Cisco FTD Device Platform settings issues…

Are you running Cisco Firepower Threat Defense (FTD) and having issues when you deploy your Device Platform settings? You are not alone, and no, you are not crazy! The platform settings can make the entire FTD box stop passing ALL traffic, even if it is configured correctly!! Yikes!!

Yes, there are some undocumented issues with the Cisco FTD platform settings, and it’s possible that you are experiencing issues that I have not seen and vice versa, but here is the most common problem I have:

First, the reason you need the platform settings on your FTD device is to configure items such as ICMP (see my ICMP blog), packet segmentation, NTP server, SNMP, Email and Syslog, SMTP, along with a few other things.

What I have found is that this is difficult to diagnose. If your platform policy doesn’t work, your FMC will tell you nothing…no events, no alerts, nothing. It was pretty hard to find this issue…however, I did get the issue resolved after removing the external Syslog server settings and leaving the internal server settings, and traffic started flowing inside/outside again…that could be the issue, or that could be just one issue at work here…not sure yet…

So, if your FTD box just stops working (stops passing all traffic!), and there are no events on the console or FMC, then remove your Platform policy from Devices>Platform Settings, redeploy, and that should solve your issue…

Crazy!

Todd Lammle

5 Comments

  1. Hi Todd

    Thanks for your note, we faced the same problem at a customer, resulting in the whole site being isolated… I can confirm 100% that the configuration of syslog settings made all the traffic drop.
    It took hours to find out that the problem was related to the syslog configuration, the Cisco TAC engineer was not aware of this bug and we had to find it by ourselves…

    FTD is still not ready for a production environment, I am – again – very disappointed with the quality of Cisco code

    1. Yes, the platform issue was horrible and I had to deal with it myself, with no help or acknowledgement of the issue from Cisco. However, with all that said, the 6.2.3 code seemed to have fixed it, even though they never listed it as a problem to begin with.
      All of the problems in my blog, and there are a LOT, have been fixed (so far) with the new 6.2.3/6.3 code…
      I’ve upgraded 40 customers and had no issues on the upgrade, and almost all of the problems have been fixed, with some customers running 6.3 code as well as a beta from Cisco…

  2. Hi Todd

    The painful part about the FTD upgrade to 6.2.3 is that first FMC needs to be upgraded to 6.2.3, then the FXOS code on the 4100 devices needs to be upgraded (standby first) to 2.3, then FTD on the 4100 devices (standby first) to 6.2.3

    Then hope you don’t get any calls :)

  3. I know this is an old topic, but I’ve just run into this issue with the 6.2.3.13 version. Under the Platform Policy – Syslog servers there is a tick box (Allow user traffic to pass when TCP syslog server is down (Recommended to be enabled)) that can completely stop all the traffic that is going through the device if the syslog server (in case of TCP) is not reachable. Good to know.

    1. This was a serious problem up until 6.3 and would make an FTD box a brick. That’s an old ASA command that didn’t allow traffic through if it couldn’t log with TCP. For some reason, that was enabled by default in FTD. Only starting in 6.3 did they disable that horrible feature by default.
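An added pre-deployment check (my own example, not code from the post or from Cisco) that encodes the failure mode described in the post and in the last two comments: a TCP syslog server that is unreachable, combined with the "Allow user traffic to pass when TCP syslog server is down" box unticked, means the deployed Platform policy stops all traffic. The settings model, the server addresses and the stub probe are constructed assumptions, not FMC API objects.

```python
import socket
from dataclasses import dataclass
SEVERITY = {"OK": 0, "RISK": 1, "WARN": 2, "BLOCKING": 3}

@dataclass
class SyslogServer:
    host: str
    port: int
    protocol: str  # "TCP" or "UDP"; only TCP syslog can trigger the hang

@dataclass
class PlatformSyslogSettings:
    servers: list
    # the FMC tick box "Allow user traffic to pass when TCP syslog server is down"
    allow_traffic_when_tcp_syslog_down: bool

def tcp_reachable(host, port, timeout=2.0):  # live probe: can we open host:port?
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(settings, probe=tcp_reachable):
    """One (severity, detail) per TCP server; BLOCKING = deploying now stops all traffic."""
    findings = []
    for s in settings.servers:
        if s.protocol.upper() != "TCP":
            continue
        up, where = probe(s.host, s.port), f"{s.host}:{s.port}/TCP"
        if not up and not settings.allow_traffic_when_tcp_syslog_down:
            findings.append(("BLOCKING", f"{where} unreachable and pass-through disabled"))
        elif not up:
            findings.append(("WARN", f"{where} unreachable; pass-through on, only logs are lost"))
        elif not settings.allow_traffic_when_tcp_syslog_down:
            findings.append(("RISK", f"{where} up now, but an outage would drop all traffic"))
    return findings

def verdict(settings, probe=tcp_reachable):  # worst severity, or "OK"
    return max((f[0] for f in assess(settings, probe)), key=SEVERITY.get, default="OK")

def demo_probe(host, port):  # constructed offline stand-in: only 10.0.0.5 answers
    return host == "10.0.0.5"

DEMO_SETTINGS = PlatformSyslogSettings(  # constructed sample policy
    servers=[SyslogServer("10.0.0.5", 1470, "TCP"),  # up
             SyslogServer("10.0.0.9", 1470, "TCP"),  # down
             SyslogServer("10.0.0.9", 514, "UDP")],  # ignored
    allow_traffic_when_tcp_syslog_down=False)  # the pre-6.3 default
```

`verdict(DEMO_SETTINGS, demo_probe)` returns "BLOCKING" for the sample policy. To check a real policy before deploying, pass the default `tcp_reachable` probe and run it from a host that has the same reachability to the syslog servers as the FTD itself.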
