BugZero | Cisco BugID CSCvv04441 - ngfw.rules mismatch between Primary and Secondary ...

Cisco - Defect ID: CSCvv04441

ngfw.rules mismatch between Primary and Secondary FTD HA when RA-VPN is configured before upgrade

Cisco - Defect ID: CSCvv04441

ngfw.rules mismatch between Primary and Secondary FTD HA when RA-VPN is configured before upgrade

Last updated on April 25th, 2024

BugZero Risk Score
8.0 High

Overall: 8.0

Severity: 8.2

Lifecycle: 9.1

Popularity: 6.9

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 1

Description

Symptom

One or more of the below symptoms can be observed: 1. ngfw.rules mismatch between active and standby after upgrade. 2. After upgrade, App sync may fail on the standby and it will go to disabled state.

Conditions

All of the below conditions have to be met to hit this issue: 1. Before an upgrade, configure RA VPN with multiple any-connect packages. Followed by multiple other policy deployment. 2. One node goes out of HA and joins back. OR one node is rebooted. 3. After the node join, HA is upgraded. Note that all these three conditions have to be met to hit this issue.

Workaround

After the upgrade, if ngfw rules are not matching, perform a deployment from FMC. That will bring the rules to be in sync. After the upgrade, if node is going to disabled state, then perform a deployment from FMC when only Active device is there. After the deployment is successful on the active node, in the SFR CLI of Disabled node, perform "configure high-availability resume".

Further Problem Description

Change history

2024-04-25 Added: 6.6.1, 6.6.5, 6.7.0

Top Cisco Defects

9.7Defect ID: CSCvw95683
Catalyst 1000 Switch may exhibit random Crash/Hang/Silent-Reload.
9.7Defect ID: CSCvz07394
2960X Stack may observe hang/freeze of member switches or complete stack.
9.7Defect ID: CSCwa82553
ISE 3.1 default route is on the incorrect interface if bonding is configured
9.7Defect ID: CSCwa47133
ISE Evaluation log4j CVE-2021-44228
9.7Defect ID: CSCwc94466
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvv04441

ngfw.rules mismatch between Primary and Secondary FTD HA when RA-VPN is configured before upgrade

Cisco - Defect ID: CSCvv04441

ngfw.rules mismatch between Primary and Secondary FTD HA when RA-VPN is configured before upgrade

Last updated on April 25th, 2024

BugZero Risk Score8.0 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
8.0 High