Issue:
FMC and FTD were on 6.4.4. The FMC upgrade to 6.6.5 had no issue, but after the FPR1120 was upgraded to 6.6.5 the FMC lost the FTD. The user reported: "FPR 1120 not sending Heartbeats after upgrade to 6.6.5. Shows failure in UI but no details."
TS:
From the FTD CLI, ping to the FMC works. In expert mode, ran "sftunnel_status.pl"; it showed the error "certificate is not valid yet" and sftunnel was down. Verified the FMC certificate is valid from 2019 to 2025. Checked the FTD time with the Linux "date" command: it showed the current year as 2015, and "hwclock -r" showed 2015 for the hardware clock too. Ran "date -s "18 OCT 2021 18:00:00"" to set the UTC time. Ran "sftunnel_status.pl" again, which showed sftunnel up, and the FMC shows the device green.
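The failure above is a clock problem that surfaces as a certificate problem: the FTD's clock (2015) was earlier than the certificate's notBefore date (2019), so the TLS validation that sftunnel performs reports "certificate is not valid yet". The following is an added example, not part of the original notes or any Cisco tooling, that classifies the sftunnel certificate state from the output of "date" on both peers and the notBefore/notAfter dates of the certificate (as printed by "openssl x509 -noout -dates"). The date strings, the 5-minute skew tolerance and the fix hints are constructed assumptions for illustration; only the 2015/2021 years and the 2019-2025 validity window come from the case above.

```python
"""Classify why sftunnel reports "certificate is not valid yet" (added example, not Cisco code)."""
from datetime import datetime, timedelta, timezone

# Formats assumed for the inputs:
#   openssl x509 -noout -dates  ->  "notBefore=Oct 18 00:00:00 2019 GMT"
#   date (UTC system)           ->  "Sun Oct 18 18:00:00 UTC 2015"
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
LINUX_DATE = "%a %b %d %H:%M:%S UTC %Y"

# Constructed sample values modelled on the case: FTD clock stuck in 2015,
# FMC in 2021, FMC certificate valid 2019-2025 (exact days are made up).
FTD_DATE_BEFORE_FIX = "Sun Oct 18 18:00:00 UTC 2015"
FTD_DATE_AFTER_FIX = "Mon Oct 18 18:00:00 UTC 2021"
FMC_DATE = "Mon Oct 18 18:00:00 UTC 2021"
CERT_NOT_BEFORE = "Oct 18 00:00:00 2019 GMT"
CERT_NOT_AFTER = "Oct 18 00:00:00 2025 GMT"

FIX_HINT = {
    "not_valid_yet": "device clock is before the certificate notBefore: set the clock "
                     "(date -s / NTP), then re-run sftunnel_status.pl",
    "expired": "certificate notAfter has passed: renew the certificate (or fix a clock "
               "that is running ahead)",
    "clock_skew": "certificate window is fine but peers disagree on the time: fix NTP "
                  "before chasing sftunnel itself",
    "ok": "time and certificate window look fine: look elsewhere (sftunnel logs, "
          "registration key, connectivity)",
}


def parse_openssl_date(text):
    """Parse a 'notBefore=...' / 'notAfter=...' line or bare openssl date into UTC."""
    value = text.split("=", 1)[1] if "=" in text else text
    return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_date_output(text):
    """Parse the output of the Linux 'date' command on a UTC-configured box."""
    return datetime.strptime(text.strip(), LINUX_DATE).replace(tzinfo=timezone.utc)


def classify_cert_state(device_now, not_before, not_after, peer_now=None,
                        max_skew=timedelta(minutes=5)):
    """Order matters: the validity window is judged by the device's own clock first,
    because that is what its TLS stack uses; skew against the peer is checked last."""
    if device_now < not_before:
        return "not_valid_yet"
    if device_now > not_after:
        return "expired"
    if peer_now is not None and abs(device_now - peer_now) > max_skew:
        return "clock_skew"
    return "ok"


def triage(ftd_date_output, fmc_date_output, not_before_text, not_after_text):
    """Return the classification, the FTD/FMC clock difference and a fix hint."""
    ftd_now = parse_date_output(ftd_date_output)
    fmc_now = parse_date_output(fmc_date_output)
    state = classify_cert_state(ftd_now, parse_openssl_date(not_before_text),
                                parse_openssl_date(not_after_text), fmc_now)
    return {"state": state, "skew": fmc_now - ftd_now, "fix": FIX_HINT[state]}


if __name__ == "__main__":
    for label, ftd_date in (("before fix", FTD_DATE_BEFORE_FIX), ("after fix", FTD_DATE_AFTER_FIX)):
        result = triage(ftd_date, FMC_DATE, CERT_NOT_BEFORE, CERT_NOT_AFTER)
        print(f"{label}: {result['state']} (skew {result['skew']}) -> {result['fix']}")
```

The classification order is the useful part: a device whose clock sits before notBefore will always fail validation no matter how healthy the FMC is, which is why the notes check "date" and "hwclock -r" before anything else. After "date -s" the same inputs classify as "ok"; if the hardware clock is left wrong, the problem returns on the next reboot, so "hwclock -w" (or NTP) is worth confirming as well.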
==================
Error:
active peer already exists
Reason:
A device can be un-cleanly de-registered and still exist in the database.
Fix:
/usr/local/sf/bin/remove_peer.pl "IP or NAME or UUID" FORCE
====
Error:
Deployment appears stuck in the GUI, but it may actually have been deployed.
TS:
Verify whether the rules were actually deployed:
FTD LINA engine: a global ACL named CSM_FW_ACL_
FTD Snort engine: Access Control (AC) rules in /var/sf/detection_engines/UUID/ngfw.rules
Use the following commands in expert mode to find and delete the stuck notification.
OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification;" | grep "\ 7\ "
or OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=7;"
OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("AB2E4574EBB9349A90ECE4EC2520AEB8");'
Another case:
OmniQuery.pl -db mdb -e "select count(device_status),device_status from jobs_device_status group by device_status;"
Based on the output, it was confirmed that the deployment was still stuck.
To resolve this, I provided the following command to clear the stuck deployment status:
OmniQuery.pl -db sdb -e "update jobs_device_status set device_status='FAILED' where device_status='PARTIALLY_SUCCEEDED';"
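Both cleanups above follow the same pattern: run a select, confirm from the output which rows are stuck, then issue a delete or update scoped to exactly those rows. The following is an added example, not part of the original notes and not a Cisco tool, that turns the query output into the cleanup statements while refusing to touch anything that is not in the stuck state (status 7 for notifications, PARTIALLY_SUCCEEDED for jobs). It assumes OmniQuery.pl prints a tab-separated table with a header row, which is an assumption; the sample output below is constructed, with the first UUID taken from the notes and the second made up.

```python
"""Build scoped cleanup statements from OmniQuery.pl output (added example, not Cisco code)."""
import re

# A MySQL hex(uuid) value is 16 bytes rendered as 32 hex characters.
HEX_UUID = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample outputs; the tab-separated-with-header format is an assumption.
SAMPLE_NOTIFICATION_OUTPUT = (
    "status\tcategory\thex(uuid)\tbody\n"
    "7\tdeploy\tAB2E4574EBB9349A90ECE4EC2520AEB8\tDeployment in progress\n"
    "3\tdeploy\t0123456789ABCDEF0123456789ABCDEF\tDeployment completed\n"
)
SAMPLE_JOBS_OUTPUT = (
    "count(device_status)\tdevice_status\n"
    "3\tSUCCEEDED\n"
    "1\tPARTIALLY_SUCCEEDED\n"
)


def parse_query_output(text):
    """Turn header + rows into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def stuck_notification_deletes(output, stuck_status="7"):
    """One delete per stuck notification, keyed by its hex UUID; other rows are ignored."""
    statements = []
    for row in parse_query_output(output):
        if row.get("status") != stuck_status:
            continue
        uuid_hex = row.get("hex(uuid)", "").upper()
        if not HEX_UUID.match(uuid_hex):
            # A malformed UUID means we misread the table; stop rather than guess.
            raise ValueError(f"unexpected uuid value: {uuid_hex!r}")
        statements.append(f'delete from notification where uuid=unhex("{uuid_hex}");')
    return statements


def deployment_status_counts(output):
    """Map device_status -> count from the grouped jobs_device_status query."""
    return {row["device_status"]: int(row["count(device_status)"])
            for row in parse_query_output(output)}


def stuck_deployment_update(counts, stuck_status="PARTIALLY_SUCCEEDED"):
    """Only emit the update when rows in the stuck status actually exist."""
    if counts.get(stuck_status, 0) == 0:
        return None
    return (f"update jobs_device_status set device_status='FAILED' "
            f"where device_status='{stuck_status}';")


def omniquery_command(db, statement):
    """Argument list for running a statement via OmniQuery.pl (for subprocess.run, not shell)."""
    return ["OmniQuery.pl", "-db", db, "-e", statement]


if __name__ == "__main__":
    for stmt in stuck_notification_deletes(SAMPLE_NOTIFICATION_OUTPUT):
        print("would run:", omniquery_command("mdb", stmt))
    update = stuck_deployment_update(deployment_status_counts(SAMPLE_JOBS_OUTPUT))
    print("would run:", omniquery_command("sdb", update) if update else "nothing to fix")
```

Printing the argument list first and running it only after reading it keeps the "look, then delete" order of the notes; passing a list to subprocess rather than a shell string also avoids the quoting trouble the double-quoted unhex() string causes on the command line.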
====
For HTTPS traffic, the SNI extension in the TLS Client Hello carries the destination hostname in the clear, which is the URL information the firewall can see without decryption.
No log event in FMC
In a production environment, if you run into a situation where events are not appearing, the first thing you should check is the time synchronization between the NGFW and FMC. Otherwise, it is likely to be an issue with the eventing processes. If this happens, try restarting these processes as follows.

On the NGFW CLI run the following command:
pmtool restartbytype EventProcessor

From the Jumper desktop, connect to the FMC using the pre-defined PuTTY session. Login as admin/C1sco12345 and run the following commands:
sudo pmtool restartbyid SFDataCorrelator
sudo pmtool restartbyid sftunnel
