Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2633
Views
0
Helpful
5
Replies

Firepower upgrade to 7.0.1-84 failed at 39%

Go to solution
bcoverstone
Level 1
Level 1

‎10-28-2021 07:19 PM - edited ‎10-29-2021 08:19 PM

I was attempting to upgrade a Firepower 1010 HA pair to build 7.0.1-84 and received the following error:

 

Firepower_Failed.png

 

Here is the stack trace:

Failed to generate data after all imported ApplicationException:java.lang.UnsupportedOperationException: SmartAgentManager#getCurrentSmartAgentDelegate is not allowed during the bootstrap
com.cisco.ngfw.onbox.importer.services.UpgradeSqliteToNeo4jImporter.retryFailedLinaAndSnortDataGeneration(UpgradeSqliteToNeo4jImporter.java:642)
com.cisco.ngfw.onbox.importer.services.UpgradeSqliteToNeo4jImporter.handleDataGenerationAfterEntitiesImported(UpgradeSqliteToNeo4jImporter.java:604)
com.cisco.ngfw.onbox.importer.services.UpgradeSqliteToNeo4jImporter.afterEntitiesImported(UpgradeSqliteToNeo4jImporter.java:528)
com.cisco.ngfw.onbox.backend.services.configdb.SqliteToNeo4jImporter.doImportFromSqlite(SqliteToNeo4jImporter.java:210) com.cisco.ngfw.onbox.backend.services.configdb.SqliteToNeo4jImporter.importFromSqlite(SqliteToNeo4jImporter.java:163)
com.cisco.ngfw.onbox.importer.services.UpgradeSqliteImportService.importConfigFromSqlite(UpgradeSqliteImportService.java:177)
Reporting error : Failed to generate data after all imported Fatal error: Failed to generate data after all imported

 

 

The upgrade readiness check was run and passed.

Any ideas what I can do to make this work?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
bcoverstone
Level 1
Level 1
In response to bcoverstone

‎11-03-2021 03:16 PM - edited ‎11-03-2021 03:17 PM

It looks like the unit was also not able to deploy any configuration changes because it kept giving me an error that my VPN RA had an overlapping IP address in the pool, which it definitely does not. I am using two ranges in 192.168.200.0/25 and 192.168.200.128/25, and it thinks those overlap. So maybe only use /24 addresses as the FDM seems to be confusing those ranges, though it didn't give me issues when I first configured them.

 

I tried restoring a good backup before attempting the firmware update, and it also has all the same problems, so even the backup has failed!!!!!

 

I did a full reimage of the standby unit and reconfigured it completely from scratch. This is the only way I was able to get things working again.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
andrew.butterworth
Level 7
Level 7

‎10-29-2021 03:24 AM - edited ‎10-29-2021 03:50 AM

I've got a HA pair of FTDv's running on an ESXi platform in the lab.  These were build from the 6.6 .ova and have been upgraded a few times.  The last time I upgraded them to 7.0.0.1 without any issues.  I attempted to upgrade them to 7.0.1 recently - one worked and the other didn't and failed with some certificate error.

Its now in some limbo state where it needs to have changes deployed, however it fails the deployment and won't let you discard the changes.

Its looking like a re-image of both I think....

 
 

 

Preview file
89 KB
Preview file
101 KB
0 Helpful

Go to solution
bcoverstone
Level 1
Level 1
In response to andrew.butterworth

‎10-29-2021 12:20 PM - edited ‎10-29-2021 12:22 PM

It looks like it does not like one of your certificates. Maybe remove all certs, upgrade, add them back in?

 

Unfortunately with my issue, the error deals with the "Smart Agent", which is Cisco Licensing. And that's something I can't control.

Unless maybe I try delicensing the standby unit and then try to upgrade it...

0 Helpful

Go to solution
andrew.butterworth
Level 7
Level 7

‎10-29-2021 01:16 PM

I ended up breaking the HA, building a new FTDv from the .ova and then recreating the HA.

0 Helpful

Go to solution
bcoverstone
Level 1
Level 1

‎10-29-2021 08:19 PM

Cisco TAC got back to me today, and it appears that I am not alone and that other firewall upgrades have had the exact same issue. Cisco has devs on it to reproduce and correct the issue.

 

I'll reply back with a status once I find out more.

0 Helpful

Go to solution
bcoverstone
Level 1
Level 1
In response to bcoverstone

‎11-03-2021 03:16 PM - edited ‎11-03-2021 03:17 PM

It looks like the unit was also not able to deploy any configuration changes because it kept giving me an error that my VPN RA had an overlapping IP address in the pool, which it definitely does not. I am using two ranges in 192.168.200.0/25 and 192.168.200.128/25, and it thinks those overlap. So maybe only use /24 addresses as the FDM seems to be confusing those ranges, though it didn't give me issues when I first configured them.

 

I tried restoring a good backup before attempting the firmware update, and it also has all the same problems, so even the backup has failed!!!!!

 

I did a full reimage of the standby unit and reconfigured it completely from scratch. This is the only way I was able to get things working again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card