FTD code changes to optimize the LSP package verification logic so that it runs faster than it does at present.

LSP package verification is performed during the HA Config Sync stage between units in Failover, with a timeout set to one minute. If the timeout is hit, the joining HA unit fails.

Example of the error seen when this condition is met:

In the failover history, messages like the following can be seen:

15:48:34 CET Dec 23 2023 App Sync Disabled CD App Sync error is Failure in Standby/Sl*ve. Check app-sync-history CLI for details

On the unit that is being added to the HA pair and gets stuck, messages like the following can be seen:

> show app-sync-history
================================APP SYNC HISTORY================================
--------------------------------------------------------------------------------
App Sync Time: 13:47:10 UTC Jul 11 2023
Role: Standby Unit
App Sync Status: FAILURE
Failed Phase: StandbyAppConfigSignal
Failure Reason: DeploymentException:Process Manager failed to secure LSP APPLY_APP_CONFIG_APPLICATION_FAILURE SignalAppConfigFailed: Please refer policy_deployment.log file for more details;

In the FTD /ngfw/var/log/ngfwManager.log this message is seen:

Dec 23 14:48:31 ccm[7260] CDExec-Th-1: ERROR com.cisco.ngfw.cd.phases.AppConfigSignal- SIGNAL App Config Failure: Please refer policy_deployment.log file for more details;

In /ngfw/var/log/sf/policy_deployment.log these messages are seen:

Dec 23 15:47:18 FW-DMZ2001 policy_apply.pl[14637]: INFO START securing LSP on install. lsp-rel-20231220-1501 (Snort::SnortUtil 282 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Error returned 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]:
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Not all lsp files are in the icdb. Can't continue signature verification.
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR Process Manager failed to verify LSP ICDB (Snort::SnortUtil 290 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR ERROR: Process Manager failed to secure LSP (/ngfw/var/cisco/deploy/sandbox/exporter-pkg/code/SF/UMPD/Plugins/Snort/SnortUtil.pm line 291) (Framework 1590<1348 <- Transaction 1772 <- main 214)

The code optimization introduced by this defect is meant to make the LSP verification process faster, thereby avoiding the HA Sync failure caused by the LSP verification timeout.
Applicable for FTD sensors running in HA and running snort3.
Try re-deploying the HA/Policy. The re-deploy may succeed if the problem causing the verification timeout is transient. If the re-deploy is not successful, have TAC look for processes that are consuming too much of the CPU. Run the 'top -d 1' command from the expert mode shell to see if any processes (other than Lina & Snort) are consuming too many CPU cycles on a continuous basis.
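To confirm from a copy of policy_deployment.log that a failed sync matches this signature, the following added example (not Cisco code) pairs each "START securing LSP" entry with a later "failed to verify LSP ICDB" entry from the same policy_apply.pl PID and reports the elapsed time against the one-minute timeout. The function name, the field names and the `year` parameter are assumptions of this example; the sample lines are copied from the log excerpt above.

```python
import re
from datetime import datetime

# Sample lines copied from the policy_deployment.log excerpt on this page.
SAMPLE = """\
Dec 23 15:47:18 FW-DMZ2001 policy_apply.pl[14637]: INFO START securing LSP on install. lsp-rel-20231220-1501 (Snort::SnortUtil 282 <- LSP::Device 214 <- Plugin 235)
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Error returned 1
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: Not all lsp files are in the icdb. Can't continue signature verification.
Dec 23 15:48:19 FW-DMZ2001 policy_apply.pl[14637]: ERROR Process Manager failed to verify LSP ICDB (Snort::SnortUtil 290 <- LSP::Device 214 <- Plugin 235)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) policy_apply\.pl\[(\d+)\]: (.*)$")
START = re.compile(r"START securing LSP on install\. (\S+)")
FAIL = "failed to verify LSP ICDB"
TIMEOUT_S = 60  # the page states a one-minute timeout


def find_lsp_verify_failures(text, year=2023):
    """Pair each 'START securing LSP' with a later verify failure from the same PID."""
    started = {}   # (host, pid) -> (start time, LSP package name)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        # Syslog stamps carry no year; `year` is an assumption supplied by the caller.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = START.search(msg)
        if s:
            started[(host, pid)] = (when, s.group(1))
        elif FAIL in msg and (host, pid) in started:
            began, lsp = started.pop((host, pid))
            elapsed = int((when - began).total_seconds())
            findings.append({"host": host, "pid": int(pid), "lsp": lsp,
                             "elapsed_s": elapsed,
                             "timeout_suspected": elapsed >= TIMEOUT_S})
    return findings


if __name__ == "__main__":
    for finding in find_lsp_verify_failures(SAMPLE):
        print(finding)
```

An elapsed time at or just above 60 seconds points to the verification timeout described here; a much shorter interval suggests the verification failed for some other reason.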