...
On an FTD device configured as a NetFlow exporter, rebooting the device renders it inoperable: it does not pass network traffic, and any HA/clustering functionality is suspended/disabled. In FDM deployments where you are using data interfaces for management, you cannot access the device that way. However, the device is still accessible via console or the device management IP address. In FMC deployments, the device is still communicating with the FMC.

The pmtool status command confirms that the device's traffic handling capability is down:

1. Access the Firepower CLI on the device. Log in as admin or another Firepower CLI user with configuration access. In FDM deployments where you are using data interfaces for management, you will probably need to use the console to log in. In that scenario, some devices default to the operating system CLI and require an extra step to access the Firepower CLI:
   Firepower 1000/2100 series: connect ftd
   Firepower 4100/9300 chassis: connect module slot_number console, then connect ftd (first login only)
2. At the Firepower CLI prompt, use the expert command to access the Linux shell.
3. Use the pmtool status command, entering your password when prompted:
   sudo pmtool status | grep " - Down"
   If you are affected, you will see output similar to the following:
   ngfwManager (normal) - Down
   ASAConfig (normal) - Down
   ftw_monitor (normal) - Down
   (de,snort) - Down
   (de,snort) - Down
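As an added example (not part of the Cisco advisory), a small POSIX shell script that applies the check above to saved pmtool status output: it lists the Down processes and reports whether the full failure signature (ngfwManager, ASAConfig, ftw_monitor and snort all Down) is present. The sample status text embedded in it is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the Cisco advisory: triage "pmtool status" output
# for the failure signature described in the advisory. The helper functions
# read the status text on stdin, so on a device you could source this file and
# run:  sudo pmtool status | matches_advisory && echo affected
# SAMPLE_STATUS is constructed to mirror the output quoted in the advisory.

SAMPLE_STATUS='ngfwManager (normal) - Down
ASAConfig (normal) - Down
ftw_monitor (normal) - Down
(de,snort) - Down
(de,snort) - Down'

# Print the name of every process reported as Down, one per line.
# pmtool lines look like "<name> (<mode>) - Down"; everything from the first
# space onward is dropped, leaving the process token (e.g. "(de,snort)").
down_processes() {
    grep -- ' - Down' | sed 's/ .*//'
}

# Count the Down entries; prints 0 (and still succeeds) for a healthy device.
down_count() {
    grep -c -- ' - Down' || true
}

# Succeed (exit 0) only when all four components named in the advisory
# (ngfwManager, ASAConfig, ftw_monitor, snort) are Down at once. A single
# Down process is not this issue and should be investigated separately.
matches_advisory() {
    names=$(down_processes)
    for component in ngfwManager ASAConfig ftw_monitor snort; do
        printf '%s\n' "$names" | grep -q -- "$component" || return 1
    done
    return 0
}

# Stand-alone demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" | matches_advisory; then
    count=$(printf '%s\n' "$SAMPLE_STATUS" | down_count)
    echo "CSCvv69991 signature present ($count processes Down); contact Cisco TAC."
else
    echo "CSCvv69991 signature not present."
fi
```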
Reboot a Version 6.6.1-90 FTD device for any reason while the device is configured as a NetFlow exporter. This includes the Version 6.6.1-90 post-upgrade reboot.

This issue affects:
- FTD devices upgrading to Version 6.6.1-90, where you have already configured the device for NetFlow.
- FTD devices running Version 6.6.1-90, where you plan to configure the device for NetFlow.

Note: You must use FlexConfig to configure this feature: flow-export destination.
Workaround options:

1. Already experiencing failure: If you are already experiencing this issue, contact Cisco TAC.
2. Running Version 6.2.3 through Version 6.6.0: If you have not yet upgraded to Version 6.6.1, use Version 6.6.1-91. If you already downloaded Version 6.6.1-90, do not use it.
3. Running Version 6.6.1-90 on an FTD device: If you already successfully upgraded FTD to Version 6.6.1-90, do not configure NetFlow until you apply Hotfix A.
   Note: If you never configure your device for NetFlow, you will not experience this issue. However, we recommend you apply the hotfix as a precautionary measure.
4. Running Version 6.6.1-90 on any other platform: It is safe to continue running Version 6.6.1-90 on all FMCs, ASA FirePOWER modules, and NGIPSv.
Software Advisory: Inoperable FTD Device/NetFlow Exporter after Reboot (CSCvv69991): https://www.cisco.com/c/en/us/td/docs/security/firepower/SA/SW_Advisory_FTD_NetFlow_CSCvv69991.html