
ASA 5506-X, FirePower, can't change system policy

sharlino
Level 1

Hello!
I have an ASA5506X with FirePower: ASA version 9.8.2.15, ASDM version 7.8.2.151, FirePower version 6.2.2.1 (Build 73). The Default system policy does exist, but I can't change it (please see attached screenshots). I get the "Invalid object type" error. I tried another client OS and another ASDM version, still with no luck. I believe this error is not tied to the client management software. It must be something under the hood, maybe in the MySQL database or elsewhere. Unfortunately, opening a TAC case is not an option this time.
Does anybody have an idea what causes this error?

P.S. previously asked there: https://supportforums.cisco.com/t5/network-management/asa-5506-x-firepower-can-t-change-system-policy/m-p/3322440

22 Replies

Hi! I don't have a service contract for that ASA, so I can't open a case. Maybe John (see posts above) has some updated information.

I have asked TAC for an update.

There is now a Bug associated with the issue:



Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2

CSCvi63474

Description

Symptom:

Opening the System Policy UI in ASDM (Configuration -> ASA FirePOWER Config -> Local -> System Policy) results in a "ERROR - Invalid object type" warning and an empty system policy

Conditions:

upgrade from 6.2.0.x to 6.2.2

Workaround:

None


Thank you for sharing the bug number.  I have set up notifications to see when they have more info.

An additional note from TAC regarding the re-image/restore process:

"As for the re-image and restore. You are correct. A backup will not work in this instance as it would pull the bad object with it. I did test this in the lab. Since a backup would not work here, I tested another option of exporting policies and importing them into a re-imaged ASA configuration. I was able to import all policies back into the re-imaged SFR module without the object error."

 

I'm now in the process of planning the re-image procedure, which is challenging since my unit is in a Security Management zone at a remote DC without access to an internal FTP or HTTP server to host the package.

I wish you luck!

Hi All,

I have the same issue, but I'm on 6.2.3, upgraded from 6.2.2.2-81. However, my URL filtering is broken too. Everything is seen, but just as 'uncategorized', although Firepower can reach and resolve to BrightCloud correctly.

Jon, you say 'URL Filtering lookups to the cloud also broke in the upgrade, but I'll detail that in a separate post once I get some answers.' Could you shed some light please?

Thanks,

H

hht,

Turns out the URL filtering is a separate bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi45989/?rfs=iqvred

It is not related to upgrading; I was going through the re-image process on my lab 5506-X and the URL issue occurs when managing it from ASDM.

The workaround is to toggle "Lookup Uncategorized domains" off/on under Configuration > Integration > Cisco CSI.

You will need to do this every time the module or ASA is rebooted.

I opened a case and there is no ETA on a fix. If Firepower is managed by an FMC and not ASDM, the issue doesn't occur.

John

Excellent, John, see attached for outcome ;)
