Symptom
If a custom SSLCipher is set via the FDM REST API on an FTD, upgrades to 6.6.0 and 6.6.1 fail on object validation in 800_post/100_ftd_onbox_data_import.sh.
Conditions
A custom SSLCipher is set via the FDM REST API
The configured ciphers require a strong encryption license
Workaround
Revert the SSLCipher changes, then try the upgrade again
Further Problem Description
The following errors can be found in /ngfw/var/log/sf/Cisco_FTD_Upgrade-6.6.1/800_post/100_ftd_onbox_data_import.sh.log:
[2020-11-04 17:03:39.067]2020-11-04 15:23:17 main: ERROR IdEntityImportValidationHandler:233 - Got non-licensing validation failure (SSLCipher): VAL.SSLCipherProtocolMissingAlgorithms-Selected protocol versions TLSV1_2,DTLSV1 should have at least one supported algorithm assigned.
[2020-11-04 17:03:39.067]2020-11-04 15:23:17 main: ERROR IdEntityImportValidationHandler:233 - Got non-licensing validation failure (SSLCipher): VAL.SSLCipherUnsupportedAlgorithms-Configured cipher algorithms ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,DHE-RSA-AES256-SHA,ECDHE-
[...]
[2020-11-04 17:03:39.070]2020-11-04 15:23:43 main: INFO UpgradeSqliteToNeo4jImporter:187 - Validation failed for IdEntity SSLCipher(369)/acb81476-1ce7-11eb-8a2d-5ddf6a2ff8d7 (DEPLOYED)
[2020-11-04 17:03:39.070]Entity imported: SSLCipher(369)/acb81476-1ce7-11eb-8a2d-5ddf6a2ff8d7 (DEPLOYED), validation failure: Selected protocol versions TLSV1_2,DTLSV1 should have at least one supported algorithm assigned.
[2020-11-04 17:03:39.070]Entity imported: SSLCipher(369)/acb81476-1ce7-11eb-8a2d-5ddf6a2ff8d7 (DEPLOYED), validation failure: Configured cipher algorithms ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,DHE-RSA-AES256-SHA,ECDHE-RSA-AES256-GCM-SHA384,AES256-SHA,DHE-RSA-AES128-SHA,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,DHE-RSA-AES256-SHA256 are either not supported in this version of FTD or not a valid algorithm for the selected protocol versions.
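
To confirm from a saved copy of this log that the import stopped on SSLCipher validation, the following added example (not Cisco code and not part of the original bug record) extracts the validation codes, protocol versions, cipher names and failed entity from the log text. The function name triage, the shortened sample log constructed from the lines quoted above, and the OtherEntity line are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the log lines quoted in this advisory
# (cipher lists shortened; the second line is cut off mid-name on purpose).
SAMPLE_LOG = """\
[2020-11-04 17:03:39.067]2020-11-04 15:23:17 main: ERROR IdEntityImportValidationHandler:233 - Got non-licensing validation failure (SSLCipher): VAL.SSLCipherProtocolMissingAlgorithms-Selected protocol versions TLSV1_2,DTLSV1 should have at least one supported algorithm assigned.
[2020-11-04 17:03:39.067]2020-11-04 15:23:17 main: ERROR IdEntityImportValidationHandler:233 - Got non-licensing validation failure (SSLCipher): VAL.SSLCipherUnsupportedAlgorithms-Configured cipher algorithms ECDHE-ECDSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA,ECDHE-
[2020-11-04 17:03:39.070]2020-11-04 15:23:43 main: INFO UpgradeSqliteToNeo4jImporter:187 - Validation failed for IdEntity SSLCipher(369)/acb81476-1ce7-11eb-8a2d-5ddf6a2ff8d7 (DEPLOYED)
[2020-11-04 17:03:39.070]Entity imported: SSLCipher(369)/acb81476-1ce7-11eb-8a2d-5ddf6a2ff8d7 (DEPLOYED), validation failure: Configured cipher algorithms ECDHE-ECDSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA,AES256-SHA are either not supported in this version of FTD or not a valid algorithm for the selected protocol versions.
[2020-11-04 17:03:39.071]2020-11-04 15:23:44 main: ERROR IdEntityImportValidationHandler:233 - Got non-licensing validation failure (OtherEntity): VAL.ExampleCode-constructed line for a different entity type.
"""

FAILURE = re.compile(r"non-licensing validation failure \((\w+)\): (VAL\.\w+)-")
ENTITY = re.compile(r"Validation failed for IdEntity (\w+)\((\d+)\)/([0-9a-f-]{36}) \((\w+)\)")
PROTOCOLS = re.compile(r"Selected protocol versions ([A-Za-z0-9_,]+)")
CIPHERS = re.compile(r"Configured cipher algorithms ([A-Z0-9,-]+)")


def triage(log_text, entity_type="SSLCipher"):
    """Summarise import validation failures logged for one entity type."""
    codes, protocols, ciphers, entities = set(), set(), set(), set()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m and m.group(1) == entity_type:
            codes.add(m.group(2))
        m = ENTITY.search(line)
        if m and m.group(1) == entity_type:
            entities.add((m.group(3), m.group(4)))  # (UUID, state)
        if entity_type not in line:
            continue  # protocol/cipher details belong to another entity
        m = PROTOCOLS.search(line)
        if m:
            protocols.update(m.group(1).split(","))
        m = CIPHERS.search(line)
        if m:
            # A name ending in "-" was cut off by log truncation; drop it.
            ciphers.update(c for c in m.group(1).split(",") if c and not c.endswith("-"))
    return {
        "import_failed": bool(codes or entities),
        "codes": sorted(codes),
        "protocols": sorted(protocols),
        "ciphers": sorted(ciphers),
        "entities": sorted(entities),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The cipher names it reports are the ones the validator rejected, which identifies the SSLCipher changes the workaround asks to revert.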