Software Advisory: Inoperable FTD Device/NetFlow Exporter after Reboot (CSCvv69991)
Dear Cisco Customer,
Cisco engineering has identified the following issue. Review this notice to determine if the issue applies to your environment.
| Software Type |
Software Affected |
Software Solution |
| Cisco Firepower Threat Defense software |
Version 6.6.1-90 |
Either: · Version 6.6.1-91, if you have not yet upgraded. · Hotfix 6.6.1-A, if you already upgraded. |
Reason for Advisory
Cisco Firepower Version 6.6.1-90 was removed from the Cisco Support & Download site on 2020-09-16, due to the following issue:
CSCvv69991: FTD stuck in Maintenance Mode after upgrade to 6.6.1
It is replaced by Version 6.6.1-91.
Affected Platforms
This issue affects:
· FTD devices upgrading to Version 6.6.1-90, where you have already configured the device as a NetFlow exporter.
· FTD devices running Version 6.6.1-90, where you plan to configure the device as a NetFlow exporter.
Note You must use FlexConfig to configure this feature: flow-export destination.
Although this issue is restricted to FTD devices, to maintain version consistency we replaced Version 6.6.1 for all Firepower platforms.
Symptoms
On an FTD device configured for NetFlow, rebooting the device renders it inoperable—it does not pass network traffic, and any HA/clustering functionality is suspended/disabled. In FDM deployments where you are using data interfaces for management, you cannot access the device that way.
However, the device is still accessible via console or the device management IP address. In FMC deployments, the device is still communicating with the FMC.
The pmtool status command confirms that the device’s traffic handling capability is down:
1. Access the Firepower CLI on the device. Log in as admin or another Firepower CLI user with configuration access.
In FDM deployments where you are using data interfaces for management, you will probably need to use the console to log in. In that scenario, some devices default to the operating system CLI, and require an extra step to access the Firepower CLI:
· Firepower 1000/2100 series: connect ftd
· Firepower 4100/9300 chassis: connect module slot_number console, then connect ftd (first login only)
2. At the Firepower CLI prompt, use the expert command to access the Linux shell.
3. Use the pmtool status command, entering your password when prompted:
sudo pmtool status | grep “ – Down”
If you are affected, you will see output similar to the following:
ngfwManager (normal) - Down
ASAConfig (normal) - Down
ftw_monitor (normal) - Down
<UUID> (de,snort) - Down
<UUID> (de,snort) – Down
Conditions
Reboot a Version 6.6.1-90 FTD device for any reason while the device is configured for NetFlow. This includes the Version 6.6.1-90 post-upgrade reboot.
Workaround Options
Already experiencing failure
If you are already experiencing this issue, contact Cisco TAC.
Running Version 6.2.3 through Version 6.6.0
If you have not yet upgraded to Version 6.6.1, use Version 6.6.1-91. If you already downloaded Version 6.6.1-90, do not use it.
Running Version 6.6.1-90 on an FTD device
If you already successfully upgraded FTD to Version 6.6.1-90, do not configure NetFlow until you apply Hotfix A. This advisory will be updated with links to the hotfix once it becomes available.
Note If you never configure your device for NetFlow, you will not experience this issue. However, we recommend you apply the hotfix as a precautionary measure.
Running Version 6.6.1-90 on any other platform
It is safe to continue running Version 6.6.1-90 on all FMCs, ASA FirePOWER modules, and NGIPSv.