Any of the following symptoms may be observed:
1) The following message is seen repeatedly in the Firepower Management Center (FMC) Notifications list: "The Primary Detection Engine process terminated unexpectedly 1 time(s)."
2) Failover events with the reason "Detect Inspection engine failure due to snort failure".
3) In routed or transparent mode (without inline sets), inspection is interrupted if the snort-down open option is configured (traffic passes uninspected while Snort is down), or service is interrupted if the snort-down closed option is configured (traffic is dropped while Snort is down).
4) Policy deployment failures because Snort is down on the managed device.
Conditions: the FMC was recently upgraded to 6.2.3.14 or 6.4.0.2, the managed devices run Firepower Threat Defense (FTD) code, and High Availability (failover) is enabled. The crash can be triggered after a failover event, after a policy deployment, or during connection replication between HA peers.
Workarounds:
1) Uninstall the 6.4.0.2 or 6.2.3.14 patch from the FMC.
2) Suspend or break HA.
3) If you are unable to deploy to the devices because of this issue, even after downgrading or patching the FMC, verify from the CLI of every FTD device that all DetectionEngine processes are running:
    pmtool status
Look for entries of the following form:
    37fc3d92-913e-11e9-98c4-cae8e4484e13-d02 (de,snort) - Down
Here d02 is the detection engine instance; depending on the device model and settings there may be several such instances. Every entry of type (de,snort) must be in the "Running" state. If any of them is Down, run the following command to attempt to bring them back up:
    pmtool enablebytype DetectionEngine
Afterwards all instances should look similar to this:
    37fc3d92-913e-11e9-98c4-cae8e4484e13-d02 (de,snort) - Running 17433
Deployment attempts should now succeed unless one of the detection engines goes down again, in which case simply run the enablebytype command again.
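As an added example, not part of the Cisco bug report, the following bash script automates the step-3 check from the FTD expert-mode shell: it parses pmtool status output for (de,snort) entries, lists any instance that is not in the Running state, and issues pmtool enablebytype DetectionEngine only when something is actually down. The sample status text and the PMTOOL override variable are constructed for illustration; only the (de,snort) line format follows the bug report.

```shell
#!/bin/bash
# Added example (not from the Cisco bug report): find Snort detection-engine
# (de,snort) instances that are not Running in `pmtool status` output and
# re-enable them with `pmtool enablebytype DetectionEngine`.
# Intended for the FTD expert-mode shell. The status text below is constructed
# sample data; only the (de,snort) line format follows the bug report.

SAMPLE_STATUS='37fc3d92-913e-11e9-98c4-cae8e4484e13-d01 (de,snort) - Running 17401
37fc3d92-913e-11e9-98c4-cae8e4484e13-d02 (de,snort) - Down
37fc3d92-913e-11e9-98c4-cae8e4484e13-d03 (de,snort) - Running 17433
ExampleProcess (normal) - Running 4321'

HEALTHY_STATUS='37fc3d92-913e-11e9-98c4-cae8e4484e13-d01 (de,snort) - Running 17401
37fc3d92-913e-11e9-98c4-cae8e4484e13-d02 (de,snort) - Running 17433'

# Read pmtool status output on stdin; print the instance name of every
# (de,snort) entry whose state is anything other than Running.
down_snort_engines() {
    awk 'index($0, "(de,snort)") && $0 !~ / - Running/ { print $1 }'
}

# Count non-Running (de,snort) entries in the status text passed as $1.
count_down_engines() {
    printf '%s\n' "$1" | down_snort_engines | grep -c . || true
}

# Check the live device and recover if needed. PMTOOL is a constructed
# override (for dry runs with a fake command); it defaults to the real binary.
# Returns 0 if all engines were already Running, 1 if a re-enable was issued.
check_and_recover() {
    local pm="${PMTOOL:-pmtool}"
    local down
    down="$("$pm" status | down_snort_engines)"
    if [ -z "$down" ]; then
        echo "all (de,snort) instances Running"
        return 0
    fi
    echo "detection engines not Running:"
    echo "$down"
    "$pm" enablebytype DetectionEngine
    echo "re-enable issued; re-run pmtool status, then retry the deployment"
    return 1
}

# Stand-alone demonstration against the constructed sample output.
# On a real FTD, run: check_and_recover
echo "down engines in sample output: $(count_down_engines "$SAMPLE_STATUS")"
printf '%s\n' "$SAMPLE_STATUS" | down_snort_engines
```

Because the crash can recur after a failover or deployment, run check_and_recover again immediately before each deployment attempt rather than once.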
The fix for this bug takes effect only after the FMC, with the hotfix installed, has completed a policy deployment to the managed devices. If policy deployments fail because Snort is down (caused by the same bug) after the hotfix has been installed on the FMC, there are two options: if the crashes are infrequent, follow workaround 3 (bring the detection engines back up with pmtool and redeploy); if the crashes are very frequent, break HA so that the deployment carrying the fix can be pushed to the managed devices.