Cisco Firepower 6.7 Crash Issue - management-access inside & snmp-server host inside

rauenpc, Senior Network Specialist
CERTIFIED EXPERT
After upgrading Cisco FTD to 6.7.0-65, deployments via FMC do not complete and cause a crash.
Recently, Cisco released version 6.7 for its Firepower platform. It offers some great features that many customers are eager to use, but it also comes with a significant bug for some.

Recently I experienced this bug and also was lucky enough to get the right TAC engineer on the line that was able to figure out a way to fix it.

This particular bug is experienced when the device is configured in a specific way: the combination of the Flex-config command 'management-access inside' together with 'snmp-server host inside'. It could be a different interface, but both commands would reference the same interface. That combination causes a crash whenever any change is made afterwards, which makes deploying impossible and reboots the FTD device.

Here's how to fix this.

!!!!! NOTE - THIS IS A DANGEROUS METHOD AND SHOULD ONLY BE USED WITH TAC ASSISTANCE. THIS METHOD IS A LAST RESORT AND COULD CAUSE MORE ISSUES THAN THE BUG ITSELF. ALSO, I WOULD EXPECT THAT THIS ISSUE IS RESOLVED EARLY IN 2021 (ISSUE IS SPECIFIC TO 6.7.0-65 TO MY KNOWLEDGE), SO HOPEFULLY THIS METHOD IS ONLY USEFUL/NEEDED FOR A MONTH OR TWO.

To start, make sure you read the warning above. Maybe read it twice :)

In the FMC, change the Platform Settings for the device and make sure to remove all SNMP configuration. In the Flex Config policies, remove the policy that applies the 'management-access inside' command. You won't be able to deploy yet, but we need to make sure that the commands are not re-deployed later.

SSH to the FTD device. Go to expert mode, then use 'sudo su' to gain root privileges. From there we will run a command to edit the LINA startup file directly. Delete the config lines for snmp-server as well as 'management-access inside'. Save the configuration, and reboot the device.

Last login: Sat Dec 12 05:32:36 UTC 2020 from 192.168.x.x on ssh
Successful login attempts for user 'admin' : 7

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.7.0 (build 62)
Cisco Firepower 1010 Threat Defense v6.7.0 (build 65)

> expert
admin@FTD:~$ sudo su
Password: 
root@FTD:/home/admin# vim /mnt/disk0/.private/startup-config

[startup-config will be brought up in the vim editor. Find the snmp-server config lines and delete them. Find the management-access config line and delete it. Save changes by typing :wq!  ]

root@FTD:/home/admin# reboot

Once the reboot has completed, the snmp-server and management-access commands will no longer exist. You should be able to successfully deploy via FMC. You could attempt some other means of monitoring via SNMP, or perhaps employ some patience and wait for the fix to this bug to be released.
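As an added example (not from the article, and not a Cisco tool), here is a POSIX shell equivalent of the vim step: it removes the snmp-server and management-access lines from a startup-config file, keeps a timestamped backup, and lets you check before and after. The sample config contents are constructed, the file path is taken from $1, and the match pattern assumes the lines start with 'snmp-server' or 'management-access' (optionally prefixed with 'no '), as they do in an ASA/LINA config; run it against a copy of /mnt/disk0/.private/startup-config first.

```shell
#!/bin/sh
# Lines to drop: snmp-server ... / management-access ..., with or without
# a leading "no ". Anchored at column 1 so interface sub-commands stay.
PAT='^(no )?(snmp-server|management-access)( |$)'

# Write a constructed sample startup-config (not a real device's) to $1.
make_sample_config() {
    cat > "$1" <<'EOF'
: Saved
hostname FTD
interface Vlan1
 nameif inside
 security-level 100
management-access inside
snmp-server host inside 192.0.2.10 community ***** version 2c
snmp-server location DC1
snmp-server contact noc
no snmp-server enable traps
logging enable
EOF
}

# Show (with line numbers) what would be removed, without touching the file.
preview_offending() {
    grep -nE "$PAT" "$1" || true
}

# Number of offending lines left in the file; 0 means it is clean.
count_offending() {
    grep -cE "$PAT" "$1" || true
}

# Save a backup next to the file, then rewrite it without the offending
# lines. sed -i is not POSIX, so write a temp file and move it into place.
strip_offending() {
    f="$1"
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$f" "$bak" || return 1
    sed -E "/$PAT/d" "$bak" > "$f.tmp" || return 1
    mv "$f.tmp" "$f" || return 1
    echo "removed $(grep -cE "$PAT" "$bak") line(s); backup saved to $bak"
}

# Usage on a copy: preview_offending copy.cfg; strip_offending copy.cfg;
# count_offending copy.cfg   (expect 0 afterwards)
```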
