Solved: FTD deployment issues after upgrading to 6.6

Chess Norris · ‎10-12-2020

I am in the process of upgrading a bunch of ASA 5508-X from FTD version 6.3 to 6.6.

They are all setup in failover pairs with a couple of sub interface.

All the configuration is basically the same except for the interface address configuration and ACPs.

After the upgrade, I was able to successfully deploy the policy's to most of them, but two of them

return an error and wouldn't go through with the deploy.

This is the output I can see in the detail deploy output.

FMC >> failover mac address GigabitEthernet1/1 0E12.0105.0001 0E12.0105.0002
FRGRFW1a >> error : ERROR: Configure nameif for the interface GigabitEthernet1/1 to configure failover mac
Config Error -- failover mac address GigabitEthernet1/1 0E12.0105.0001 0E12.0105.0002
Other logs

Lina config ROLLBACK failure log
Lina configuration application failure. Error in lina apply phase due to Config Error response from LINA

I suspect I need to create a TAC case, but I am curious if someone seen this error before?

Thanks

/Chess

Marius Gunnerud · ‎10-12-2020

Looks like you might be hitting this bug (even though this bug states 6.5.0):

Symptom:
Firepower Management Center (FMC) deployment failure to managed devices recently upgraded to 6.5.0.

FMC transcript shows the following error.

FMC >> failover mac address Ethernet1/4 1234.1234.aabb 1234.1234.bbaa
FTDHA >> error : ERROR: Configure nameif for the interface Ethernet1/4 to configure failover mac
Config Error -- failover mac address Ethernet1/4 1234.1234.aabb 1234.1234.bbaa

The /nfw/var/log/ASAConsole.log file shows the following errors when the FTD boots up with the new version.

2019-10-07 15:26:17 ERROR: Failover mac address cannot be configured when failoveris disabled
2019-10-07 15:26:17 *** Output from config line 1218, "failover mac address Eth..."

Conditions:
FTD on HA
FTD version 6.5.0
To have Interfaces MAC addresses configured for interfaces without a name.

Workaround:
Removing the MAC addresses for interfaces that aren't named allows the deployments to complete. This workaround doesn't represent any behavior change as unnamed interfaces can't be used until a name is given to them.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr57984/?rfs=iqvred

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎10-12-2020

Looks like you might be hitting this bug (even though this bug states 6.5.0):

Symptom:
Firepower Management Center (FMC) deployment failure to managed devices recently upgraded to 6.5.0.

FMC transcript shows the following error.

FMC >> failover mac address Ethernet1/4 1234.1234.aabb 1234.1234.bbaa
FTDHA >> error : ERROR: Configure nameif for the interface Ethernet1/4 to configure failover mac
Config Error -- failover mac address Ethernet1/4 1234.1234.aabb 1234.1234.bbaa

The /nfw/var/log/ASAConsole.log file shows the following errors when the FTD boots up with the new version.

2019-10-07 15:26:17 ERROR: Failover mac address cannot be configured when failoveris disabled
2019-10-07 15:26:17 *** Output from config line 1218, "failover mac address Eth..."

Conditions:
FTD on HA
FTD version 6.5.0
To have Interfaces MAC addresses configured for interfaces without a name.

Workaround:
Removing the MAC addresses for interfaces that aren't named allows the deployments to complete. This workaround doesn't represent any behavior change as unnamed interfaces can't be used until a name is given to them.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr57984/?rfs=iqvred

--
Please remember to select a correct answer and rate helpful posts

Chess Norris · ‎10-12-2020

Thanks,

I did remove the MAC and had no problem deploying. After the deploy was finished, I noticed that I didn't even had the choice anymore to select the physical interface. I will set up failover MAC addresses on the sub-interfaces instead.

/Chess