Variable Set Failed Validation

Hello,

Last Friday I took the time to upgrade our FMC to 6.0 from 5.4.1.5.  The SFRs are all still running 5.4.1.5 code.  After the upgrade I found the policies had to be reapplied to each of the devices under the "Deploy" button at the top now (this took me a while to figure out).  When I tried to apply the policies as they were in 5.4.1.5, I got warnings for each of my rule sets that said "Variable Set Failed Validation".  On a 5506 we have in a test environment I was able to push past the warnings and apply the policies anyway.  This resulted in all the policies being removed completely.  For the production devices (5525, 5545, 5515) I'm not able to push past the warning - FMC wants the issues resolved before it will allow you to reapply the policies.

Any ideas on where to look or what may be causing this?  We aren't using any custom variables.  Filtered screenshot attached from FMC and two of the rules in one policy for one device. 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Just to update this, I've now seen this in 6.0.0.1 as well when trying to apply policies.


cabell911
Level 1

Seems to be a known issue going from 6.0.0.1 to 6.0.1. I encountered the same error and found the following solution from another board just before calling TAC.

"PSA: don't upgrade to 6.0.1 if you're using custom object groups in your variables. You'll wind up with an error "variable set validation failed" in the policy view, and if you try to edit a variable with a custom object group you'll get "Can't use an undefined value as an ARRAY reference at /usr/local/sf/lib/perl/5.10.1/SF/EODataHandler/VariableSet.pm line 1276....".

The only workaround at this point is to use plain objects in the variables, or make faux object groups by creating a new variable and adding the objects to it, then referencing the faux variable in other variables (confused yet?).

Cisco's filing a bug on this one."

That's good info, thanks cabell911.  I was within 24-48 hours of moving from the bug-riddled 6.0.0.1 to 6.0.1.  Maybe I'll wait for a patch to hit 6.0.1.


Actually, how do you NOT have custom variable sets if you are using the IPS capabilities?  You have to define a "HOME" and "EXTERNAL" net don't you?  They are listed under customized variables.  Are you talking about possibly other customized sets?


I'm under the assumption that if the IPS policy is applied with a source zone at a minimum that it would be fine. I could be wrong. 

J

Came across this while looking to see if that bug was fixed - that's me you quoted from reddit :)

Here's the official bug ID from Cisco; no resolution as of yet.  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz03275
