FP4120 FTD Policy deploy fail issue

kwon65211
Level 1

Hi, I am OSung.

We were discussing preparation for an FP4120 FTD (Firepower Threat Defense) PoV,

but we have an FP4120 FTD policy deploy fail issue.

Issue: When we deploy policy at FMC, an update failure occurred.

After the update failure occurred, we tried to deploy the policy again, but it failed with "Deployment failed due to conflict with ongoing previous deployment. If problem persists after retrying, contact Cisco TAC."

This is not the first time; last night the same case occurred, so we deleted the FP4120 device at FMC. After that we added the device again and deployed the policy, and it was OK. But tonight the same case occurred again. Before the PoV starts, we have to fix it.

FMC model and version: Cisco Firepower Management Center for VMware (memory 16G, CPU 8 cores), version 6.0.1 (build 1213)

Managed device model and version: FP4120 Threat Defense version 6.0.1, firewall in routed mode

Why did this situation happen? I need your experience and advice for FTD.

Regards,

OSung Kwon

6 Replies

Hi OSung,

I have this problem as well with FP4110 appliances with FTD logical devices running v6.1 in an HA failover pair in routed mode. Our setup is already used productively and I'm currently waiting for Cisco TAC to reply to my message. Removing the FTDs from FMC and re-adding them is currently no option for us because they are already heavily under load and used productively.

Regards

Florian

CCIE #37979 (R/S)

Hi Osung,

Cisco TAC (and developers!) helped me to solve my problem. It was related to the following bug: CSCuz65543 which is detailed here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz65543

Our customer had two network objects with "&" in the description which caused the policy deployment to fail. Even if you remove the "&" character in the GUI, the deployment still fails. They created a way to enter "conf t" on the LINA CLI to manually remove the "&" character from the description of the objects and then the policy was deployed without any issues.

TAC told me that they are not allowed to use this special way to access the CLI and that they have to involve the developers in order to take this path.

Regards

Florian

CCIE #37979 (R/S)
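The fix Florian describes had to be applied on the LINA CLI because the "&" in an object description survived the GUI edit. A cheaper check is to lint the object listing on the FMC side before deploying. The script below is an added example, not code from this thread or from Cisco: it flags every network object whose name or description contains "&" (the only character the thread reports as breaking deployment; the set is a parameter so it can be widened). The embedded listing is a constructed sample in the shape the FMC REST API returns for `/object/networks?expanded=true`; the `fetch_network_objects` helper, which assumes the FMC 6.1+ REST API (`/api/fmc_platform/v1/auth/generatetoken` returning `X-auth-access-token` and `DOMAIN_UUID` headers) and is not available on the 6.0.1 FMC in the original post, is provided for live use and is not exercised by the offline run.

```python
"""Pre-deployment lint for FMC network objects: flag '&' in names/descriptions.

Added example, not code from the thread or from Cisco. Assumes the object
listing has the shape the FMC REST API returns for
/api/fmc_config/v1/domain/<uuid>/object/networks?expanded=true
(a JSON document with an "items" list carrying "name", "description",
"value"); the sample below is constructed, not captured from a real FMC.
"""
import base64
import json
import ssl
import urllib.request

# Characters reported in the thread as breaking LINA deployment (bug CSCuz65543).
# Only '&' is documented on the page; kept as a parameter so it can be extended.
DEFAULT_BAD_CHARS = frozenset("&")

# Constructed sample in the shape of an FMC expanded object listing (not real data).
SAMPLE_LISTING = json.dumps({
    "items": [
        {"name": "DMZ-Web", "description": "Web tier", "value": "10.10.1.0/24", "type": "Network"},
        {"name": "R&D-Net", "description": "Research & Development", "value": "10.20.0.0/16", "type": "Network"},
        {"name": "Lab", "description": "Lab and QA", "value": "10.30.0.0/16", "type": "Network"},
        {"name": "Partner", "description": "Partner & vendor VPN", "value": "192.0.2.0/24", "type": "Network"},
    ]
})


def find_bad_characters(listing_json, bad_chars=DEFAULT_BAD_CHARS):
    """Return (object name, field, offending characters) for every object whose
    name or description contains one of bad_chars, in listing order."""
    listing = json.loads(listing_json)
    findings = []
    for obj in listing.get("items", []):
        for field in ("name", "description"):
            text = obj.get(field) or ""
            hits = sorted(set(text) & bad_chars)
            if hits:
                findings.append((obj.get("name", "<unnamed>"), field, "".join(hits)))
    return findings


def fetch_network_objects(fmc_host, username, password, verify_tls=True):
    """Pull the expanded network-object listing from a live FMC.

    Assumption: FMC 6.1+ REST API. POST to /api/fmc_platform/v1/auth/generatetoken
    with HTTP basic auth returns the X-auth-access-token and DOMAIN_UUID headers,
    which are then used for the object query. Not called by the offline run below.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab FMCs still on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{fmc_host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = resp.headers["X-auth-access-token"]
        domain = resp.headers["DOMAIN_UUID"]
    url = (f"https://{fmc_host}/api/fmc_config/v1/domain/{domain}"
           f"/object/networks?expanded=true&limit=1000")
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_network_objects(...)
    # to lint a real FMC before pushing a deployment.
    for name, field, chars in find_bad_characters(SAMPLE_LISTING):
        print(f"object {name!r}: {field} contains {chars!r}")
```

Run it against the listing before each deployment; any hit is something to clean up in the GUI first, and, per Florian's experience, to verify on the device afterwards, since the GUI edit alone did not clear the stale description on the LINA side.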

I love how Cisco is handling these kinds of issues: you may configure it in the management tool, but it's not supported on the actual device..... :-(

And every time customers have to call the TAC to fix it....

nwannura
Level 1

Symptom:
- Policy deployment takes 30 minutes and then fails on FMC due to a timeout
- Subsequent policy deployment fails with "Deployment failed due to conflict with ongoing previous deployment."

Conditions:
FTD 6.2.1+

Workaround:
1. login to the expert mode in FTD CLI
2. escalate to the root level with "sudo su"
3. do "pmtool restartbyid ngfwManager"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg58754/?referring_site=bugquickviewredir

This solved my issue in GNS3 on a virtual FTD. Thanks so much

David Castro F.
Spotlight

Hi OSung Kwon,

I hope you are doing great.

Many issues with these FTDs are not resolved through the same solution, so what I would recommend you do is debug the deployment and look at the logs; many of those will tell you what the FTD is not accepting. Sometimes it can be that the FMC can see the HA or cluster of FTDs, or a "syntax error". You can debug it with the following commands:

FMC:

pigtail deploy

FTDs:

expert

sudo su

pigtail deploy

Keep us posted on the results, whether it worked with one of the workarounds provided, or share this info.

Regards,
David Castro