Cisco Bug: CSCvu38795 - FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry
Oct 05, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: In rare cases after a firewall traceback the unit that crashed cannot join back the cluster: firepower# cluster enable Detected Cluster Master. Beginning configuration replication from Master. WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'. .. Cryptochecksum (unchanged): 978cdf7a b61b156a 30f57549 42437c19 Abort configuration replication from Master. Cluster disable is performing cleanup..done. All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration. The show cluster history shows: firepower# show cluster history | i CLI DISABLED ELECTION Enabled from CLI SLAVE_CONFIG DISABLED Disabled from CLI To verify the root cause check the following: firepower# show cluster info goid interface Additional verification on the Master unit: firepower# show cluster info goid interface goid : 0x1201831 pinned: No object: 0x0000000000000000 <--- key : String: single_vf String: INSIDE or: firepower# debug propagate-link-state 255 Related messages Master unit-1-1: cluster_send_lsp_info_internal Failed to sync LSP state to unit 0 Slave unit-2-1: cluster_rpc_lsp: Unable to find inline pair interfaces idb1=0x0000000000000000 idb2=0x00002b2fedd742a0 cluster_rpc_lsp: Unable to find inline pair interfaces idb1=0x0000000000000000 idb2=0x00002b2fedd742a0 Conditions: There is a policy deployment on the firewall that involves an interface configuration modification and the firewall (Master) has a traceback during the configuration replication.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases