02-01-2018 01:21 AM - edited 02-21-2020 07:15 AM
Hello!
I have an ASA5506X with FirePower: ASA version 9.8.2.15, ASDM version 7.8.2.151, FirePower version 6.2.2.1 (Build 73). The Default system policy does exist, but I can't change it (please see attached screenshots). I get the "Invalid object type" error. I tried another client OS and another ASDM version, and still have no luck. I believe this error is not tied to the client management software. It must be something under the hood, maybe in the MySQL database or elsewhere. Unfortunately, opening a TAC case is not an option this time.
Does anybody have an idea what causes this error?
P.S. previously asked there: https://supportforums.cisco.com/t5/network-management/asa-5506-x-firepower-can-t-change-system-policy/m-p/3322440
02-01-2018 06:10 PM
You show screenshots from both ASDM and FMC. A given Firepower module can only be managed by one or the other - never both at the same time. Which are you using?
On whichever one you are using, have you licensed the module with the Control license?
02-01-2018 09:49 PM
02-02-2018 12:21 AM
Ah OK - I had forgotten how similar some of the screens are when you strip away some of the ASDM frame.
It should be configurable in that case.
Since the editing window says your system policy is out of date, have you tried deploying whatever is pending first and then editing?
02-02-2018 02:12 AM
We are not the machines, Marvin, so absolutely no problem with that.
About your question: yes, I have tried to deploy changes.
Actually, there are no changes to be deployed as far as I remember and, more interesting and important, according to FirePower. In spite of the green checkboxes (see the screenshot), I did press the "Deploy" button. Nothing unusual happened then: the deploy task was created and finished successfully. Nothing unusual in the syslog messages. After that I still can't change the default system policy. I have also tried to manually fill the default policy fields, name and description, with the default values. After pressing the "Save Policy and Exit" button I got the "Duplicate policy name" error. I tried to save the policy with a custom name, still no luck. I rebooted the Firepower box, rebooted the ASA - nothing changed.
02-02-2018 03:55 AM
OK, it certainly appears you are doing everything correctly.
It is looking more and more like a bug in the system behavior. There isn't anything about that in the published release notes, but that isn't always conclusive.
02-02-2018 04:28 AM
Yeah... Anyway, I really appreciate your support! I understand that in such a situation opening a TAC case, instead of asking at a public forum, would be preferred and maybe the only right step.
02-02-2018 05:01 AM
We're happy to help here, though it's a strictly volunteer setup.
Lots of times common (or even uncommon) problems are things that those of us who work with this sort of thing regularly have seen many times before.
02-02-2018 05:44 AM
All right, thanks ) By the way, I'm not the only person who has faced a similar problem. Anyway, I will try to fix the problem by myself with the help of the Internet. I still have some time before starting the reimaging.
Have a nice evening!
03-20-2018 08:28 AM
I have the same issue after upgrading from 6.2.0.2 to 6.2.2-81. It persists through 6.2.2.2 ASA5555-X
Managing via ASDM, similar symptoms excluding the 'duplicate policy' message.
For me it appears to have reset the System Policy and lost SNMP settings. NTP and Access List are still working but show up blank in the Policy. Attempting to save the entries results in the 'Error Invalid Object type'
I have a case opened with TAC.
URL Filtering lookups to the cloud also broke in the upgrade, but I'll detail that in a separate post once I get some answers.
Regards
03-20-2018 11:58 PM
Thanks for your input! It would be great if you would post the answer or solution given by TAC.
03-24-2018 02:34 AM - edited 03-25-2018 10:22 PM
A couple of days ago I tried to fix the problem by manipulating the MySQL database. Still no success. Finally, I decided to reinstall the module. I installed 6.2.2-81, then updated it to 6.2.2.2-109, and the error is gone. So, in my opinion, it seems that the error is tied to the upgrade process, not to 6.2.2 as such. Anyway, it's very interesting what TAC did/will say to John.
03-25-2018 11:47 AM
TAC did respond to say that the current 'solution' was to re-image the SFR.
He has sent the TS file and backup to engineering to see if they can provide a method to fix it without having to re-image.
As of Friday the current response was they have filed a defect for System Policy issue and escalated to engineering.
sharlino - following the re-image were you able to restore a backup or did you have to re-create your Firepower configuration from scratch?
Thanks,
John
03-25-2018 10:20 PM
Hello John! Unfortunately I have a backup for 6.2.2.1, which is not qualified for 6.2.2.2. So, my only way is to recreate all the policies.
03-30-2018 09:05 AM
Hi, I have the same issue. Did TAC answer anything about a solution without re-imaging?