helps.

Regards

Jetsy 

Hi Jetsy,

Thanks for the reply. I have checked the FMC and NGIPS connections and they are both connected.

No results are shown from "grep -i down".

The results of "tail -200f action_queue.log":

Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: Remote heartbeat task processing failed on 192.168.43.130: Appliance is set to ignore, ignore heartbeat from 219f83ea-21f8-11e7-862b-ab2c744b6f3c at /usr/local/sf/lib/perl/5.10.1/SF/Synchronize/VerticalSync.pm line 446.
Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: END TASK || 060ff854-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 1
Jul 22 13:25:00 firepower ActionQueueScrape.pl[7976]: START TASK || 29f42358-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 0
Jul 22 13:25:01 firepower ActionQueueScrape.pl[7976]: DBD::mysql::st execute failed: Table 'sfsnort.rna_vdb_version' doesn't exist at /usr/local/sf/lib/perl/5.10.1/SF/RNA/Vulnerabilities.pm line 1068.

Do you know the meaning of these logs?

Also attached is a capture when deploying the policy; the progress is stuck at 15%.

Please help me :(
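As an added example (not code from this thread or from Cisco), a small Python parser over action_queue.log lines in the layout visible in the excerpt above: it groups START/END TASK markers by task UUID and attaches error lines such as the heartbeat failure and the missing rna_vdb_version table to the task the same worker PID had in flight. The line layout, the meaning of the trailing status digit and the pid 8001 task are assumptions labelled in the code.

```python
import re
from collections import defaultdict

# Input: the four action_queue.log lines quoted in this thread, plus a constructed
# START/END pair (pid 8001, made-up UUID) for a task that finished without errors.
SAMPLE_LOG = """\
Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: Remote heartbeat task processing failed on 192.168.43.130: Appliance is set to ignore, ignore heartbeat from 219f83ea-21f8-11e7-862b-ab2c744b6f3c at /usr/local/sf/lib/perl/5.10.1/SF/Synchronize/VerticalSync.pm line 446.
Jul 22 13:24:01 firepower ActionQueueScrape.pl[7896]: END TASK || 060ff854-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 1
Jul 22 13:25:00 firepower ActionQueueScrape.pl[7976]: START TASK || 29f42358-6ee1-11e7-a63e-547fb0f5facf || Synchronize with UM || Sending Update || 0
Jul 22 13:25:01 firepower ActionQueueScrape.pl[7976]: DBD::mysql::st execute failed: Table 'sfsnort.rna_vdb_version' doesn't exist at /usr/local/sf/lib/perl/5.10.1/SF/RNA/Vulnerabilities.pm line 1068.
Jul 22 13:26:00 firepower ActionQueueScrape.pl[8001]: START TASK || 00000000-0000-0000-0000-000000000001 || Synchronize with UM || Sending Update || 0
Jul 22 13:26:02 firepower ActionQueueScrape.pl[8001]: END TASK || 00000000-0000-0000-0000-000000000001 || Synchronize with UM || Sending Update || 0
"""
# Line layout assumed from the excerpt: "<Mon dd HH:MM:SS> <host> <script>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ [^\[]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Task markers: "START|END TASK || <uuid> || <task name> || <stage> || <status digit>"
TASK_RE = re.compile(r"^(?P<event>START|END) TASK \|\| (?P<task_id>[0-9a-f-]+) \|\| (?P<name>.+?) \|\| (?P<stage>.+?) \|\| (?P<status>\d+)$")
ERROR_RE = re.compile(r"\bfailed\b|doesn't exist", re.IGNORECASE)

def summarize(log_text):
    """Group lines into tasks keyed by UUID. Error lines carry no task id, so each one is
    attributed to the task the same worker PID has in flight (or finishes next)."""
    tasks, pending = {}, defaultdict(list)      # pending: error messages per pid
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                            # not an ActionQueueScrape.pl line
        pid, msg = m["pid"], m["msg"]
        t = TASK_RE.match(msg)
        if t is None:
            if ERROR_RE.search(msg):
                pending[pid].append(msg)
            continue
        rec = tasks.setdefault(t["task_id"], {"name": t["name"], "stage": t["stage"], "pid": pid,
                               "started": None, "ended": None, "end_status": None, "errors": []})
        if t["event"] == "START":
            rec["started"], pending[pid] = m["ts"], []   # drop stray errors logged between tasks
        else:
            rec["ended"], rec["end_status"] = m["ts"], t["status"]  # status digit kept as logged
            rec["errors"].extend(pending.pop(pid, []))
    for rec in tasks.values():                  # no END TASK seen: worker still running or died
        if rec["ended"] is None:
            rec["errors"].extend(pending.pop(rec["pid"], []))
    return tasks

def tasks_with_errors(tasks):
    """Task ids to look at first: any attached error, or an END status other than the 0
    that the clean START lines in the excerpt carry (assumed here to mean failure)."""
    return sorted(t for t, r in tasks.items() if r["errors"] or r["end_status"] not in (None, "0"))
```

On a sensor, feed the output of `tail -200 /var/log/action_queue.log` to summarize() and print the entries returned by tasks_with_errors() to see which deployment tasks never reached END TASK or ended with errors.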

Hello gilangintan20,

The logs look like there is a heartbeat error, which will occur due to communication channel issues.

Log in to the Firepower CLI, elevate to the root user and perform the following commands.

 

root@224:~# manage_procs.pl

****************  Configuration Utility  **************

1   Reconfigure Correlator
2   Reconfigure and flush Correlator
3   Restart Comm. channel
4   Update routes
5   Reset all routes
6   Validate Network
0   Exit

*************************************************************
Enter choice:

At the "Enter choice" prompt above, enter the options in order starting from 6, then 5, 4, 3, 2; to exit from this mode, enter 0.

 

Also check if the snort process is running or not.

root@224:~# pmtool status | grep snort 

You can also check if there is any database errors.

root@224:~# DBCheck.pl

After that if possible try to re-register the sensor to the FMC and see if the issue gets resolved.

Regards

Jetsy 

Hi, 

Thanks Jetsy, below is the result:

root@firepower:/Volume/home/admin# manage_procs.pl

**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 6

**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 5
Create job for peer 192.168.43.130. at /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/PeerRoute.pm line 705, <STDIN> line 2.
Scheduled routes update for existing peers...
**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 4
Create job for peer 192.168.43.130. at /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/PeerRoute.pm line 705, <STDIN> line 3.
Scheduled routes update for existing peers...
**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 3
1
**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 2
Scheduled SFDC reset
**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 1
Scheduled SFDC reset
**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: pmtool status | grep snort
Thank you
root@firepower:/Volume/home/admin# pmtool status | grep snort
c80499d2-21f8-11e7-b461-0e3f744b6f3c-d01 (de,snort) - Waiting
Command: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort -u sfsnort -g sfsnort --daq-dir /usr/local/sf/lib/daq -M -Q -G 0 -i eth1:eth2 --daq sfpacket --pid-path /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-1 --cs-dir /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-1 -c /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort.conf -Z /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-1/now --no-interface-pidfile -l /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-1 -P 1518
PID File: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-1/snort.pid
Enable File: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort.conf
c80499d2-21f8-11e7-b461-0e3f744b6f3c-d02 (de,snort) - Waiting
Command: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort -u sfsnort -g sfsnort --daq-dir /usr/local/sf/lib/daq -M -Q -G 1 -i eth1:eth2 --daq sfpacket --pid-path /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-2 --cs-dir /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-2 -c /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort.conf -Z /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-2/now --no-interface-pidfile -l /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-2 -P 1518 --suppress-config-log
PID File: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/instance-2/snort.pid
Enable File: /var/sf/detection_engines/c80499d2-21f8-11e7-b461-0e3f744b6f3c/snort.conf
root@firepower:/Volume/home/admin# DBCheck.pl
running database integrity check with the following options:
- use exception directory /usr/local/sf/etc/db_exceptions
- check refererences
- check enterprise objects
- check schema
- check required data
- log to stderr
getting filenames from [/usr/local/sf/etc/db_updates/index]
getting filenames from [/usr/local/sf/etc/db_updates/base-6.1.0]
/usr/local/sf/etc/db_exceptions/db_exceptions.yaml
After Checking DB, Warnings: 0, Fatal Errors: 0
root@firepower:/Volume/home/admin# exit
exit
admin@firepower:~$ logout
> show managers
Type : Manager
Host : 192.168.43.130
Registration : Completed

>

And then I tried to re-deploy the sensor, but the result remains at 15%. Please help, I really need this lab for my thesis project. :((((
