...
The following symptoms are observed on the Secure Firewall Threat Defense (FTD):

1. This error message is shown in the Deployments tab in the notification window:

   "Deployment failed. Correct configuration error(s) and redeploy. If deployment fails again, contact TAC"

2. The policy deployment log /ngfw/var/sf/policy_deployment.log contains lines similar to the following:

   $ grep -E "Timeout|Rollback" sf/policy_deployment.log
   policy_apply.pl[53769]: ERROR Timeout waiting for snort detection engines to process traffic: 10a17618-15d2-11ea-bc6f-e28c3a408562 at /ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Plugins/Snort/SnortNotifications.pm line 514. (Framework 1526<1279 <- Transaction 1770 <- main 214)
   policy_apply.pl[15351]: Rollback new configuration

3. The file /ngfw/var/cisco/deploy/failed-sandbox.tgz/sandbox/exported-files/var/sf/detection_engines/de_uuid/memcalc_output.log does not contain the line SSL_MEMCAP (the grep returns nothing):

   $ sudo grep SSL_MEMCAP memcalc_output.log

4. The messages file /ngfw/var/log/messages contains lines similar to the following:

   SF-IMS[54410]: [54410] (none):SSL_POLICY [ERROR] ssl_policy.c:1475:ssl_initialize_inspection(): ssl_initialize_inspection Unable to calculate LMDB Mapsize.
   SF-IMS[54410]: [54410] (none):SSL_LOGGING [ERROR] ssl_logging.c:326:ssl_logging_flush(): ssl_logging_flush: Logging module not initialized. Call ssl_logging_init()
   SF-IMS[54410]: [54410] (none):SFSSL_PREPROC [INFO] src/sfssl_setup.c:647:SFSSL_policy_initialize(): sftls_reload_memcap_adjust_init symbol found
   SF-IMS[54410]: SSLPP_PolicyInit(): Failed to initialize ssl_rules_dir and pki_dir.

5. In the case of a high availability pair or cluster, the unit can leave the cluster, or failover is triggered.

6. Approximately 7-10 minutes of traffic outage.
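The three log checks above are easy to script so they can be run over a troubleshoot bundle rather than by hand. The script below is an added example, not part of the Cisco bug text: it assumes the deployment log, memcalc_output.log and messages file have been copied off the FTD into ordinary files, and the sample files it creates are constructed from the bug's example lines (the SSL_MEMCAP value in the "healthy" file is made up; only the presence of the string matters).

```shell
#!/bin/sh
# Added triage helper (not from the Cisco bug text). Confirms that a failed
# deployment shows all three indicators of the Snort 2 / TLS Server Identity
# Discovery failure: snort timeout plus rollback, missing SSL_MEMCAP line,
# and SSL policy initialisation errors in messages.
# Assumption: the three files were copied off the box into plain files.

# Return 0 only when all three indicators are present, 1 otherwise.
ftd_tls_sid_triage() {
    _deploy="$1"
    _memcalc="$2"
    _messages="$3"
    _hits=0

    # 1. Snort detection-engine timeout followed by a rollback
    if grep -q 'Timeout waiting for snort detection engines to process traffic' "$_deploy" &&
       grep -q 'Rollback new configuration' "$_deploy"; then
        echo "deploy log: snort timeout and rollback found"
        _hits=$((_hits + 1))
    fi

    # 2. memcalc never emitted an SSL_MEMCAP line
    if ! grep -q 'SSL_MEMCAP' "$_memcalc"; then
        echo "memcalc_output.log: no SSL_MEMCAP line"
        _hits=$((_hits + 1))
    fi

    # 3. SSL policy initialisation failed in /ngfw/var/log/messages
    if grep -q 'Unable to calculate LMDB Mapsize' "$_messages" &&
       grep -q 'Failed to initialize ssl_rules_dir and pki_dir' "$_messages"; then
        echo "messages: SSL policy init failure found"
        _hits=$((_hits + 1))
    fi

    [ "$_hits" -eq 3 ]
}

# Constructed sample files, built from the bug's example lines, so the
# script runs offline. Prints the directory they were written to.
make_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/policy_deployment.log" <<'EOF'
policy_apply.pl[53769]: ERROR Timeout waiting for snort detection engines to process traffic: 10a17618-15d2-11ea-bc6f-e28c3a408562 at /ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Plugins/Snort/SnortNotifications.pm line 514. (Framework 1526<1279 <- Transaction 1770 <- main 214)
policy_apply.pl[15351]: Rollback new configuration
EOF
    # Failing case: no SSL_MEMCAP line at all (constructed)
    cat > "$_dir/memcalc_bad.log" <<'EOF'
SNORT_MEMCAP: 1024
EOF
    # Healthy case: the line is present, so this is not the bug (constructed value)
    cat > "$_dir/memcalc_ok.log" <<'EOF'
SNORT_MEMCAP: 1024
SSL_MEMCAP: 128
EOF
    cat > "$_dir/messages" <<'EOF'
SF-IMS[54410]: [54410] (none):SSL_POLICY [ERROR] ssl_policy.c:1475:ssl_initialize_inspection(): ssl_initialize_inspection Unable to calculate LMDB Mapsize.
SF-IMS[54410]: [54410] (none):SSL_LOGGING [ERROR] ssl_logging.c:326:ssl_logging_flush(): ssl_logging_flush: Logging module not initialized. Call ssl_logging_init()
SF-IMS[54410]: SSLPP_PolicyInit(): Failed to initialize ssl_rules_dir and pki_dir.
EOF
    echo "$_dir"
}

SAMPLE_DIR=$(make_samples)

# Usage: pass the three files; a zero exit status means the signature matches.
if ftd_tls_sid_triage "$SAMPLE_DIR/policy_deployment.log" "$SAMPLE_DIR/memcalc_bad.log" "$SAMPLE_DIR/messages"; then
    echo "MATCH: failure matches the Snort 2 / TLS Server Identity Discovery signature"
else
    echo "no match: look elsewhere for the deployment failure cause"
fi
```

Requiring all three indicators rather than any one keeps the check from flagging an unrelated snort timeout; a deployment that rolls back but whose memcalc_output.log does contain SSL_MEMCAP is not this bug.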
The symptoms may be observed when:

a) FTD runs Snort 2 and TLS Server Identity Discovery is enabled in the Advanced section of the access control policy (ACP), or

b) All of these steps are followed:
   1. FTD is initially configured with Snort 3 and TLS Server Identity Discovery is not enabled.
   2. The user switches from Snort 3 to Snort 2 and deploys policies.
   3. The user enables TLS Server Identity Discovery and deploys policies with Snort 2.
Two workaround options are possible:

a) Preferred workaround:
   1. With Snort 2 as the running engine, create an empty SSL policy with the default action "Do not Decrypt".
   2. Associate the SSL policy with the ACP, ensure TLS Server Identity Discovery is enabled, then deploy policies.

b) If the TLS Server Identity Discovery feature is not needed, disable it in the Advanced section of the ACP and deploy policies.