Cisco Bug: CSCvu60011 - FTD: Snort policy changes deployed to a HA on failed state are not fully synced

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.13(1)
  • 9.14(1.1)

Description (partial)

Symptom:
Configuration changes deployed from FMC to a pair of FTD devices running in HA while one of the units is in the Failed state (for instance because a monitored interface is down) do not fully sync from Active to Standby, leaving the two units with mismatched Snort configurations.

For instance, after an Access Policy rule change, the FTD/LINA "show access-list" command on both units may indicate that the configuration is synced, but comparing the Snort policies in the "ngfw.rules" file on each unit will show a mismatch between their configurations.

The configuration mismatch persists even after the event that put the unit in the Failed state recovers and the unit is displayed back in the "Standby Ready" state.
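Because "show access-list" agreeing on both units is not sufficient evidence of sync, a practitioner will want to compare the Snort rule files themselves after any deployment made while a unit was in the Failed state. The script below is an added example, not code from Cisco or from the bug record; it assumes you have already copied the ngfw.rules file from the Active and Standby units to the local machine, and the rule lines embedded in it are constructed placeholders that do not reproduce the real ngfw.rules syntax.

```python
"""Compare Snort rule files captured from both units of an FTD HA pair.

Added example (not from Cisco or the bug record). It assumes the
ngfw.rules file has already been copied from the Active and Standby
units; the rule lines below are constructed placeholders and do not
reproduce the real ngfw.rules syntax.
"""
from difflib import unified_diff

# Constructed sample captures: the Standby copy is missing the rule that
# was deployed while the unit sat in the Failed state.
ACTIVE_RULES = """\
# Snort access-control rules (constructed sample, not real syntax)
rule 1 allow src 10.1.1.0/24 dst any app HTTP
rule 2 block src any dst 10.2.2.10 app SSH
rule 3 allow src any dst any app DNS
"""

STANDBY_RULES = """\
# Snort access-control rules (constructed sample, not real syntax)
rule 1 allow src 10.1.1.0/24 dst any app HTTP
rule 3 allow src any dst any app DNS
"""


def normalize(text):
    """Drop comments and blank lines so only effective rules are compared."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(line)
    return rules


def compare_rules(active_text, standby_text):
    """Return (in_sync, only_on_active, only_on_standby).

    in_sync is a strict ordered comparison, so a reordered rule set is
    also reported as out of sync even if the set differences are empty.
    """
    active = normalize(active_text)
    standby = normalize(standby_text)
    only_active = sorted(set(active) - set(standby))
    only_standby = sorted(set(standby) - set(active))
    return (active == standby, only_active, only_standby)


def report(active_text, standby_text):
    """Human-readable summary, including a unified diff when out of sync."""
    in_sync, only_active, only_standby = compare_rules(active_text, standby_text)
    if in_sync:
        return "ngfw.rules identical on both units"
    lines = ["ngfw.rules MISMATCH between Active and Standby"]
    for rule in only_active:
        lines.append("  only on Active : " + rule)
    for rule in only_standby:
        lines.append("  only on Standby: " + rule)
    lines.extend(
        unified_diff(normalize(active_text), normalize(standby_text),
                     "active", "standby", lineterm="")
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ACTIVE_RULES, STANDBY_RULES))
```

Run it against the real file captures by replacing the two constructed strings with the file contents; a non-empty "only on Active" list after a deployment is the mismatch this bug describes and is the cue to redeploy once the Standby is back in the Standby Ready state.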

Conditions:
Pushing a deployment change to a pair of FTD devices while one of the units is in the HA Failed state.

Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.