...
Policy deployment from a Firepower Management Center (FMC) to a Firepower Threat Defense (FTD) managed device may occasionally fail during the later stages of the deployment that occur on the FTD.

On the FMC UI, in the Transcript Details for the failed deployment job, the following messages will appear in order at the end of the "SNORT APPLY" section (timestamps removed in this example):

---
Starting Export for NGFWPolicy
Can't use an undefined value as a HASH reference
---

On the FTD on which the deployment failed, the following messages will appear in the /var/log/sf/policy_deployment.log file (timestamps and host name removed in this example; PID will be different for each deployment):

---
policy_apply.pl[]: INFO write zones.conf (NGFWPolicy::Device 151 <- Plugin 235 <- Framework 773)
policy_apply.pl[]: INFO write interface-groups.conf (NGFWPolicy::Device 154 <- Plugin 235 <- Framework 773)
policy_apply.pl[]: ERROR ERROR: Can't use an undefined value as a HASH reference (/ngfw/var/cisco/deploy/pkg/var/cisco/packages/exporter-6.7.0.3-105/code/SF/UMPD/Plugins/NGFWPolicy/Device.pm line 515) (Framework 1417<786 <- Transaction 1105 <- main 194)
policy_apply.pl[]: ERROR === begin stacktrace === (Framework 1420<786 <- Transaction 1105 <- main 194)
policy_apply.pl[]: ERROR Can't use an undefined value as a HASH reference at /ngfw/usr/lib64/perl/site_perl/5.24.4/Error.pm line 273. (Framework 1422<786 <- Transaction 1105 <- main 194)
policy_apply.pl[]: ERROR Error::subs::run_clauses({...}, "Can't use an undefined value as a HASH reference at /ngfw/var"..., undef, [...]) called at /ngfw/usr/lib64/perl/site_perl/5.24.4/Error.pm line 390
policy_apply.pl[]: ERROR Error::subs::try(CODE(0x556491781428), {...}) called at /ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Framework.pm line 798
policy_apply.pl[]: ERROR SF::UMPD::Framework::exportDeviceSnapshotToSandbox("/var/cisco/deploy/sandbox/policy_deployment.db", "/var/cisco/deploy/sandbox") called at /ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Transaction.pm line 1105
policy_apply.pl[]: ERROR SF::UMPD::Transaction::prepare("/var/cisco/deploy/sandbox") called at /ngfw/usr/local/sf/bin/policy_apply.pl line 194
policy_apply.pl[]: ERROR === end stacktrace === (Framework 1424<786 <- Transaction 1105 <- main 194)
---
Deployment from the FMC to multiple FTD managed devices at the same time. The use of a passive security zone on at least one of the managed devices in the deployment job.
For the device(s) to which deployment failed, attempt the deployment again from the FMC to just one device at a time.
When routinely performing simultaneous deployments to multiple FTDs -- such as a deployment to all devices immediately following rule update (SRU/LSP) imports -- the deployment failures may not (and commonly will not) occur on the same device(s) with every such deployment job, and it is expected that no single device will experience a deployment failure with every deployment job.
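Because the failing device changes from one deployment job to the next, it helps to check each device's policy_deployment.log for the signature quoted above before choosing which devices to redeploy one at a time. The following is an added example, not Cisco tooling: the device names, timestamps and PIDs in the sample are constructed, and it assumes the log text has already been collected from each FTD.

```python
import re

# Failure signature from the policy_deployment.log excerpt: a policy_apply.pl
# ERROR line with the Perl message raised from the NGFWPolicy Device.pm plugin.
# The line number is captured, not fixed, since it can differ between builds.
ERR = re.compile(
    r"policy_apply\.pl\[(?P<pid>\d*)\]:\s+ERROR\s+ERROR: "
    r"Can't use an undefined value as a HASH reference "
    r"\((?P<module>\S*/NGFWPolicy/Device\.pm) line (?P<line>\d+)\)"
)
WRITE = re.compile(r"policy_apply\.pl\[(?P<pid>\d*)\]:\s+INFO\s+write (?P<file>\S+)")


def find_failures(log_text):
    """Return one record per policy_apply.pl run (PID) that hit the signature."""
    last_write, hits = {}, []          # last_write: pid -> last file written
    for raw in log_text.splitlines():
        if m := WRITE.search(raw):
            last_write[m["pid"]] = m["file"]
        elif m := ERR.search(raw):
            hits.append({"pid": m["pid"], "module": m["module"],
                         "line": int(m["line"]),
                         "after_write": last_write.get(m["pid"])})
    return hits


def devices_to_redeploy(logs_by_device):
    """Devices whose log shows the failure; redeploy to these one at a time."""
    return {dev: f for dev, text in logs_by_device.items()
            if (f := find_failures(text))}


# Constructed sample logs: timestamps, host names and PIDs are made up; the
# message text and module path are the ones quoted in the log excerpt.
PKG = "/ngfw/var/cisco/deploy/pkg/var/cisco/packages/exporter-6.7.0.3-105/code"
SAMPLE = {
    "ftd-a": "\n".join([
        "Jan  1 00:00:01 ftd-a policy_apply.pl[4242]: INFO write zones.conf (NGFWPolicy::Device 151 <- Plugin 235 <- Framework 773)",
        "Jan  1 00:00:01 ftd-a policy_apply.pl[4242]: INFO write interface-groups.conf (NGFWPolicy::Device 154 <- Plugin 235 <- Framework 773)",
        "Jan  1 00:00:02 ftd-a policy_apply.pl[4242]: ERROR ERROR: Can't use an undefined value as a HASH reference "
        f"({PKG}/SF/UMPD/Plugins/NGFWPolicy/Device.pm line 515) (Framework 1417<786 <- Transaction 1105 <- main 194)",
        "Jan  1 00:00:02 ftd-a policy_apply.pl[4242]: ERROR Can't use an undefined value as a HASH reference at /ngfw/usr/lib64/perl/site_perl/5.24.4/Error.pm line 273.",
    ]),
    "ftd-b": "Jan  1 00:00:01 ftd-b policy_apply.pl[5151]: INFO write zones.conf (NGFWPolicy::Device 151 <- Plugin 235 <- Framework 773)",
}

if __name__ == "__main__":
    for dev, fails in devices_to_redeploy(SAMPLE).items():
        print(dev, fails)
```

The stack-trace line that repeats the message from Error.pm is deliberately not counted, so each failed deployment yields a single record.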