11-18-2020 11:00 AM
Howdy folks - I've found myself in a position where I am trying to deploy a configuration change from the FMC to one of our FTD firewalls. The change itself is purely cosmetic (changing the name of an object). The deployment ends up failing with the following information:
I've modified object names for security.
FMC >> no object network ***Object_Name***
FTD_Name >> error : ERROR: unable to delete object (***Object_Name***). object is being used.
Config Error -- no object network ***Object_Name***
So at this point the object in question has had its name changed in the FMC Network objects list and has also been added to the FTD, but upon viewing the running config of the problematic FTD I see that the old object is in use in a VPN filter ACL associated with an old AnyConnect profile. The AnyConnect profile and associated group policy / VPN filter ACL were all deleted from the FTD (via the FMC) about 4 months ago. Browsing through the Remote Access VPN configs for this firewall on the FMC, those profiles, policies and VPN filters are gone (as expected), but looking through the running config on the FTD I see those old config lines are still present.
All of that to say - what's the best way to clear an old config line(s) from the FTD if they aren't present in the FMC Web UI?
Thanks!
12-07-2020 11:07 AM
For the sake of knowing - I was able to resolve the issue on the problematic FTD with CLI commands through FlexConfig on the FMC.
The script was: (***** to obfuscate object name)
no tunnel-group ***** webvpn-attributes
no tunnel-group ***** general-attributes
no tunnel-group *****
no group-policy ***** attributes
no group-policy *****
11-18-2020 11:40 AM
You need to remove the ACP / profile association and then delete the object.
11-18-2020 11:46 AM
That's the challenge: the AnyConnect profile was deleted from the FMC long ago, but for one reason or another it still exists in the running config on the FTD - and you can only see that when you do a show run from the CLI on the FTD.