Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1980
Views
5
Helpful
3
Replies

FMC not showing same configuration as FTD

Go to solution
BobbyWittenberg76836
Level 1
Level 1

‎11-18-2020 11:00 AM

Howdy folks - I've found myself in a position where I am trying to deploy a configuration change from the FMC to one of our FTD firewalls. The change it self is totally aesthetic (changing the name of an object).  The deployment ends up failing with the following information:

 

I've modified object names for security.

 

FMC >> no object network ***Object_Name***
FTD_Name >> error : ERROR: unable to delete object (***Object_Name***). object is being used.
Config Error -- no object network ***Object_Name***  

 

So at this point the Object in question has its name changed in the FMC Network objects list and has also been added to the FTD but upon viewing the running config of the problematic FTD I see that the old object is in use in a VPN filter ACL associated with an old AnyConnect Profile.  The, AnyConnect profile and associated group policy / VPN filter ACL were all deleted from the FTD (via the FMC) about 4 months ago. Browsing through the Remote Access VPN configs for this firewall on the FMC, those profiles, policies and VPN filters are gone (as expected) but looking through the running config on the FTD I see those old config lines are still present.  

 

All of that to say - what's the best way to clear an old config line(s) from the FTD if they aren't present in the FMC Web UI?

 

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
BobbyWittenberg76836
Level 1
Level 1
In response to BobbyWittenberg76836

‎12-07-2020 11:07 AM

For the sake of knowing - I was able to resolve the issue on the problematic FTD with CLI commands through FlexConfig on the FMC

The script was:    (***** to obfuscate object name)

 

no tunnel-group ***** webvpn-attributes
no tunnel-group ***** general-attributes
no tunnel-group *****
no group-policy ***** attributes
no group-policy *****

View solution in original post

3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-18-2020 11:40 AM

You need to remove association ACP / from Profile and delete the object.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
BobbyWittenberg76836
Level 1
Level 1
In response to balaji.bandi

‎11-18-2020 11:46 AM

That's the challenge, the AnyConnect profile was deleted from the FMC long ago but for one reason or another it still exists in the running config on the FTD - but you can only see that when you do a show run from the CLI on the FTD.  

0 Helpful

Go to solution
BobbyWittenberg76836
Level 1
Level 1
In response to BobbyWittenberg76836

‎12-07-2020 11:07 AM

For the sake of knowing - I was able to resolve the issue on the problematic FTD with CLI commands through FlexConfig on the FMC

The script was:    (***** to obfuscate object name)

 

no tunnel-group ***** webvpn-attributes
no tunnel-group ***** general-attributes
no tunnel-group *****
no group-policy ***** attributes
no group-policy *****

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card