Cisco Bug: CSCvv66942 - Failover may not be triggered when more than 50% of Snort instances are down

Last Modified

Oct 14, 2020

Products (1)

  • Cisco Firepower Management Center Virtual Appliance

Known Affected Releases

6.4.0.8

Description (partial)

Symptom:
In some cases when more than 50% of the Snort instances on the active unit are down due to missing dependent system configuration files or shared libraries, failover is not triggered in a Firepower high availability (HA) pair.

The status of the Snort instances and of the failover can be checked as follows on the Firepower Threat Defense (FTD) command-line interface (CLISH):

> show asp inspect-dp snort


SNORT Inspect Instance Status Info

Id Pid       Cpu-Usage    Conns      Segs/Pkts  Status
          tot (usr | sys)                         
-- ----- ---------------- ---------- ---------- ----------
0  12812   0% (  0%|  0%)   0          0        DEAD <---------more than 50% of Snort instances  have the DEAD status.
1  12809   0% (  0%|  0%)   0          0        DEAD
2  12817   0% (  0%|  0%)   0          0        DEAD
3  12813   0% (  0%|  0%)   0          0        DEAD
4  12814   0% (  0%|  0%)   0          0        DEAD
...
43 12850   0% (  0%|  0%)   0          0        DEAD
44 12820   0% (  0%|  0%)   0          0        DEAD
45 12819   0% (  0%|  0%)   0          0        DEAD
46 12811   0% (  0%|  0%)   0          0        DEAD
47 12810   0% (  0%|  0%)   0          0        DEAD

> show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None <------------------This unit is still active in HA
Other host -   Secondary
               Standby Ready  Comm Failure


Firepower-module1# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: fover Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.12(2)18, Mate 9.12(2)18
Serial Number: Ours ABCD1234, Mate ABCD1234
Last Failover at: 10:28:21 UTC Sep 9 2020
        This host: Primary - Active  <------------------This unit is still active in HA
                Active time: 45271 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.12(2)18) status (Up Sys)
                  Interface inside (192.0.2.1): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
                slot 1: snort rev (1.0)  status (up) <---------------------------------------------------Snort is shown as up
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Secondary - Standby Ready  <------------------Peer unit is still standby in HA
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.12(2)18) status (Up Sys)
                  Interface inside (192.0.2.2): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Not-Monitored)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Conditions:
All of the following conditions must match:

1. ASA or Firepower appliances running the FTD application in HA.
2. More than 50% of the Snort instances on the active unit are down due to missing dependent system configuration files or shared libraries.
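The check the symptom section walks through (count the DEAD rows of `show asp inspect-dp snort`, then confirm whether the unit still reports Active in `show failover`), as an added example that is not Cisco's code: a Python parser over constructed output in the page's format. It does not query the CLI itself (the captured text is passed in), and status strings other than DEAD are not interpreted.

```python
import re

# Constructed sample in the format of "show asp inspect-dp snort" (3 of 4 DEAD).
SNORT_OUTPUT = """\
Id Pid       Cpu-Usage    Conns      Segs/Pkts  Status
          tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
0  12812   0% (  0%|  0%)   0          0        DEAD
1  12809   0% (  0%|  0%)   0          0        DEAD
2  12817   0% (  0%|  0%)   0          0        DEAD
3  12813   1% (  1%|  0%)   5          0        UP
"""
# Constructed sample in the format of "show failover" (abridged).
FAILOVER_OUTPUT = """\
Failover On
Failover unit Primary
        This host: Primary - Active
                slot 1: snort rev (1.0)  status (up)
        Other host: Secondary - Standby Ready
"""
THIS_HOST_RE = re.compile(r"This host:\s+\S+\s+-\s+(\S+)")

def parse_snort_instances(text):
    """(id, pid, status) per data row: a row starts with two integers and
    ends with the Status column; header, separator and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0].isdigit() and tokens[1].isdigit():
            rows.append((int(tokens[0]), int(tokens[1]), tokens[-1]))
    return rows

def dead_fraction(instances):
    """Share of instances whose Status is DEAD (0.0 for an empty table)."""
    if not instances:
        return 0.0
    return sum(1 for _, _, s in instances if s == "DEAD") / len(instances)

def this_host_is_active(failover_text):
    """True when the 'This host:' line of show failover reports Active."""
    m = THIS_HOST_RE.search(failover_text)
    return m is not None and m.group(1) == "Active"

def check_snort_ha(snort_text, failover_text, threshold=0.5):
    """Flag the condition in CSCvv66942: more than `threshold` of the Snort
    instances DEAD while this unit still reports Active (failover expected)."""
    instances = parse_snort_instances(snort_text)
    fraction = dead_fraction(instances)
    active = this_host_is_active(failover_text)
    return {"total": len(instances), "dead_fraction": fraction,
            "active": active, "alert": active and fraction > threshold}
```

Run it against the real captures from both HA units; an `alert` of True on the active unit is the state the bug describes, where the unit should already have failed over.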