FTD HA managed via FMC

shaikh.zaid22
Level 1

Hi, I am managing a pair of FTD 2110s via FMC. Yesterday we had electrical preventive maintenance on our premises. After that, the devices came up fine; however, I am seeing these errors while deploying new config as well as under device management. I have attached them below.


shaikh.zaid22
Level 1

I see the standby FTD shows: "pseudo-Standby"

SSH into your active FTD and run the command

> show high-availability config

and look at the monitored interfaces on both units of the pair. If one or more are not monitored there but are monitored on the active, go to FMC Devices high-availability and check that the active-standby interfaces are in monitor mode.

Also jump on your switch and check if the port-channel is up. If some of the ports in the port-channel are down, you need to work out which port is down (it could likely be due to the standby pair).

I noted your secondary is disabled; that seems to be a bug. The bug numbers are CSCvd40915 and CSCuz79013.

please do not forget to rate.

Hi Sheraz,

I have fixed the HA issue. However, while deploying new config or changes on the firewall I am getting an error of "Deploy failed due to config error. If issue persists please contact Cisco TAC".

Now what shall I do? Please guide.

What version of FMC are you on?

It's too early to say what issue is triggering the deployment failure.

Log in to the FMC CLI, elevate to root mode and check the pigtail logs.

FTD/FMC has a troubleshooting tool called "pigtail deploy" (in Linux mode) that shows all deployment-related debug logs in one session. I recommend redirecting the console output to a text file since there is a lot of output. Then you need to find the keyword "ERROR:" to spot what FMC is complaining about.

 

[How to use "pigtail deploy"]

 

--FMC

admin@firepower:~$ sudo su -
Password:
root@firepower:~# pigtail deploy

 

Let it run until the deployment fails and then check the logs (they would be huge), which would provide a better understanding of the failure.

 

please do not forget to rate.

Thanks Sheraz,

FMC version is 6.4.7.

I will do that and let you know here.

I also had a word with tech support, with a contractor, and he suggested restarting the FMC.

Sure, let us know how it goes. Happy to help.

please do not forget to rate.

How do I stop the pigtail deploy? Please help me with the command as well before I start.

Hi, I have attached the pigtail output; please look into it. I will be waiting for your inputs.

Thanks, and much appreciated.

Shaikh, could you please confirm the HA is in good health?

As I noted an error:

[ERROR],(FTDDeploymentStatusUtility.java:628),DeploymentConstants.CD_INCOMPLETE_LINA_APPLY is Lina Config application was incomplete as unit is transitioning to standby,com.cisco.nm.vms.ccm.FTDDeploymentStatusUtility,  pool-6-thread-1

 

Can you log into the problematic

--FTD

admin@firepower:~$ sudo su -
Password:
root@firepower:~# pigtail deploy

 

 

Also, could you log into the problematic --FTD

 >expert

sudo sfconsole

 

FTD> en

password:

!

show failover | i host

 

 

please do not forget to rate.

Hi Sheraz,

I have taken the pigtail output, attached herewith. Also, I opened a case with TAC; they did the same thing and said they will come back after analyzing the output.

That's great to hear you also opened a TAC case with Cisco. Could you confirm whether you are having issues deploying the policy to the active FTD or the passive FTD?

Looking into your logs I noted a few:

MSGS: 02-22 13:02:01 firepower SF-IMS[6750]: [6842] ADI:adi.SubscriberChannel [ERROR] Timeout while receiving response

NGFW: 02-22 13:07:50 ccm[16450] Thread-20: ERROR com.cisco.ngfw.configdispatcher.actions.ClusterAppConfigApplyActions- app sync failure  with error code device_failure_configuration

NGFW: 02-22 13:07:50  Cluster App Un Archive failure on Standby/Slave Unit Node Id: 1

NGFW: 02-22 13:07:50  Need to do App/Sensor Configuration Rollback

NGFW: 02-22 13:07:50  App/Sensor config apply fails on following slave nodes:[1]

NGFW: 02-22 13:07:50 ccm[16450] Thread-20: INFO 

 

 

Let's see what TAC advises you, as they have a more experienced team. I think it is worth you trying to reboot the standby FTD and trying to push the policy again.

please do not forget to rate.
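
The "find ERROR in the saved pigtail output" step discussed in this thread, as an added example that is not part of any post and not Cisco tooling: it pulls ERROR-level lines from a saved capture and attaches the untagged failure lines logged at the same timestamp. The line format is an assumption inferred from the lines quoted above, and the names `triage` and `per_stream` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample capture: the log lines quoted in this thread, embedded so
# the script runs offline. A real capture would be read from the saved file.
SAMPLE = """\
[ERROR],(FTDDeploymentStatusUtility.java:628),DeploymentConstants.CD_INCOMPLETE_LINA_APPLY is Lina Config application was incomplete as unit is transitioning to standby,com.cisco.nm.vms.ccm.FTDDeploymentStatusUtility,  pool-6-thread-1
MSGS: 02-22 13:02:01 firepower SF-IMS[6750]: [6842] ADI:adi.SubscriberChannel [ERROR] Timeout while receiving response
NGFW: 02-22 13:07:50 ccm[16450] Thread-20: ERROR com.cisco.ngfw.configdispatcher.actions.ClusterAppConfigApplyActions- app sync failure  with error code device_failure_configuration
NGFW: 02-22 13:07:50  Cluster App Un Archive failure on Standby/Slave Unit Node Id: 1
NGFW: 02-22 13:07:50  Need to do App/Sensor Configuration Rollback
NGFW: 02-22 13:07:50  App/Sensor config apply fails on following slave nodes:[1]
NGFW: 02-22 13:07:50 ccm[16450] Thread-20: INFO
"""

# Assumed line shape, inferred only from the samples above:
# "<STREAM>: MM-DD HH:MM:SS <message>"
PREFIX = re.compile(r"^(?P<stream>[A-Z]+): (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d) (?P<msg>.*)$")
# ERROR as a level token ("[ERROR]", " ERROR "), not part of a longer word
LEVEL = re.compile(r"(?<![A-Za-z_])ERROR(?![A-Za-z_])")
# Lines without a level tag that still describe a failure
FAILURE = re.compile(r"\b(fail(s|ed|ure)?|rollback|timeout)\b", re.I)

def triage(text):
    """Split a capture into ERROR-level records and the failure lines
    logged at the same timestamp as an ERROR (the context around it)."""
    errors, others = [], []
    for line in text.splitlines():
        m = PREFIX.match(line)
        # Lines without the stream/timestamp prefix are kept as UNTAGGED
        rec = (m["stream"], m["ts"], m["msg"].strip()) if m else ("UNTAGGED", "", line.strip())
        (errors if LEVEL.search(rec[2]) else others).append(rec)
    error_times = {ts for _, ts, _ in errors if ts}
    related = [r for r in others if r[1] in error_times and FAILURE.search(r[2])]
    return errors, related

def per_stream(errors):
    """Count ERROR records per log stream (MSGS, NGFW, ...)."""
    return Counter(stream for stream, _, _ in errors)

if __name__ == "__main__":
    errs, ctx = triage(SAMPLE)
    print(dict(per_stream(errs)))
    for stream, ts, msg in errs + ctx:
        print(f"{ts or '-':<15} {stream:<9} {msg[:100]}")
```

Grouping by timestamp matters here because the standby-node failure and rollback lines quoted in the thread carry no ERROR tag and would be missed by a plain keyword search.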

I am deploying the config via the FMC. The FTDs are showing as Active/Standby Ready.

Since yesterday Cisco has taken the logs and pigtail output, and I think they are trying to replicate the scenario internally. They have asked for some time to provide feedback.

I will update here on the further course of action.

Thanks Sheraz for your great help and insights. I learned something new from you about troubleshooting the FTDs and FMC.