...
When the portmanager or lacp process unexpectedly terminates, the symptoms below are observed. In this case, the primary unit is initially active and the secondary unit is standby.

- On the FTD console (diagnostic CLI), either of these messages appears:

    ASA1/act/pri(config)# Mar 1 22:38:57 firepower-2120 port-manager: ERROR: lacp DIED !!!!!
    ASA1/act/pri(config)# Mar 1 22:51:21 firepower-2120 port-manager: ERROR: portmanager DIED !!!!!

  If logging is enabled, syslog message %ASA-2-199014 is generated as well:

    ASA1/act/pri(config)# Mar 1 22:56:35 firepower-2120 port-manager: ERROR: lacp DIED !!!!!
    %ASA-2-199014: port-manager: ERROR: lacp DIED !!!!!
    ASA1/act/pri(config)# Mar 1 22:59:21 firepower-2120 port-manager: ERROR: portmanager DIED !!!!!
    %ASA-2-199014: port-manager: ERROR: portmanager DIED !!!!!

- On the affected unit, all data interfaces and the Internal-Data0/1 interface transition to the DOWN state:

    firepower/act/pri# show int ip brief
    Interface            IP-Address       OK? Method Status  Protocol
    Internal-Data0/1     unassigned       YES unset  down    up
    Port-channel1        unassigned       YES unset  down    down
    Port-channel1.10     198.51.100.1     YES CONFIG down    down
    Port-channel1.20     198.51.100.129   YES CONFIG down    down
    Port-channel10       203.0.113.1      YES unset  down    down

- Both units of the high availability (HA) pair temporarily become active, i.e. a split-brain occurs:

    firepower# show failover state
                   State          Last Failure Reason      Date/Time
    This host  -   Primary
                   Active         Ifc Failure              22:39:23 UTC Mar 1 2022
    Other host -   Secondary
                   Failed         Comm Failure             22:54:47 UTC Mar 1 2022

    firepower# show failover state
                   State          Last Failure Reason      Date/Time
    This host  -   Secondary
                   Active         None
    Other host -   Primary
                   Failed         Comm Failure             22:54:47 UTC Mar 1 2022

- Despite the temporary split-brain, the primary unit does not receive or forward traffic as long as its portmanager process is not operational. The secondary unit is active and handles the traffic: the next-hop MAC addresses on the peer devices resolve via the interfaces connected to the secondary unit.
- When the portmanager process becomes operational again and the interfaces are in the UP state, the secondary unit detects the active role on the primary unit:

    ASA1/act/sec(config-subif)# Failover LAN became OK
    Switchover enabled
    State check detected an Active mate

- In the case of FTD, the secondary unit transitions to the App Sync state and its data interfaces transition to the DOWN state. The interfaces remain down until the unit transitions to the standby role. All traffic through the HA pair is impacted, because the next-hop MAC addresses on the peer devices still resolve via the interfaces connected to the secondary unit. The duration of the impact is directly proportional to the time required to transition to the standby role.

Key points:

1. If the portmanager or lacp process unexpectedly terminates, the affected unit transitions to, or retains, the active role unless the steps from the Workaround section are applied. This results in a temporary split-brain scenario.
2. Even though the secondary unit becomes active while the portmanager or lacp process is down on the primary unit, the secondary unit transitions back to the standby role once the process on the primary unit is restored.
3. During the transition to the standby role, the interfaces on the secondary unit go down and remain down until the transition is complete. All traffic through the HA pair is impacted, because the next-hop MAC addresses on the peer devices still resolve via the interfaces connected to the secondary unit.

Note: If the processes terminate on the primary unit while it is the standby unit, both units transition to the active role. When the processes recover and the primary unit becomes operationally ready, the secondary unit transitions to the standby role. Transit traffic may be affected.
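The two symptoms above can be confirmed from text alone: the `lacp DIED` / `portmanager DIED` message (console form or %ASA-2-199014 syslog form) and two units that both report themselves Active in `show failover state`. The script below is an added example, not part of this note or of any Cisco tooling; the syslog lines and `show failover state` outputs in it are constructed to mirror the ones quoted above, and the list of failover state names is the set I would expect in that output rather than anything this note documents.

```python
import re

# Constructed samples modelled on the messages and CLI output quoted in this note.
# They are not captures from a real device; the %ASA-5-111008 line is filler to
# show that unrelated syslogs are ignored.
SYSLOG_SAMPLE = """\
Mar 1 22:38:57 firepower-2120 port-manager: ERROR: lacp DIED !!!!!
%ASA-2-199014: port-manager: ERROR: lacp DIED !!!!!
%ASA-5-111008: User 'admin' executed the 'show failover state' command.
Mar 1 22:51:21 firepower-2120 port-manager: ERROR: portmanager DIED !!!!!
%ASA-2-199014: port-manager: ERROR: portmanager DIED !!!!!
"""

PRIMARY_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              22:39:23 UTC Mar 1 2022
Other host -   Secondary
               Failed         Comm Failure             22:54:47 UTC Mar 1 2022
"""

SECONDARY_FAILOVER = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Failed         Comm Failure             22:54:47 UTC Mar 1 2022
"""

# A healthy pair (constructed), for contrast: exactly one unit is Active.
HEALTHY_PAIR = [
    "This host  -   Primary\n               Active         None\n"
    "Other host -   Secondary\n               Standby Ready  None\n",
    "This host  -   Secondary\n               Standby Ready  None\n"
    "Other host -   Primary\n               Active         None\n",
]

# Matches both the console message and its %ASA-2-199014 syslog form.
DIED_RE = re.compile(
    r"(?:%ASA-2-(?P<msgid>199014): )?port-manager: ERROR: (?P<proc>lacp|portmanager) DIED"
)

# Assumed set of state names printed by 'show failover state'.
FAILOVER_STATES = (
    "Active|Standby Ready|Failed|Negotiation|Cold Standby|Sync Config|"
    "Sync File System|Bulk Sync|App Sync|Disabled|Not Detected"
)
FAILOVER_RE = re.compile(
    r"(?P<host>This|Other) host\s*-\s*(?P<unit>Primary|Secondary)\s+(?P<state>"
    + FAILOVER_STATES + r")"
)


def find_process_deaths(text):
    """Return one dict per 'lacp DIED' / 'portmanager DIED' line found in text."""
    events = []
    for line in text.splitlines():
        m = DIED_RE.search(line)
        if m:
            events.append({
                "process": m.group("proc"),
                "syslog": m.group("msgid") is not None,  # True for the %ASA-2-199014 form
                "line": line.strip(),
            })
    return events


def parse_failover_state(text):
    """Map 'This'/'Other' to (unit, state) from one unit's 'show failover state'."""
    flat = " ".join(text.split())  # collapse the column layout into one line
    return {m.group("host"): (m.group("unit"), m.group("state"))
            for m in FAILOVER_RE.finditer(flat)}


def detect_split_brain(outputs):
    """Given 'show failover state' from each unit, report whether >1 unit calls itself Active."""
    active_units = []
    for out in outputs:
        unit, state = parse_failover_state(out).get("This", (None, None))
        if state == "Active":
            active_units.append(unit)
    return len(active_units) > 1, active_units


def triage(syslog_text, failover_outputs):
    """Combine both checks into a single verdict: does this look like the scenario in the note?"""
    deaths = find_process_deaths(syslog_text)
    split, actives = detect_split_brain(failover_outputs)
    return {
        "processes_died": sorted({e["process"] for e in deaths}),
        "split_brain": split,
        "active_units": actives,
        "matches_this_note": bool(deaths) and split,
    }


if __name__ == "__main__":
    print(triage(SYSLOG_SAMPLE, [PRIMARY_FAILOVER, SECONDARY_FAILOVER]))
```

The split-brain check deliberately uses only each unit's own "This host" line: during the event each unit reports the other as Failed, so the "Other host" lines cannot be trusted and the two outputs must be collected from both consoles (or from the management session of each unit) and compared.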
All conditions must match:

- Firepower 1000/2100 Series running FTD.
- FTD in HA (ASA is also susceptible).
- The portmanager or lacp process unexpectedly terminates with no apparent reason. Refer to defect CSCwb06543.
To minimize the impact, configure active/standby IP addresses on the Management1/1 interface and ensure it is monitored. With the workaround applied, the interface (named diagnostic on FTD) shows an address on each unit and the Monitored flag on both:

FTD:

    firepower# show nameif | grep Management
    Management1/1            diagnostic             0
    firepower# show monitor-interface | grep host|diagnostic
    This host: Primary - Active
        Interface diagnostic (192.0.2.1): Normal (Monitored)      <===
    Other host: Secondary - Standby Ready
        Interface diagnostic (192.0.2.2): Normal (Monitored)      <===
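To verify the workaround across a fleet rather than by eye, the check below parses `show monitor-interface` output and flags a unit whose diagnostic interface is missing, has no address, or is not monitored, and a pair whose active and standby addresses are identical. This is an added example, not part of this note or of Cisco software; the two sample outputs are constructed (the "good" one mirrors the output above, the "bad" one assumes `0.0.0.0` and `Not-Monitored` as the strings printed for an unaddressed, unmonitored interface, which is an assumption, not something this note shows).

```python
import re

# Constructed samples modelled on the 'show monitor-interface' output in this note
# (not real captures). MONITOR_GOOD reflects the workaround applied on both units;
# MONITOR_BAD assumes the strings '0.0.0.0' and 'Not-Monitored' for an unaddressed,
# unmonitored interface (an assumption, not documented in the note).
MONITOR_GOOD = """\
This host: Primary - Active
    Interface diagnostic (192.0.2.1): Normal (Monitored)
    Interface inside (198.51.100.1): Normal (Monitored)
Other host: Secondary - Standby Ready
    Interface diagnostic (192.0.2.2): Normal (Monitored)
    Interface inside (198.51.100.2): Normal (Monitored)
"""

MONITOR_BAD = """\
This host: Primary - Active
    Interface diagnostic (192.0.2.1): Normal (Not-Monitored)
    Interface inside (198.51.100.1): Normal (Monitored)
Other host: Secondary - Standby Ready
    Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
    Interface inside (198.51.100.2): Normal (Monitored)
"""

HOST_RE = re.compile(
    r"^(?P<host>This|Other) host:\s+(?P<unit>Primary|Secondary)\s+-\s+(?P<state>.+)$"
)
IFACE_RE = re.compile(
    r"^\s*Interface (?P<name>\S+) \((?P<ip>[^)]*)\): (?P<status>[^(]+?)\s*\((?P<mon>[^)]+)\)"
)


def parse_monitor_interface(text):
    """Return {'This': {'unit', 'state', 'interfaces': {name: (ip, status, monitored)}}, 'Other': {...}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group("host")
            hosts[current] = {"unit": h.group("unit"),
                              "state": h.group("state").strip(),
                              "interfaces": {}}
            continue
        i = IFACE_RE.match(line)
        if i and current:
            hosts[current]["interfaces"][i.group("name")] = (
                i.group("ip"), i.group("status").strip(), i.group("mon") == "Monitored")
    return hosts


def check_diagnostic_monitoring(text, nameif="diagnostic"):
    """Return a list of findings; an empty list means the workaround is in place on both units."""
    findings = []
    hosts = parse_monitor_interface(text)
    ips = {}
    for host in ("This", "Other"):
        if host not in hosts:
            findings.append(f"{host} host: not present in output")
            continue
        unit = hosts[host]["unit"]
        entry = hosts[host]["interfaces"].get(nameif)
        if entry is None:
            findings.append(f"{unit}: interface {nameif} not listed")
            continue
        ip, status, monitored = entry
        if ip in ("", "0.0.0.0", "unassigned"):
            findings.append(f"{unit}: {nameif} has no IP address")
        else:
            ips[unit] = ip
        if not monitored:
            findings.append(f"{unit}: {nameif} is not monitored")
        if status != "Normal":
            findings.append(f"{unit}: {nameif} status is {status}")
    # Active/standby addressing requires a distinct address on each unit.
    if len(ips) == 2 and len(set(ips.values())) != 2:
        findings.append(f"{nameif}: active and standby addresses are identical")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", MONITOR_GOOD), ("bad", MONITOR_BAD)):
        print(label, check_diagnostic_monitoring(sample) or "OK")
```

The parser accepts the full `show monitor-interface` output, so the `| grep host|diagnostic` filter used above is not required when collecting the output for the check.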
The Internal-Data0/1 interface is the backplane interface used for sending and receiving packets between the internal switch and the application, such as ASA or FTD.