Cisco Bug: CSCvv69991 - FTD stuck in Maintenance Mode after upgrade to 6.6.1

Last Modified

Oct 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

9.14(1.100) 9.15(0.12)

Description (partial)

Symptom:
On an FTD device configured as a NetFlow exporter, rebooting the device renders it inoperable: it does not pass network traffic, and any HA/clustering functionality is suspended/disabled. In FDM deployments where you are using data interfaces for management, you cannot access the device that way.
 
However, the device is still accessible via console or the device management IP address. In FMC deployments, the device is still communicating with the FMC.
 
The pmtool status command confirms that the device traffic handling capability is down:
 
1. Access the Firepower CLI on the device. Log in as admin or another Firepower CLI user with configuration access.
 
In FDM deployments where you are using data interfaces for management, you will probably need to use the console to log in. In that scenario, some devices default to the operating system CLI, and require an extra step to access the Firepower CLI:
Firepower 1000/2100 series: connect ftd
Firepower 4100/9300 chassis: connect module slot_number console, then connect ftd (first login only)
 
2. At the Firepower CLI prompt, use the expert command to access the Linux shell.
 
3. Use the pmtool status command, entering your password when prompted:
sudo pmtool status | grep " - Down"
 
If you are affected, you will see output similar to the following:
 
ngfwManager (normal) - Down
ASAConfig (normal) - Down
ftw_monitor (normal) - Down
<UUID> (de,snort) - Down
<UUID> (de,snort) - Down
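
The check in step 3 can also be run over a saved copy of the `pmtool status` output, for example when triaging several devices. The shell functions below are an added example, not part of Cisco's bug text. The function names, the match rule (all three named processes plus at least one snort instance Down) and the sample lines, including the `Running` line and the UUID values, are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify captured `pmtool status` output against the
# CSCvv69991 symptom. Assumes lines shaped "<name> (<types>) - <State>".

# Emit "name<TAB>types" for every process reported Down.
down_processes() {
    awk '{
        sub(/\r$/, "")                 # console captures often carry CRs
        if ($0 ~ / - Down[ \t]*$/) {
            types = $2
            gsub(/[()]/, "", types)    # "(de,snort)" -> "de,snort"
            print $1 "\t" types
        }
    }'
}

# Exit 0 when stdin matches this example's rule: ngfwManager, ASAConfig and
# ftw_monitor are all Down and at least one snort instance is Down.
matches_symptom() {
    down_processes | awk -F'\t' '
        $1 == "ngfwManager"     { n = 1 }
        $1 == "ASAConfig"       { a = 1 }
        $1 == "ftw_monitor"     { f = 1 }
        $2 ~ /(^|,)snort(,|$)/  { s++ }
        END {
            printf "ngfwManager=%d ASAConfig=%d ftw_monitor=%d snort_down=%d\n", n, a, f, s
            exit !(n && a && f && s > 0)
        }'
}

# Constructed sample input; the Running line and UUIDs are placeholders.
sample_affected() {
    cat <<'EOF'
exampleProc (normal) - Running
ngfwManager (normal) - Down
ASAConfig (normal) - Down
ftw_monitor (normal) - Down
00000000-0000-0000-0000-000000000001 (de,snort) - Down
00000000-0000-0000-0000-000000000002 (de,snort) - Down
EOF
}

if sample_affected | matches_symptom; then
    echo "Output matches the CSCvv69991 symptom pattern"
fi
```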

Conditions:
Reboot a Version 6.6.1-90 FTD device for any reason while the device is configured as a NetFlow exporter. This includes the Version 6.6.1-90 post-upgrade reboot.

This issue affects:

  • FTD devices upgrading to Version 6.6.1-90, where you have already configured the device for NetFlow.
  • FTD devices running Version 6.6.1-90, where you plan to configure the device for NetFlow.
 
Note: You must use FlexConfig to configure this feature: flow-export destination.