Solved: Re: Hi Anouar,

Anouar ABDALLAH · ‎08-15-2017

Hi,

I am unable to take a backup from a virtual FMC which is managing two Firepower 4110 (HA).

The received error is : Registration or CSM state are blocking Backup

I have a doubt about the actual version (6.2.0) so I have tried to upgrade it to 6.2.1/6.2.0.1/6.2.0.2 but I am getting a somewhat similar error : Peer registration in progress. Please retry in a few moments. However, in the menu of managed devices, both FTD are registered with a green status (see attachment).

Any suggestion ?

Dinesh Verma · ‎08-17-2017

Hi Anouar,

Please go to the CLI of the device, become root and run this command:

Command: mysql -padmin sfsnort -e "select name,ip,uuid,role from EM_peers where role !=0"

This would list out all the peers, find the UUID and IP of the Chassis Mgr which you added wrongly. and then run this command:

remove_peer.pl <IP>

remove_peer.pl <~IP>

remove_peer.pl <uuid>

remove_peer.pl <~uuid>

This should fix the issue. Let me know how it goes.

Regards,

Dv

View solution in original post

Dinesh Verma · ‎08-15-2017

Hi Anouar,

Login to the CLI of both FTD and run the command show managers. There shouldn't be any manager status as Pending. If yes then fix that up.

Let me know how it goes.

Regards,
Dv

Anouar ABDALLAH · ‎08-16-2017

I already have registration completed in both.

Jetsy Mathew · ‎08-17-2017

Hello Anouar

If the registrations looks fine with FTD then please check the messages log to see why the Backup is failing .Are you copying this to remote storage or locally in FMC ?

If its remote then please check everything is fine from the remote storage as well.

Regards

Jetsy

Anouar ABDALLAH · ‎08-17-2017

with tail -f /var/log/messages I found these messages :

Aug 17 12:20:09 firepower SF-IMS[8831]: [8893] sftunneld:sf_connections [INFO] Start connection to : a.b.c.241 (wait 44 seconds is up)
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_peers [INFO] Peer a.b.c.241 needs a single connection
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Connect to a.b.c.241 on port 8305 - eth0
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to a.b.c.241 (via eth0)
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to *.241:8305/tcp
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): a.b.c.241
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] No IPv4 connection to a.b.c.241
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [WARN] Unable to connect to peer 'a.b.c.241'
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] reconnect to peer 'a.b.c.241' in 44 seconds
Aug 17 12:20:31 firepower SF-IMS[8831]: [8893] sftunneld:sf_peers [INFO] Peer a.b.c.241 needs a single connection

This should be the root cause. We have inserted a wrong device address before (.241) which is the Firepower Chassis Manager and not the FTD one

How can we unregister this wrong address as we do not see anything about it from GUI ?

Dinesh Verma · ‎08-17-2017

Hi Anouar,

Please go to the CLI of the device, become root and run this command:

Command: mysql -padmin sfsnort -e "select name,ip,uuid,role from EM_peers where role !=0"

This would list out all the peers, find the UUID and IP of the Chassis Mgr which you added wrongly. and then run this command:

remove_peer.pl <IP>

remove_peer.pl <~IP>

remove_peer.pl <uuid>

remove_peer.pl <~uuid>

This should fix the issue. Let me know how it goes.

Regards,

Dv

Anouar ABDALLAH · ‎08-17-2017

Hi,

Is there any risk or we can execute it during work hours.

Dinesh Verma · ‎08-17-2017

No risk as long as you're deleting the entry which we don't need and lying there for no good.

cisco.adm000@gmail.com · ‎08-11-2019

Hi

How can i find the Right one ?

i have used the Same command,i find out that there are multiple lines out there,but I have used just one Manager.How can I find that which Entry is working and which one is not needed?

Marvin Rhoads · ‎08-11-2019

Any peers that have an address other than your Firepower Management Center may be removed.

kvajarka · ‎07-16-2020

Refrain from using any database commands. They may cause irreversible problems with the database. Contact TAC for this issue as the backup heavily depends on Database and needs to be handled by TAC only.

[FMC] Unable to save a backup or to upgrade