Cisco_Firepower deployment issue

Amen
Level 1

We were affected several times by an error that prevented us from continuing with the deployment of any modifications in our Cisco Firepower, and the error seems to be related to the ISE/SGT integration:

At the moment, we are using the following workaround: uncheck “SXP Topic” -> Save, then check “SXP Topic” again -> Save.
After execution of this workaround, we can continue normally.


Is there any way to avoid that? Is there any known bug or information about this? Perhaps some commands we can run to gather information to help troubleshoot next time?

4 Replies

Are you using that security rule that has the "DigIT_Infra" tag selected? If not, you can remove that rule. The error you shared seems to be talking about having that tag deleted; maybe there is an issue between ISE and your FMC that is preventing the synchronization from happening? Finally, if you are not using SXP then you can leave it off; you only need that if you are actually encapsulating the SGTs over L3 links.

Yes, we are using the “DigIT_Infra” SGT. That is the only one you can see in the screenshot, but the full list of all SGTs is included in the scroll-down window. This means that it is complaining about all of them.

As far as I understand, I need SXP between Firepower and the ISE server. Communications between them are over internal L3 links, right?

For the integration itself I don't believe you need SXP as ISE and FMC are integrated via pxGrid. However, the SXP could be required if you want to propagate the SGTs over L3 links where the devices in the path (ISP CPE for instance) do not keep or process the tag. In that case SXP would be required, but as I said not for the integration between ISE and FMC.

@Amen the FMC will learn the SGTs (and dynamic IP bindings) via the pxGrid integration to ISE. The SXP integration to ISE would be used if you are publishing static IP bindings from ISE; it is optional, not mandatory.

From the FMC expert mode, you can run the command adi_cli session, which will display the sessions sent from ISE to the FMC, and run the command cat /var/sf/run/adi-health, which will provide information on the state to confirm this integration is working.
