08-15-2017 09:07 AM - edited 02-21-2020 06:13 AM
Hi,
I am unable to take a backup from a virtual FMC which is managing two Firepower 4110 (HA).
The received error is: Registration or CSM state are blocking Backup
I have a doubt about the actual version (6.2.0), so I have tried to upgrade it to 6.2.1/6.2.0.1/6.2.0.2, but I am getting a somewhat similar error: Peer registration in progress. Please retry in a few moments. However, in the menu of managed devices, both FTD are registered with a green status (see attachment).
Any suggestion?
08-15-2017 10:05 PM
Hi Anouar,
Log in to the CLI of both FTD and run the command show managers. There shouldn't be any manager status as Pending. If yes, then fix that up.
Let me know how it goes.
Regards,
Dv
08-16-2017 12:34 AM
I already have registration completed in both.
08-17-2017 12:27 AM
Hello Anouar,
If the registrations look fine with FTD, then please check the messages log to see why the Backup is failing. Are you copying this to remote storage or locally in FMC?
If it's remote, then please check everything is fine from the remote storage as well.
Regards
Jetsy
08-17-2017 04:45 AM
With tail -f /var/log/messages I found these messages:
Aug 17 12:20:09 firepower SF-IMS[8831]: [8893] sftunneld:sf_connections [INFO] Start connection to : a.b.c.241 (wait 44 seconds is up)
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_peers [INFO] Peer a.b.c.241 needs a single connection
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Connect to a.b.c.241 on port 8305 - eth0
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to a.b.c.241 (via eth0)
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to *.241:8305/tcp
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): a.b.c.241
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] No IPv4 connection to a.b.c.241
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [WARN] Unable to connect to peer 'a.b.c.241'
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] reconnect to peer 'a.b.c.241' in 44 seconds
Aug 17 12:20:31 firepower SF-IMS[8831]: [8893] sftunneld:sf_peers [INFO] Peer a.b.c.241 needs a single connection
This should be the root cause. We have inserted a wrong device address before (.241), which is the Firepower Chassis Manager and not the FTD one.
How can we unregister this wrong address, as we do not see anything about it from the GUI?
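The sftunneld messages quoted in the post above can be summarized per peer without touching the database. The following is an added example, not part of the original thread and not Cisco tooling: it counts "Unable to connect to peer" warnings and flags peers that are missing from an operator-supplied list of expected device addresses. The 192.0.2.x addresses, the function names and the expected-device set are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sftunneld lines quoted in the thread;
# 192.0.2.x addresses are documentation placeholders, not values from the page.
SAMPLE_LOG = """\
Aug 17 12:20:09 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] Connect to 192.0.2.241 on port 8305 - eth0
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.0.2.241'
Aug 17 12:20:29 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [INFO] reconnect to peer '192.0.2.241' in 44 seconds
Aug 17 12:21:13 firepower SF-IMS[8831]: [22370] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.0.2.241'
Aug 17 12:21:14 firepower SF-IMS[8831]: [22371] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.0.2.10'
Aug 17 12:21:15 firepower kernel: unrelated line
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ SF-IMS\[\d+\]: \[\d+\] "
                  r"sftunneld:(?P<mod>\w+) \[(?P<lvl>[A-Z]+)\] (?P<msg>.*)$")
FAILED = re.compile(r"Unable to connect to peer '(?P<peer>[^']+)'")

def failing_peers(log_text, expected_devices):
    """Return {peer: {"failures", "first", "last", "expected"}} for every peer
    sftunneld reported as unreachable. expected_devices is the operator's own
    list of addresses that should be registered (an assumption of this example)."""
    stats = defaultdict(lambda: {"failures": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["lvl"] != "WARN":
            continue  # not an sftunneld warning line
        f = FAILED.search(m["msg"])
        if not f:
            continue
        s = stats[f["peer"]]
        s["failures"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    for peer, s in stats.items():
        s["expected"] = peer in expected_devices
    return dict(stats)

def stale_candidates(log_text, expected_devices, min_failures=2):
    """Peers that keep failing and are not in the expected inventory."""
    report = failing_peers(log_text, expected_devices)
    return sorted(p for p, s in report.items()
                  if not s["expected"] and s["failures"] >= min_failures)

if __name__ == "__main__":
    for peer in stale_candidates(SAMPLE_LOG, {"192.0.2.10", "192.0.2.11"}):
        print("review registration for", peer)
```

The output is only a list of addresses to review; it reads the log and changes nothing on the appliance.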
08-17-2017 07:23 AM
Hi Anouar,
Please go to the CLI of the device, become root and run this command:
Command: mysql -padmin sfsnort -e "select name,ip,uuid,role from EM_peers where role !=0"
This would list out all the peers. Find the UUID and IP of the Chassis Mgr which you added wrongly, and then run this command:
remove_peer.pl <IP>
remove_peer.pl <~IP>
remove_peer.pl <uuid>
remove_peer.pl <~uuid>
This should fix the issue. Let me know how it goes.
Regards,
Dv
08-17-2017 07:27 AM
Hi,
Is there any risk, or can we execute it during work hours?
08-17-2017 07:32 AM
No risk as long as you're deleting the entry which we don't need and which is lying there for no good.
08-11-2019 01:57 AM
Hi,
How can I find the right one?
I have used the same command, and I found out that there are multiple lines there, but I have used just one Manager. How can I find which entry is working and which one is not needed?
08-11-2019 05:16 AM
Any peers that have an address other than your Firepower Management Center may be removed.
07-16-2020 01:48 PM
Refrain from using any database commands. They may cause irreversible problems with the database. Contact TAC for this issue as the backup heavily depends on Database and needs to be handled by TAC only.