...
- FMC policy deployment transcript will contain:

      FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
      Config Error -- class flow_export_class

- Any indication of reordering of flexconfig objects within a flexconfig policy as witnessed by either FMC transcript or the preview from the flexconfig policy page.
- FMC 7.2.2
- FTD 7.2.2
- Applying Netflow FlexConfig in accordance with CSCwa04058
- FMC re-ordering the FlexConfig policy
Step 1: Separate the Netflow_Add_Destination object into 2 different objects, as follows:

- The first flexconfig object, say Netflow_Destination_FlexObject, should only contain the following lines and should be deployed once:

      ## destination: interface_nameif destination_ip udp_port
      flow-export destination $netflow_Destination.get(0) $netflow_Destination.get(1) $netflow_Destination.get(2)

- Then create a new flexconfig object for Netflow_Event_FlexObject. This one will have the rest of that config and the class-map config, with Deployment: 'Everytime' and Type: 'Append':

      ## event-types: any subset of {all, flow-create, flow-denied, flow-teardown, flow-update}
      class-map flow_export_class
       match access-list $flow_export_acl
      policy-map global_policy
       class flow_export_class
      #foreach ( $event_type in $netflow_Event_Types )
        flow-export event-type $event_type destination $netflow_Destination.get(1)
      #end

NOTE: Step 3 mentioned in https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/netflow/216126-configure-netflow-secure-event-logging-o.html should be pushed along with the "Netflow_Event_FlexObject" flexconfig object created above to remove the dependency between 2 different flexconfig objects.

Step 2: Deploy the flexconfig policy with "Netflow_Destination_FlexObject" initially.

Step 3: Now assign "Netflow_Event_FlexObject" and deploy the changes. Every successive deployment should pass now without any configs removed.
- Given that the class-map flow_export_class is out of order:

      ###Flex-config Appended CLI ###
      policy-map global_policy
       class flow_export_class
        flow-export event-type all destination 192.0.2.102
        flow-export event-type flow-create destination 192.0.2.102
        flow-export event-type flow-denied destination 192.0.2.102
        flow-export event-type flow-teardown destination 192.0.2.102
        flow-export event-type flow-update destination 192.0.2.102
      class-map flow_export_class <<<<< This should be located above the policy-map line
       match access-list netflow

- The result is a failed deployment with the following transcript error:

      FMC >> clear session FMC_SESSION_1 access
      FTD1_lab2 >> [info] : WARNING: This might result in parallel access to session FMC_SESSION_1.
      FMC >> configure session FMC_SESSION_1
      FMC >> abort
      FMC >> no strong-encryption-disable
      FMC >> vpn-addr-assign local
      FMC >> policy-map global_policy
      FMC >> no class flow_export_class
      FMC >> class class-default
      FMC >> exit
      FMC >> no class-map flow_export_class <<<<< This is "normal"
      FMC >> no dp-tcp-proxy
      FMC >> policy-map global_policy <<<<< We're trying to edit the policy-map for the class before it's created
      FMC >> class flow_export_class
      FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
      Config Error -- class flow_export_class

- The order SHOULD be as follows:

      ###Flex-config Appended CLI ###
      class-map flow_export_class <<<<< This should be located above the policy-map line
       match access-list netflow
      policy-map global_policy
       class flow_export_class
        flow-export event-type all destination 192.0.2.102
        flow-export event-type flow-create destination 192.0.2.102
        flow-export event-type flow-denied destination 192.0.2.102
        flow-export event-type flow-teardown destination 192.0.2.102
        flow-export event-type flow-update destination 192.0.2.102
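The ordering problem described above can be checked before deployment by scanning the FlexConfig preview, or a saved transcript, for a policy-map "class" command that comes before its "class-map". The following is an added example, not Cisco code and not part of the original bug note. The function name and the sample strings are constructed for illustration, and it assumes the class-map does not already exist in the running configuration at that point, which matches the transcript above where FMC removes it first.

```python
def undefined_class_refs(cli_text, predefined=("class-default",)):
    """Return [(line_no, name)] for 'class X' seen before 'class-map X' (assumes no other class-maps exist)."""
    defined = set(predefined)
    problems = []
    for line_no, raw in enumerate(cli_text.splitlines(), 1):
        line = raw.split("<<<<<")[0].strip()   # drop "<<<<<" annotations
        if " >> " in line:                     # transcript form: "SENDER >> text"
            sender, line = line.split(" >> ", 1)
            if sender != "FMC":                # device replies are not commands
                continue
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue                           # blank line or banner/comment
        negated = tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if len(tokens) < 2:
            continue
        if tokens[0] == "class-map":           # the name is the last token
            (defined.discard if negated else defined.add)(tokens[-1])
        elif tokens[0] == "class" and not negated and tokens[1] not in defined:
            problems.append((line_no, tokens[1]))
    return problems

# Constructed samples (not captured output) following the ordering shown on this page.
BAD_PREVIEW = """\
###Flex-config Appended CLI ###
policy-map global_policy
class flow_export_class
flow-export event-type all destination 192.0.2.102
class-map flow_export_class
match access-list netflow
"""
GOOD_PREVIEW = """\
###Flex-config Appended CLI ###
class-map flow_export_class
match access-list netflow
policy-map global_policy
class flow_export_class
flow-export event-type all destination 192.0.2.102
"""
TRANSCRIPT = """\
FMC >> no class-map flow_export_class
FMC >> policy-map global_policy
FMC >> class flow_export_class
FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
"""

if __name__ == "__main__":
    for name, text in [("bad", BAD_PREVIEW), ("good", GOOD_PREVIEW), ("transcript", TRANSCRIPT)]:
        print(name, undefined_class_refs(text))
```

An empty result means every policy-map class reference follows its class-map definition in the text that was checked.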