FTD's snort detection engine is going down

koustavb · ‎04-03-2023

I have an 4600 FMC (on 7.2.2-54) and three 4125 FTDs as container in a single chassis manager. While integrating those FTDs into the FMC the deployment after registration is always getting failed at 83%. In the health monitor section I can see the snort process is up and goes down when deployment is at 83% and the deployment history shows the below mentioned error - "Timeout to process traffic to snort engine".

Now the weird thing is that when I am integrating the FTD as a native instance by removing all containers the deployment is working fine. I am not getting any idea why the snort is going down while the FTDs are configured as container.

Any help would be appreciated.

balaji.bandi · ‎04-04-2023

it was seen some time back on 6.6 there was a bug but on 7.0 we did not notice this issue -

check any updates pending before you pushing any new policy - still have issue contact TAC

https://bst.cisco.com/bugsearch/bug/CSCvz19857?rfs=qvred

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

koustavb · ‎04-04-2023

Thanks for your response. There is no such pending update. Moreover, as my FMC is on 7.2.2 and said FTD instances are on 7.1.0, I thought this may be happening due to FMC-FTD version mismatch. So I did reconfigure these FTDs with 7.2.2 within the chassis and integrate into FMC (after this community post). But that too did not help. Also, according to your BST reference, it is saying for redeployment which also leads to failure.

FYI, these containerized FTDs were working fine when the FMC was on 7.1.0.1. As long as I can remember, the deployment started to fail after the FMC was upgraded to 7.2.2. Then I disintegrated these FTDs and tried to reintegrate and faced the issue.

c_s1 · ‎07-31-2023

Did you figure out how to fix this issue? I have the same issue occurring now.

koustavb · ‎08-04-2023

Hi,

I needed to remove the var/cisco/packages/vdb-361.tgz file located on
Active FMC.

After removing this file, I tried doing another deployment and deployment
was completed this time. After successful deployment, the Snort process
came up on the FTDs where this was failing.

c_s1 · ‎08-05-2023

Thank you very much!

rhingel · ‎07-31-2023

I suggest attempting a deploy, wait for the error to pop up while collecting logs from FMC & FTD and take note of the transaction ID that is shown under deployment history on your FMC.

Log on both FTD and FMC via CLI (command syntax is the same):

expert
sudo su
<enter your password>
pigtail deploy

Example:

> expert
admin@fmc:~$ sudo su
Password: 
Last login: Tue Aug  1 00:36:41 UTC 2023 on pts/0
root@fmc:/Volume/home/admin# 
root@fmc:/Volume/home/admin# 
root@fmc:/Volume/home/admin# pigtail deploy
<truncated due to log size>
Collated log written to pigtail-deploy-1690850205.log

Now try deploy from FMC to the FTD once you get pigtail deploy running on both ends.
Wait for the deploy to fail.

Hit CTRL+C to stop the log collection on both FMC and FTD. The log is automatically saved and can be moved to facilitate downloading.

On FTD: mv <file name> /ngfw/var/common/
On FMC: mv <file name> /var/common/

Now on FMC web interface, browse System > Health > Monitor. You should see a device list on the left side, click the FTD name > View System & Troubleshoot Details > Advanced Troubleshooting.

Put the name of the file and download it. You can also repeat this step to download the file you saved on your FMC.

With these files at hand, open a Cisco TAC SR and make sure you provide the transaction ID to the TAC engineer.

This article contains great information about this subject:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw-virtual/215258-troubleshooting-firepower-threat-defense.html

c_s1 · ‎08-05-2023

Thank you very much, I appreciate your help.