- FMC policy deployment transcript will contain:

      FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
      Config Error -- class flow_export_class

- Any indication of reordering of flexconfig objects within a flexconfig policy, as witnessed by either the FMC transcript or the preview from the flexconfig policy page.
- FMC 7.2.2
- FTD 7.2.2
- Applying Netflow FlexConfig in accordance with CSCwa04058
- FMC re-ordering the FlexConfig policy
Step 1: Separate the Netflow_Add_Destination object into 2 different objects, as follows:

- The first flexconfig object, say Netflow_Destination_FlexObject, should only contain the following lines and should be deployed once:

      ## destination: interface_nameif destination_ip udp_port
      flow-export destination $netflow_Destination.get(0) $netflow_Destination.get(1) $netflow_Destination.get(2)

- Then create a new flexconfig object, Netflow_Event_FlexObject. This one will have the rest of that config and the class-map config, with Deployment: 'Everytime' and Type: 'Append':

      ## event-types: any subset of {all, flow-create, flow-denied, flow-teardown, flow-update}
      class-map flow_export_class
      match access-list $flow_export_acl
      policy-map global_policy
      class flow_export_class
      #foreach ( $event_type in $netflow_Event_Types )
      flow-export event-type $event_type destination $netflow_Destination.get(1)
      #end

NOTE: Step 3 mentioned in https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/netflow/216126-configure-netflow-secure-event-logging-o.html should be pushed along with the "Netflow_Event_FlexObject" flexconfig object created above, to remove the dependency between 2 different flexconfig objects.

Step 2: Deploy the flexconfig policy with "Netflow_Destination_FlexObject" initially.

Step 3: Now assign "Netflow_Event_FlexObject" and deploy the changes. Every successive deployment should now pass without any configs being removed.
- Given that the class-map flow_export_class is out of order:

      ###Flex-config Appended CLI ###
      policy-map global_policy
      class flow_export_class
      flow-export event-type all destination 192.0.2.102
      flow-export event-type flow-create destination 192.0.2.102
      flow-export event-type flow-denied destination 192.0.2.102
      flow-export event-type flow-teardown destination 192.0.2.102
      flow-export event-type flow-update destination 192.0.2.102
      class-map flow_export_class <<<<< This should be located above the policy-map line
      match access-list netflow

- The result is a failed deployment with the following transcript error:

      FMC >> clear session FMC_SESSION_1 access
      FTD1_lab2 >> [info] : WARNING: This might result in parallel access to session FMC_SESSION_1.
      FMC >> configure session FMC_SESSION_1
      FMC >> abort
      FMC >> no strong-encryption-disable
      FMC >> vpn-addr-assign local
      FMC >> policy-map global_policy
      FMC >> no class flow_export_class
      FMC >> class class-default
      FMC >> exit
      FMC >> no class-map flow_export_class <<<<< This is "normal"
      FMC >> no dp-tcp-proxy
      FMC >> policy-map global_policy <<<<< We're trying to edit the policy-map for the class before it's created
      FMC >> class flow_export_class
      FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
      Config Error -- class flow_export_class

- The order SHOULD be as follows:

      ###Flex-config Appended CLI ###
      class-map flow_export_class <<<<< This should be located above the policy-map line
      match access-list netflow
      policy-map global_policy
      class flow_export_class
      flow-export event-type all destination 192.0.2.102
      flow-export event-type flow-create destination 192.0.2.102
      flow-export event-type flow-denied destination 192.0.2.102
      flow-export event-type flow-teardown destination 192.0.2.102
      flow-export event-type flow-update destination 192.0.2.102
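A pre-deployment check for the ordering problem shown above, as an added example (not Cisco's code and not part of the original bug record): it reads either the "Flex-config Appended CLI" preview or an FMC deployment transcript and reports every policy-map `class` line issued before its `class-map` exists. The function name, the `preexisting` parameter and the built-in class set are assumptions made for this sketch.

```python
import re

# Class-maps assumed to exist without being declared in the stream (assumption).
BUILTIN_CLASSES = {"class-default", "inspection_default"}

PROMPT = re.compile(r"^\s*\S+\s*>>\s*")  # "FMC >> " / "FTD1_lab2 >> " transcript prefixes
NOTE = re.compile(r"\s*<{3,}.*$")        # trailing "<<<<< ..." annotations


def find_undefined_class_refs(cli_text, preexisting=()):
    """Return [(line_no, class_name)] for each policy-map 'class X' that is
    issued before 'class-map X' has been configured in the same CLI stream.

    preexisting: class-maps already present on the device before this push.
    """
    defined = set(BUILTIN_CLASSES) | set(preexisting)
    in_policy_map = False
    problems = []
    for line_no, raw in enumerate(cli_text.splitlines(), start=1):
        line = NOTE.sub("", PROMPT.sub("", raw)).strip()
        words = line.split()
        if not words or line.startswith("#"):
            continue  # blank line, banner, or Velocity comment/directive
        negated = words[0] == "no"
        if negated:
            words = words[1:]
        if len(words) < 2:
            continue
        cmd, name = words[0], words[-1]
        if cmd == "class-map":
            in_policy_map = False
            if negated:
                defined.discard(name)  # "no class-map X" removes the definition
            else:
                defined.add(name)
        elif cmd == "policy-map":
            in_policy_map = not negated
        elif cmd == "class" and in_policy_map and not negated:
            if words[1] not in defined:
                problems.append((line_no, words[1]))
    return problems


# Constructed sample: the out-of-order preview from this page, shortened.
BAD_PREVIEW = """###Flex-config Appended CLI ###
policy-map global_policy
class flow_export_class
flow-export event-type all destination 192.0.2.102
class-map flow_export_class
match access-list netflow
"""

if __name__ == "__main__":
    for line_no, name in find_undefined_class_refs(BAD_PREVIEW):
        print(f"line {line_no}: class {name} used before class-map {name}")
```

When checking a transcript rather than a preview, pass the class-maps already on the device via `preexisting` so that a `no class-map` followed by a later `class` reference is caught.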