Cisco Bug: CSCvu29508 - FMC manual removal and addition of FTD Cluster member causes dangling stale interfaces

Last Modified

Jul 15, 2020

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.4.0.7

Description (partial)

Symptom:
Since the FMC 6.3 release, cluster member addition is handled automatically (Simplified Cluster registration process). This is described in the FMC Configuration Guide:
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/clustering_for_the_firepower_threat_defense.html#id_76486

However, FMC does not prevent an administrator from manually adding/registering a cluster member.

Doing so can leave stale/dangling interfaces on FMC for the cluster devices, which in turn can cause empty policy deployments: rules whose security zones contain only the non-existent interfaces have no zone pairs and are skipped during deployment.

On the FTD backend, messages like these are seen in /ngfw/var/log/sf/policy_deployment.log during the policy deployment:
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_10 (268438812} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_6 (268438808} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_2 (268438804} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_4 (268438806} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
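The lines above are the only on-box evidence that a deployment went out with empty rules, so it is worth having a quick check for them. The following script is an added example, not part of the Cisco bug page or of any Cisco tooling: it extracts the rule name and ID from every "skipping rule ... : no zone pairs" line in policy_deployment.log and counts them. The log path is the one named in the description; the sample log written by make_sample_log is constructed for offline testing (its two skipped-rule lines mirror the excerpt above, the first line is filler).

```shell
#!/bin/sh
# Added example (not from the Cisco bug page): list access-control rules that
# policy_apply.pl skipped for lack of zone pairs in a deployment log.
# Real log path on FTD (from the bug description): /ngfw/var/log/sf/policy_deployment.log
# The sample log below is constructed for offline testing.

# Write a constructed sample log to the path given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
May 13 22:06:30 firepower policy_apply.pl[19705]: INFO  constructed filler line that must not match
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_10 (268438812} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
May 13 22:06:31 firepower policy_apply.pl[19705]: INFO  skipping rule ACP_Rule_6 (268438808} : no zone pairs  (AccessControl::Promote 552<425<323<187 <- AccessControl::Device 1166<346 <- Plugin 235)
EOF
}

# Print "<rule name> <rule id>" once per rule skipped with "no zone pairs".
# The logged line closes the ID with "}" rather than ")", so accept either.
skipped_rules() {
  sed -n 's/.*skipping rule \([^ ]*\) (\([0-9]*\)[)}] : no zone pairs.*/\1 \2/p' "$1" | sort -u
}

# Number of distinct skipped rules. Non-zero after a deployment means the
# policy went down with holes in it; check the FMC interface/zone objects.
skipped_count() {
  skipped_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh skipped_rules.sh [logfile]
# With no argument the constructed sample log is scanned instead.
LOG=${1:-}
CLEANUP=
if [ -z "$LOG" ]; then
  LOG=$(mktemp)
  make_sample_log "$LOG"
  CLEANUP=$LOG
fi
echo "skipped rules: $(skipped_count "$LOG")"
skipped_rules "$LOG"
if [ -n "$CLEANUP" ]; then
  rm -f "$CLEANUP"
fi
```

Run it from the FTD expert shell against the real log after a deployment; any output beyond "skipped rules: 0" is the symptom described above, and the listed rule names tell you which zones to inspect on FMC.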

Conditions:
1. Register a Cluster device with at least 1 slave. Register one more stand-alone device.
2. Name an interface on both and put them in 1 security zone.
3. Use the zone in an AC policy.
4. Use the named interface on the Cluster in a static route.
5. Delete the Cluster.