...
- For a given FlexConfig deployment, after an initial successful deployment, the objects are ordered differently in the FMC transcript than they appear in the GUI. This occurs predominantly with an object containing the command 'class-map'.
- Found with FMC on 7.2.x
- FlexConfig policies are utilized
- Issue witnessed with an object that only contained 'class-map flow_export_class'
- Thus this issue is most likely to be seen when configuring NetFlow, though other configurations could be affected.
- Move the objects that are being reordered into a single object in the FlexConfig policy to prevent them from being incorrectly ordered in code.
- For example, see CSCwf99848
- Given that the class-map flow_export_class is out of order:

    ###Flex-config Appended CLI ###
    policy-map global_policy
    class flow_export_class
    flow-export event-type all destination 192.0.2.102
    flow-export event-type flow-create destination 192.0.2.102
    flow-export event-type flow-denied destination 192.0.2.102
    flow-export event-type flow-teardown destination 192.0.2.102
    flow-export event-type flow-update destination 192.0.2.102
    class-map flow_export_class <<<<< This should be located above the policy-map line
    match access-list netflow

- The result is a failed deployment with the following transcript error:

    FMC >> clear session FMC_SESSION_1 access
    FTD1_lab2 >> [info] : WARNING: This might result in parallel access to session FMC_SESSION_1.
    FMC >> configure session FMC_SESSION_1
    FMC >> abort
    FMC >> no strong-encryption-disable
    FMC >> vpn-addr-assign local
    FMC >> policy-map global_policy
    FMC >> no class flow_export_class
    FMC >> class class-default
    FMC >> exit
    FMC >> no class-map flow_export_class <<<<< This is "normal"
    FMC >> no dp-tcp-proxy
    FMC >> policy-map global_policy <<<<< We're trying to edit the policy-map for the class before it's created
    FMC >> class flow_export_class
    FTD1_lab2 >> [error] : ERROR: % class-map flow_export_class not configured
    Config Error -- class flow_export_class

- The order SHOULD be as follows:

    ###Flex-config Appended CLI ###
    class-map flow_export_class <<<<< This should be located above the policy-map line
    match access-list netflow
    policy-map global_policy
    class flow_export_class
    flow-export event-type all destination 192.0.2.102
    flow-export event-type flow-create destination 192.0.2.102
    flow-export event-type flow-denied destination 192.0.2.102
    flow-export event-type flow-teardown destination 192.0.2.102
    flow-export event-type flow-update destination 192.0.2.102
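
A pre-deployment check for the ordering problem described above, as an added example (not Cisco's or FMC's code): it scans the FlexConfig appended CLI preview, or an FMC transcript, and reports every policy-map `class` that is referenced before its `class-map` exists. The function name, the sample text and the set of class-maps assumed to already exist on the device are assumptions.

```python
# Constructed sample: the out-of-order appended CLI from this page (shortened).
BAD_ORDER = """\
policy-map global_policy
class flow_export_class
flow-export event-type all destination 192.0.2.102
class-map flow_export_class <<<<< This should be located above the policy-map line
match access-list netflow
"""

# Constructed sample: the same commands in the order the page says is correct.
GOOD_ORDER = """\
class-map flow_export_class
match access-list netflow
policy-map global_policy
class flow_export_class
flow-export event-type all destination 192.0.2.102
"""

# Assumption: class-maps already present on the device before deployment.
EXISTING_CLASSES = frozenset({"class-default", "inspection_default"})


def undefined_class_refs(cli, existing=EXISTING_CLASSES):
    """Return (line_no, name) for each 'class' used before its 'class-map'."""
    defined = set(existing)
    findings = []
    for line_no, raw in enumerate(cli.splitlines(), start=1):
        # Drop "<<<<< ..." annotations and the "FMC >>" transcript prefix.
        line = raw.split("<<<<<")[0].strip().removeprefix("FMC >>").strip()
        tokens = line.split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "no":
            # "no class-map X" removes the definition; other "no" lines
            # (for example "no class X") are not references.
            if tokens[1] == "class-map":
                defined.discard(tokens[-1])
        elif tokens[0] == "class-map":
            defined.add(tokens[-1])   # the name is the last token
        elif tokens[0] == "class" and tokens[-1] not in defined:
            findings.append((line_no, tokens[-1]))
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(label, undefined_class_refs(text))
```

Device response lines in a transcript (those that start with the FTD name) are ignored, so the failed-deployment transcript can be pasted in as it is.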