Don’t configure Security Zones on Cisco 4100’s before creating HA Group!


Odd to me that I can’t configure security zones on a Cisco’s new 4100 FTD devices before I create a HA pair.
Worked in Indianapolis last week and setup a pair of 4100’s running as FTD….started the HA pairing Friday and Monday it was still going.

The customer then found this bug listed on cisco:

FTD HA creation failed due to DB lock issue
HA not formed successfully.

Large number of security zones configured

Create HA pair first and then associate Security zones. Don’t perform any activity on FMC while HA formation is in progress

So, short version of issue:
Don’t assign security zones to interfaces before HA establishment. This also means that when registering the FTD to the FMC, use an access policy that doesn’t contain any security zones or else the deployment will fail.

So, when does this get fixed? In 6.2.1 code which is out in May – BUT ONLY for 2100 devices! 6.2.1 will not be available for anything BUT the 2100’s!

This does NOT fix this issue for the 4100/9300! 6.2.2 will be available late July for the other devices….

May:Firepower 6.2.1/ASA 9.8.1 for 2100 device only
· Firepower 2100 series support with Firepower Threat Defense
· Remote Access VPN capabilities for the Firepower 2100 (running Firepower Threat Defense)
· ASA 9.8.1 only, features MOBIKE, VTI

July: Firepower 6.2.2/ASA 9.8.2 for other devices
4100/9300, 5506-5555 support. Also, remote Access VPN will finally become available.


Want incredible training on Cisco Firepower Threat Defense?
I have classes, books and more!

Leave a Reply

Your email address will not be published. Required fields are marked *