FTD code change to optimize the LSP package verification logic so that it runs faster than it does today. LSP package verification is performed during the HA Config Sync stage between the units of a Failover pair, with a timeout of one minute; if the timeout is hit, the unit joining the HA pair fails to sync. Examples of the errors seen when this condition is met:

In the failover history, messages like the following can be seen:

15:48:34 CET Dec 23 2023 App Sync Disabled CD App Sync error is Failure in Standby/Sl*ve. Check app-sync-history CLI for details

On the unit being added to the HA pair, which gets stuck, messages like the following can be seen:

> show app-sync-history
================================APP SYNC HISTORY================================
--------------------------------------------------------------------------------
App Sync Time: 13:47:10 UTC Jul 11 2023
Role: Standby Unit
App Sync Status: FAILURE
Failed Phase: StandbyAppConfigSignal
Failure Reason: DeploymentException:Process Manager failed to secure LSP APPLY_APP_CONFIG_APPLICATION_FAILURE SignalAppConfigFailed: Please refer policy_deployment.log file for more details;

In /ngfw/var/log/ngfwManager.log on the FTD this message is seen:

Dec 23 14:48:31 ccm[7260] CDExec-Th-1: ERROR com.cisco.ngfw.cd.phases.AppConfigSignal- SIGNAL App Config Failure: Please refer policy_deployment.log file for more details;

In /ngfw/var/log/sf/policy_deployment.log these messages are seen:

Dec 23 15:47:18 FW-DMZ2001 policy_apply.pl[14637]: INFO START securing LSP on install. lsp-rel-20231220-1501 (Snort::SnortUtil 282 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Error returned 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]:
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Not all lsp files are in the icdb. Can't continue signature verification.
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR Process Manager failed to verify LSP ICDB (Snort::SnortUtil 290 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR ERROR: Process Manager failed to secure LSP (/ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Plugins/Snort/SnortUtil.pm line 291) (Framework 1590<1348 <- Transaction 1772 <- main 214)

Note that the "START securing LSP" entry at 15:47:18 and the failure at 15:48:19 are 61 seconds apart, which matches the one-minute verification timeout: the "Not all lsp files are in the icdb" message reflects the verification being cut short, not a bad LSP signature. The code optimization introduced by this defect is meant to make the LSP verification process faster, thereby avoiding the HA Sync failure caused by the LSP verification timeout.
Applies to FTD sensors running in HA with Snort 3.
Try re-deploying the HA/Policy. The redeploy may succeed if the condition that caused the verification timeout was transient. If the redeploy is not successful, have TAC look for processes that are consuming too much CPU. Run the 'top -d 1' command from the expert mode shell to see whether any processes other than Lina and Snort are consuming a large share of CPU cycles on a continuous basis.
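To confirm from collected output that the failure is the verification timeout described in the symptom rather than a genuine signature problem, and to apply the workaround's CPU check, the following added example (not Cisco code and not part of the original bug report) parses a constructed policy_deployment.log excerpt modelled on the one above and a constructed 'top -b -n 1' capture. Python, the year supplied for the syslog timestamps, the 20% CPU threshold, the batch-mode top flags, and the placeholder process name are assumptions; it is meant to be run off-box on copies of the files rather than on the sensor.

```python
#!/usr/bin/env python3
"""Triage helper for the LSP verification timeout seen during HA App Sync.

Added example, not Cisco code. Run off-box on a copy of
/ngfw/var/log/sf/policy_deployment.log and of 'top -b -n 1' output collected
from expert mode. The year argument and the CPU threshold are assumptions;
syslog lines carry no year.
"""
import re
from datetime import datetime

# Constructed sample modelled on the policy_deployment.log excerpt in the symptom.
SAMPLE_DEPLOY_LOG = """\
Dec 23 15:47:18 FW-DMZ2001 policy_apply.pl[14637]: INFO START securing LSP on install. lsp-rel-20231220-1501 (Snort::SnortUtil 282 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Error returned 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]:
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Not all lsp files are in the icdb. Can't continue signature verification.
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR Process Manager failed to verify LSP ICDB (Snort::SnortUtil 290 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR ERROR: Process Manager failed to secure LSP (/ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Plugins/Snort/SnortUtil.pm line 291) (Framework 1590<1348 <- Transaction 1772 <- main 214)
"""

# Constructed sample of 'top -b -n 1' in procps layout; 'someproc' is a
# placeholder, not a real process name or a real capture.
SAMPLE_TOP = """\
top - 15:48:00 up 3 days,  2:11,  1 user,  load average: 4.10, 3.95, 3.80
Tasks: 312 total,   3 running, 309 sleeping,   0 stopped,   0 zombie
%Cpu(s): 85.0 us,  5.0 sy,  0.0 ni,  8.0 id,  2.0 wa,  0.0 hi,  0.0 si,  0.0 st
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 2231 root      20   0 9876540   4.1g  21000 R  45.0 12.3 120:00.11 lina
 3345 root      20   0 3456780   2.0g  15000 R  30.0  6.1  88:12.00 snort3
 8123 root      20   0 1234560   500m   9000 S  25.0  1.5  10:00.00 someproc
 9111 root      20   0   12340   3000   2000 S   0.3  0.0   0:00.10 top
"""

LSP_TIMEOUT_SECONDS = 60                      # the one-minute LSP verification timeout
EXPECTED_BUSY = {"lina", "snort", "snort3"}   # engines that are expected to be busy

POLICY_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ policy_apply\.pl\[\d+\]:\s*(?P<msg>.*)$"
)


def _parse_ts(ts: str, year: int) -> datetime:
    # Syslog timestamps have no year, so the caller supplies it (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def check_lsp_verification(log_text: str, year: int = 2023):
    """Measure the time from 'START securing LSP' to the first LSP failure.

    Returns None if the securing step or its failure is absent; otherwise a dict
    with the elapsed seconds, whether that reached the one-minute timeout, and
    the verification error text ("Not all lsp files are in the icdb ...").
    """
    start = end = reason = None
    for line in log_text.splitlines():
        m = POLICY_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "START securing LSP" in msg:
            start = _parse_ts(m.group("ts"), year)
            end = reason = None                  # a later START opens a new window
        elif start is not None and end is None and (
            "failed to verify LSP ICDB" in msg or "failed to secure LSP" in msg
        ):
            end = _parse_ts(m.group("ts"), year)
        elif start is not None and "Can't continue signature verification" in msg:
            reason = msg
    if start is None or end is None:
        return None
    elapsed = int((end - start).total_seconds())
    return {
        "elapsed_seconds": elapsed,
        "hit_timeout": elapsed >= LSP_TIMEOUT_SECONDS,
        "reason": reason,
    }


def busy_processes(top_text: str, cpu_threshold: float = 20.0):
    """Return (command, pid, %CPU) for processes other than Lina/Snort at or above the threshold."""
    rows = []
    in_table = False
    for line in top_text.splitlines():
        parts = line.split()
        if not in_table:
            in_table = bool(parts) and parts[0] == "PID"   # skip the summary block
            continue
        if len(parts) < 12:
            continue
        cmd, pid, cpu = " ".join(parts[11:]), int(parts[0]), float(parts[8])
        if cpu >= cpu_threshold and cmd not in EXPECTED_BUSY:
            rows.append((cmd, pid, cpu))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    print(check_lsp_verification(SAMPLE_DEPLOY_LOG))
    print(busy_processes(SAMPLE_TOP))
```

On the constructed sample the securing step runs for 61 seconds before the ICDB error, so hit_timeout is reported, and the only non-Lina/Snort process above the threshold is the placeholder. On a real log, an elapsed time well under 60 seconds with the same "Not all lsp files are in the icdb" message would point to a different problem than this defect.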
none