Hi sheraz,

I had fixed the HA issue. However, while deploying new config or changes on the firewall am getting an error of "Deploy failed due to config error. If issue persists please contact Cisco TAC".

Now what shall i do? please guide

what version of FMC you on?

Its too early to say anything what issue trigger to failing the deployment.

Login to FMC CLI and elevate to root mode and check the pigtail logs.

FTD/FMC has a troubleshooting tool called "pigtail deploy" (in linux mode) to show all deployment related debug logs in one session. I recommend to redirect a console output to a text file since they have a lot of outputs. Then, you need to find key word "ERROR:" to spot what FMC  is complaining about.

[How to use "pigtail deploy"]

--FMC

admin@firepower:~$ sudo su -
Password:
root@firepower:~# pigtail deploy

Let it run until deployment fails and then check the logs (they would be huge) which would provide better understanding of the failure.

Thanks sheraz,

FMC ver is 6.4.7

i will do that and let u know here. 

i also had a word with tech support with a contractor and he suggested to restart the fmc

sure let us know how it goes happy to help

How to stop the pigtail deploy plz help me with the command as well before i start.

Hi, I have attached the pigtail output please look into it, i will be waiting for your inputs.

Thanks and Appreciate

Shaikh could you please confirm the HA is in good health?

as i noted a error

[ERROR],(FTDDeploymentStatusUtility.java:628),DeploymentConstants.CD_INCOMPLETE_LINA_APPLY is Lina Config application was incomplete as unit is transitioning to standby,com.cisco.nm.vms.ccm.FTDDeploymentStatusUtility,  pool-6-thread-1

can you log into problemetic

--FTD

admin@firepower:~$ sudo su -
Password:
root@firepower:~# pigtail deploy

also could you log into problmetic --FTD

 >expert

sudo sfconsole

FTD> en

password:

!

show filover | i host

hi sheraz, 

i have taken the pigtail output attached herewith. Also i opened case with TAC, they did the same thing and said will come back after analyzing the output. 

that great to hear you also open a TAC case with cisco. could you confirm you having issues deploying the policy to active FTD or passive FTD?

looking into your logs I noted few

MSGS: 02-22 13:02:01 firepower SF-IMS[6750]: [6842] ADI:adi.SubscriberChannel [ERROR] Timeout while receiving response

NGFW: 02-22 13:07:50 ccm[16450] Thread-20: ERROR com.cisco.ngfw.configdispatcher.actions.ClusterAppConfigApplyActions- app sync failure  with error code device_failure_configuration

NGFW: 02-22 13:07:50  Cluster App Un Archive failure on Standby/Slave Unit Node Id: 1

NGFW: 02-22 13:07:50  Need to do App/Sensor Configuration Rollback

NGFW: 02-22 13:07:50  App/Sensor config apply fails on following slave nodes:[1]

NGFW: 02-22 13:07:50 ccm[16450] Thread-20: INFO 

let see what TAC advise you as they have more experiance team. I think we you trying to reboot the standby FTD and try to push the policy again.

I am deploying the config via the FMC. The FTDs are showing as Active/Standby Ready. 

Since yesterday cisco had taken the logs and pigtail output and i think they are trying to replicate the scenario internally. They had asked for sometime to provide feedback.

I will update here further course of action.

Thanks sheraz for your great help and insights.  l learned something new from you about tshooting the FTDs and FMC