05-17-2018 08:06 AM - edited 02-21-2020 07:46 AM
Hey everyone,
I have a brand new FMC HA setup with two FTDs assigned.
The FMC pair is running 6.2.3.1 and I'm now trying to put the patch on the FTD firewalls as well.
When I try to upgrade I get an error.
This is the log output:
admin@dd-suc-fw01-scada:~$ tail -f /ngfw/var/log/sf/Cisco_FTD_Patch-6.2.3.1/status.log
state:running
ui:Upgrade has begun.
ui:[ 1%] Running script 000_start/000_check_update.sh...
ui:[ 1%] Running script 000_start/100_start_messages.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[ 4%] Running script 000_start/106_check_HA_sync.pl...
ui:[ 5%] Running script 000_start/107_version_check.sh...
ui:[ 6%] Running script 000_start/109_check_HA_MDC_status.pl...
ui:[ 9%] Running script 000_start/125_verify_bundle.sh...
ui:[12%] Running script 000_start/400_run_troubleshoot.sh...
ui:[13%] Running script 200_pre/001_check_reg.pl...
ui:[14%] Running script 200_pre/002_check_mounts.sh...
ui:[15%] Running script 200_pre/003_check_health.sh...
ui:[17%] Running script 200_pre/009_check_snort_preproc.sh...
ui:[17%] Fatal error: Error running script 200_pre/009_check_snort_preproc.sh
Any help would be really appreciated. Maybe an interesting note, I'm also unable to push an Access Control Policy to these devices. I don't know if the two are related. But as FMC is on 6.2.3.1 I assumed it was best to have FTD also on 6.2.3.1
Thanks
05-18-2018 01:57 AM
Ok so after a bit more troubleshooting I found the following in the /var/log/update.status:
**********************************************************
OUT: [180517 14:59:39:999] Starting script: 200_pre/009_check_snort_preproc.sh
OUT: Entering 200_pre/009_check_snort_preproc.sh...
OUT:
OUT: Incompatible Dynamic Preprocessors detected! Please reapply policy before continuing. If this error continues, contact support.
OUT: **********************************************************
This made me decide to downgrade back to 6.2.3 on FMC. After the downgrade I'm able to push the Access Control Policy towards the firewall.
So an overview of the problem I was facing:
FMC HA pair was on 6.2.3.1
FTD was on 6.2.3
I was unable to push the ACP and was getting the error:
May 18 06:40:29 The 'source' parameter ("/var/cisco/deploy/sandbox/snort-pkg/usr/local/sf/lib/snort/2.9.12-204/bin/fwrulechecker") to SF::System::copy did not pass the 'Type Validator (system.file)' callback
I was unable to upgrade FTD to 6.2.3 and was getting the error I pasted above.
I was unable to do a snort rule upgrade on the FTDs. FMC was able to download them and install them on FMC but not on FTD.
I also tried to manually install 6.2.3.1 on FTD but that generated the following error:
admin@ftd:/ngfw/var/sf/updates$ sudo install_update.pl --readiness-check Cisco_FTD_Patch-6.2.3.1-43.sh.REL.tar
ARGV[0] = --readiness-check
ARGV[1] = Cisco_FTD_Patch-6.2.3.1-43.sh.REL.tar
install_update.pl begins.
bundle_filepath: Cisco_FTD_Patch-6.2.3.1-43.sh.REL.tar
System (/ngfw/usr/local/sf/bin/verify_signed_image.sh -s /ngfw/var/tmp/sigstatus_uBvPa0Ty -i Cisco_FTD_Patch-6.2.3.1-43.sh.REL.tar) Failed to verify signature. at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/System/Privileged.pm line 6001.
Package has bad signature! Cisco_FTD_Patch-6.2.3.1-43.sh.REL.tar at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/Update.pm line 370.
Update is not valid at /ngfw/usr/local/sf/bin/install_update.pl line 485.
So as far as I can see I can't use patch1 for 6.2.3
When I upgrade the FMC 6.2.3 I'm unable to push an ACP or upgrade FTD. I have a feeling both issues are linked together and generate a catch-22.
Any thoughts?
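The two logs in this thread (the upgrade status.log from the first post and the /var/log/update.status excerpt above) share a simple line-oriented format, so the failing pre-check script and its own output can be pulled out automatically instead of by eye. The following is an added example, not code from the original posts or from Cisco: the sample log text is constructed to match the format shown in the thread, and the function names (parse_status_log, extract_script_output, diagnose_upgrade) are the example's own.

```python
import re

# Constructed sample of an FTD upgrade status.log, modelled on the first post.
SAMPLE_STATUS_LOG = """state:running
ui:Upgrade has begun.
ui:[ 1%] Running script 000_start/000_check_update.sh...
ui:[ 3%] Running script 000_start/105_check_model_number.sh...
ui:[15%] Running script 200_pre/003_check_health.sh...
ui:[17%] Running script 200_pre/009_check_snort_preproc.sh...
ui:[17%] Fatal error: Error running script 200_pre/009_check_snort_preproc.sh
"""

# Constructed sample of /var/log/update.status, modelled on the second post.
SAMPLE_UPDATE_STATUS = """**********************************************************
OUT: [180517 14:59:39:999] Starting script: 200_pre/009_check_snort_preproc.sh
OUT: Entering 200_pre/009_check_snort_preproc.sh...
OUT:
OUT: Incompatible Dynamic Preprocessors detected! Please reapply policy before continuing. If this error continues, contact support.
OUT: **********************************************************
"""

# "ui:[ 1%] Running script <name>..." and "ui:[17%] Fatal error: Error running script <name>"
RUNNING_RE = re.compile(r"^ui:\[\s*(\d+)%\] Running script (\S+?)\.\.\.$")
FATAL_RE = re.compile(r"^ui:\[\s*(\d+)%\] Fatal error: Error running script (\S+)$")


def parse_status_log(text):
    """Summarise a status.log: upgrade state, last progress %, scripts run, failing script."""
    summary = {"state": None, "progress": 0, "scripts": [], "failed_script": None}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("state:"):
            summary["state"] = line.split(":", 1)[1]
            continue
        m = RUNNING_RE.match(line)
        if m:
            summary["progress"] = int(m.group(1))
            summary["scripts"].append(m.group(2))
            continue
        m = FATAL_RE.match(line)
        if m:
            summary["progress"] = int(m.group(1))
            summary["failed_script"] = m.group(2)
    return summary


def extract_script_output(update_status, script):
    """Return the OUT: lines a given script wrote to update.status.

    The block starts at the 'Starting script: <script>' marker and ends at the
    next 'Starting script:' marker (or end of file). Blank lines and the
    asterisk separators are dropped so only the message text is returned.
    """
    lines = []
    in_block = False
    for raw in update_status.splitlines():
        if not raw.startswith("OUT:"):
            continue
        body = raw[len("OUT:"):].strip()
        if "Starting script:" in body:
            in_block = body.endswith(script)
            continue
        if in_block and body and not body.startswith("*"):
            lines.append(body)
    return lines


def diagnose_upgrade(status_log, update_status):
    """Combine both logs: which pre-check failed and what it reported."""
    summary = parse_status_log(status_log)
    script = summary["failed_script"]
    if script is None:
        return {"failed_script": None, "output": [], "progress": summary["progress"]}
    return {
        "failed_script": script,
        "output": extract_script_output(update_status, script),
        "progress": summary["progress"],
    }


if __name__ == "__main__":
    result = diagnose_upgrade(SAMPLE_STATUS_LOG, SAMPLE_UPDATE_STATUS)
    print("Failed at %d%%: %s" % (result["progress"], result["failed_script"]))
    for line in result["output"]:
        print("  " + line)
```

On a real device the two files are the ones the posts name (/ngfw/var/log/sf/Cisco_FTD_Patch-6.2.3.1/status.log and /var/log/update.status); read them into the two arguments of diagnose_upgrade. The parser is deliberately strict about the "ui:[NN%]" prefix so that unrelated lines in status.log are ignored rather than misreported as a failure.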
06-12-2018 06:21 AM
Patch 6.2.3.2 has been released. This resolved above issues.
Stijn