Firepower Management Center undefining objects when deploying

Malasip
Level 1

Hi,

We've had some problems with the FMC undefining objects on deploy randomly. Usually it removes existing time range objects, causing rules that use them to be active all the time.

In the deployment transcript, the following lines can be seen:

FMC >> time-range xxxxxxxxxxxxxxxxx

FMC >> absolute end 16:00 04 February 2022

FMC >> exit

FMC >> commit noconfirm revert-save

FMC >> no time-range xxxxxxxxx

FMC >> no time-range xxxxxxxxx

FMC >> no time-range xxxxxxxxx

FMC >> no time-range xxxxxxxxx

The rules that get undefined change on deploys at random.

The system also removes deployed rules for AD realms used for VPN authentication.

FMC is on version 7.0.1 (deployment logs show that the same thing has happened with FMC 6.6 as well).

Anyone else seen anything like this before?


I have not personally hit this exact issue, but I have experienced something similar where FMC decided to delete content from the object and then mark the object name as empty. In this case I had to get TAC in the picture and they edited the FMC configuration from the CLI and concluded that it was due to partial corruption of the FMC database.

If you jump into the FTD CLI and show the running config for the objects in question, do they show as object-name-empty?

Which Firepower hardware are you running?

Another possibility: How many total objects do you have configured? Depending on your hardware capability and how many objects you have configured, it might be that you have reached the limit for your hardware.

--
Please remember to select a correct answer and rate helpful posts

Hi,

We are using FTD-2110 and FTD-1100 units in HA configuration, both using different policies, with around 500 objects (not all of them are in use). The problematic rules are applied to the FTD-2110 HA pair. The running config looks normal, except it is missing the rules/objects the FMC undefines (in the transcript, the commands starting with no).

For time range objects, we have around 80.

I tried disabling all but 4 rules that were using the time-range objects, but the FMC still randomly undefines the 4 leftover objects every other deployment.

It's also strange that it undefines the AD realms at random.

From the last deployment:

FMC >> time-range xxxxxxxxx

FMC >> absolute end 18:00 14 May 2021

FMC >> exit

FMC >> time-range xxxxxxxxx

FMC >> absolute start 08:00 10 January 2022 end 16:00 10 January 2022

FMC >> exit

FMC >> time-range xxxxxxxxx

FMC >> absolute start 10:00 22 November 2021 end 13:00 30 November 2021

FMC >> exit

FMC >> commit noconfirm revert-save

FMC >> no aaa-server xxxxxxxxx host xx.xxx.xxx.com

FMC >> no aaa-server xxxxxxxxx protocol ldap

FMC >> no time-range xxxxxxxxx

FMC >> no time-range xxxxxxxxx

One of the aaa servers and 2 of the time range objects got removed.
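A way to catch these removals before they go unnoticed, as an added example that is not part of the original posts and is not Cisco tooling: a small Python audit of a saved deployment transcript that lists every `no time-range` and `no aaa-server` command. The sample transcript and object names are constructed (the thread's names are redacted); only the `FMC >>` line format and the commands come from the transcripts quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread; object names are made up.
SAMPLE = """\
FMC >> time-range TR-MAINT-01
FMC >> absolute end 18:00 14 May 2021
FMC >> exit FMC >> commit noconfirm revert-save
FMC >> no aaa-server REALM-VPN host ldap.example.com
FMC >> no aaa-server REALM-VPN protocol ldap
FMC >> no time-range TR-VENDOR-02
FMC >> no time-range TR-MAINT-01
"""

WATCHED = ("time-range", "aaa-server")  # object types the thread saw removed

def commands(transcript):
    """Yield each CLI command; tolerates several 'FMC >>' entries fused on one line."""
    for line in transcript.splitlines():
        for part in re.split(r"FMC\s*>>", line):
            if part.strip():
                yield part.strip()

def audit(transcript):
    """Return removed objects per type, plus time ranges set and removed in one deploy."""
    defined, removed = set(), defaultdict(list)
    for cmd in commands(transcript):
        words = cmd.split()
        if words[0] == "no" and len(words) >= 3 and words[1] in WATCHED:
            if words[2] not in removed[words[1]]:  # aaa-server yields two lines per realm
                removed[words[1]].append(words[2])
        elif words[0] == "time-range" and len(words) >= 2:
            defined.add(words[1])
    # Diagnostic added here (an assumption, the thread does not say this occurs):
    # the same name configured and then removed within a single deployment.
    both = [n for n in removed.get("time-range", []) if n in defined]
    return {"removed": dict(removed), "configured_then_removed": both}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for kind, names in report["removed"].items():
        for name in names:
            print(f"REMOVED {kind} {name}: review the rules or realms that reference it")
    for name in report["configured_then_removed"]:
        print(f"NOTE {name} was configured and then removed in the same deployment")
```

Any removed time range is worth treating as an alert, since the rules that referenced it become active all the time.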

I don't suppose you have any FlexConfig configurations being deployed also? If you do, would you be able to remove these for testing purposes and then try to deploy again?

Other than that, this sounds very buggy. I would suggest opening a case with TAC.

--
Please remember to select a correct answer and rate helpful posts

Yeah, no FlexConfig. I have opened a case with our partner for the TAC, just wanted to check if anyone has experienced anything similar.
