Hi, I am OSung.
We were discussing preparation for the FP4120 FTD (Firepower Threat Defense) PoV,
but we have an FP4120 FTD policy deployment failure issue.
Issue: When we deploy the policy at FMC, an update failure occurred.
After the update failure occurred, we tried to deploy the policy again, but got: “Deployment failed due to conflict with ongoing previous deployment. If problem persists after retrying, contact Cisco TAC.”
This is not the first time; last night the same case occurred, so we deleted the FP4120 device at FMC. After that we added the device again and deployed the policy, and it was OK. But tonight the same case occurred again. Before the PoV starts, we have to fix it.
FMC model and version: Cisco Firepower Management Center for VMWare (memory 16G, CPU 8 core), version 6.0.1 (build 1213)
Managed device model and version: FP4120 Threat Defense version 6.0.1, firewall is in routed mode
Why did this situation happen? I need your experience and advice for FTD.
I have this problem as well with FP4110 appliances with FTD logical devices running v6.1 in an HA failover pair in routed mode. Our setup is already used productively and I'm currently waiting for Cisco TAC to reply to my message. Removing the FTDs from FMC and re-adding them is currently no option for us because they are already heavily under load and used productively.
Cisco TAC (and developers!) helped me to solve my problem. It was related to the following bug: CSCuz65543 which is detailed here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz65543
Our customer had two network objects with "&" in the description which caused the policy deployment to fail. Even if you remove the "&" character in the GUI, the deployment still fails. They created a way to enter "conf t" on the LINA CLI to manually remove the "&" character from the description of the objects and then the policy was deployed without any issues.
TAC told me that they are not allowed to use this special way to access the CLI and that they have to involve the developers in order to take this path.
I love how Cisco is handling these kinds of issues - you may configure it in the Management tool, but it's not supported on the actual device..... :-(
And every time customers have to call the TAC to fix it....
- Policy deployment takes 30 minutes and then fails on FMC due to a timeout
- Subsequent policy deployment fails with "Deployment failed due to conflict with ongoing previous deployment."
1. login to the expert mode in FTD CLI
2. escalate to the root level with "sudo su"
3. do "pmtool restartbyid ngfwManager"
Hi OSung Kwon,
I hope you are doing great,
Many issues with these FTDs are not resolved through the same solution, so what I would recommend you do is debug the deployment and look at the logs. Many of those would tell you what the FTD is not accepting; sometimes it can be that the FMC can see the HA or Cluster of FTDs, or a "syntax error". You can debug it with the following commands: