Cisco Bug: CSCvu60011 - FTD: Snort policy changes deployed to a HA on failed state are not fully synced
Sep 17, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: Configuration changes deployed from FMC to a pair of FTD devices running in HA, with one of the units in Failed state (for instance if a monitored interface is down), will not fully sync from Active to Standby, leaving the units with mismatched snort configurations. For instance, after an Access Policy rule change, the FTD/LINA "show access-list" command on both units may show that the config between them is synced, but checking the snort policies in the "ngfw.rules" file will show a mismatch between their configs. The configuration mismatch persists even after the event that put one of the units in Failed state recovers and the unit is shown back in "Standby Ready" state.
Conditions: Pushing a deployment change to a pair of FTD devices while one of the units is in HA Failed state.
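As an added defender-side check (not code from Cisco or from this bug record), the following Python compares the "ngfw.rules" content collected from both HA units and reports rules present on only one side, which is what "show access-list" alone would miss here. The sample file contents are constructed, and the format is assumed to be one snort rule per line with "#" comment lines.

```python
import hashlib

# Constructed sample: ngfw.rules as collected from the Active unit after a deployment.
ACTIVE_RULES = """\
# Start of AC rule.
alert tcp any any -> 10.0.0.0/24 443 (msg:"AC rule 1 allow web"; sid:1000001; rev:2;)
alert tcp any any -> 10.0.0.0/24 80 (msg:"AC rule 2"; sid:1000002; rev:1;)
# End of AC rule.
"""

# Constructed sample: the same file on the Standby unit, still carrying the pre-deployment rule 1.
STANDBY_RULES = """\
# Start of AC rule.
alert tcp any any -> 10.0.0.0/24 443 (msg:"AC rule 1"; sid:1000001; rev:1;)
alert tcp any any -> 10.0.0.0/24 80 (msg:"AC rule 2"; sid:1000002; rev:1;)
# End of AC rule.
"""


def normalize_rules(text):
    """Return the set of rule lines, dropping blanks/comments and collapsing whitespace."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.add(" ".join(line.split()))
    return rules


def digest(rules):
    """Stable SHA-256 over the sorted rule set, so two units can be compared by hash."""
    return hashlib.sha256("\n".join(sorted(rules)).encode()).hexdigest()


def compare_snort_policies(active_text, standby_text):
    """Report whether both units carry the same snort rules and list any one-sided rules."""
    active, standby = normalize_rules(active_text), normalize_rules(standby_text)
    return {
        "in_sync": active == standby,
        "active_digest": digest(active),
        "standby_digest": digest(standby),
        "only_on_active": sorted(active - standby),
        "only_on_standby": sorted(standby - active),
    }


if __name__ == "__main__":
    report = compare_snort_policies(ACTIVE_RULES, STANDBY_RULES)
    print("in sync" if report["in_sync"] else "MISMATCH")
    for side in ("only_on_active", "only_on_standby"):
        for rule in report[side]:
            print(f"  {side}: {rule}")
```

Run it against the file pulled from each unit after every deployment while a peer was in Failed state; a non-empty one-sided list or differing digests means the pair needs a redeploy even though "show access-list" matches.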