Solved: Help! FTD dropped off management

mhmservice · ‎02-05-2021

We have a number of ASA5506 running FTD 6.2.3 managed with FMC

One of the devices is not sending heartbeats to the management even after a reboot

I logged in to the device over SSH and found that "show managers" command doesn't show anything:

> show managers
No managers configured.

I try to add the manager and get this horrible error:

> configure manager add <FMC IP> <KEY>
getPeersByRole: unable to connect to db at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/PeerManager/Peers.pm line 226.
Unable to access DetectionEngine::bulkLoad

I tried to run "manage_procs.pl" from a shell but get this error:

root@FW:/home/admin# manage_procs.pl

**************** Configuration Utility **************

1 Reconfigure Correlator
2 Reconfigure and flush Correlator
3 Restart Comm. channel
4 Update routes
5 Reset all routes
6 Validate Network
0 Exit

**************************************************************
Enter choice: 3

Unable to connect to database: at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/PeerManager/PeerInfo.pm line 184.

What can be done?

mhmservice · ‎04-21-2021

TAC didn't give me any other options than to reimage the device. Was a real pain to get someone on site to connect a console but eventually managed that and did the reimage. Reimage solved the problem but it really makes me worried some more may fail ... oh well....

View solution in original post

Marvin Rhoads · ‎02-05-2021

I'd take that one up with the TAC. The things you checked are what I would have done. If that fails, it's something very low level and the TAC is best equipped to handle that.

If it were just a Firepower service module I would say reimage it. But as an FTD device that would be very disruptive. Hopefully TAC can work some magic with the database and get it back to communicating with FMC.

Tyson Joachims · ‎02-05-2021

FTDs run a lot of databases and do not like to have a sudden power loss. It's possible that this has happened which has really messed some things up. If the device is working currently (passing traffic and users are able to get to the Internet, etc) then you can schedule a maintenance window and have TAC look at it in the mean time. If the device has reverted to factory defaults and the site is completely down, I'd look at re-imaging the device (make sure you image it with 6.2.3 since that is as high as you can go with the 5506-X). Here's the instructions for re-imaging: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_51368. After re-image, try joining back to the FMC.

If that doesn't work, & TAC can't help, well.... it might be toast.

Oliver Kaiser · ‎02-06-2021

+1 for TAC Case. There were some issues in 6.2.3 with database corruption and disk cleanup procedures that did not run correctly, which might explain why the mysql is not running on you device causing all kinds of issues in the backend of FTD. You could dig deeper in theory but the quickest way to resolve this is through TAC.

mhmservice · ‎04-21-2021

TAC didn't give me any other options than to reimage the device. Was a real pain to get someone on site to connect a console but eventually managed that and did the reimage. Reimage solved the problem but it really makes me worried some more may fail ... oh well....