71 Comments

  1. Jonathan
    April 29, 2019 @ 8:41 am

    Did you upgrade the FTD to 6.4 as well and then test Deploy time? Or did you only upgrade the FMC? I believe you will see an improvement in deploy time once both devices are on same version.

    Reply

    • lammle
      April 29, 2019 @ 8:43 am

      Hi Jonathan, thank you for your post.
      I did both, and I received the same deploy time with both, which were the same as 6.2.3/6.3 deploys.
      I have a full class this week and I will get a lot of perspective with the code!
      I’ll post again at the end of this week!
      Todd

      Reply

      • Jonathan
        April 29, 2019 @ 8:52 am

        I will update you on our deploy times once I upgrade (currently on 6.2.3). I have heard of others saving a few minutes on deploy. Hopefully it helps us.

        Reply

        • lammle
          May 1, 2019 @ 6:55 pm

          so I added two 6.4 devices and the deploy time was a lot faster, but it’s not apples to apples, as the 6.4 devices had 16G of RAM and 8 cores, more than twice my other devices

          Reply

          • Jonathan
            May 4, 2019 @ 8:50 am

            Cool. I upgraded one 2110 FTD and now our WCCP redirect isn’t working and getting two security intelligence list feed errors. Not cool.

    • Roy
      May 7, 2019 @ 1:06 pm

      Just sharing my deploy time experience. I have 3 2110 FTDs talking to a Virtual FMC. The FTDs are all configured the same with 1Gb interfaces. Right now I have 2 at 6.3.0.3 and one at 6.4.0. First of all I saw a significant deploy reduction when I went from 6.2.3.x to 6.3.x. I cut about 30 to 40 seconds on average off the deploy times after I switched. I could easily confirm this by only upgrading one FTD and then deploying the exact same config to all 3. The one that was upgraded to 6.3 always deployed faster. I did this same test after upgrading the one to 6.4.0 and so far I have not seen any improvement over 6.3. All of my deployments have been the same over all 3 FTDs. I am looking at about 1:35 deploy times. That does bring up a curious question. What general deploy times are you guys seeing?

      Reply

      • lammle
        May 7, 2019 @ 3:28 pm

        I have two 5506 FTDs with 6.2.3 and two vFTDs with 6.4.
        The 6.4 code is faster, but it’s not a fair comparison as the 6.4 has 8 cores and 16G of RAM….
        I’m seeing upward of 6 minutes, with all policies configured..

        Reply

  2. Steve Drzaszcz
    April 29, 2019 @ 10:13 am

    Is it worth it to sunset 5506-X devices that can never get to 6.4? 6.4 FMC still allows for management of them even if they are only on 6.2.3 right?

    Reply

    • lammle
      April 29, 2019 @ 11:58 am

      they are going to announce the new 1000 FTD series at Cisco Live, so don’t buy any more 5506s!!

      Reply

    • lammle
      April 29, 2019 @ 11:59 am

      yes, you can use the 6.2.3.10 code for a long time!

      Reply

  3. tewv.networks
    May 1, 2019 @ 9:51 am

    Can anyone give me info on WCCP configuration? We have FTD 2120s and want to use Barracuda devices but not inline, HELP

    Reply

  4. Roy
    May 3, 2019 @ 1:12 pm

    Hey Todd,

    I upgraded FMCv and 1 FTD to 6.4.0 from 6.3.0.2 and under Status|Product Updates FMCv shows Current 6.4.0 and Latest 6.4.0. But the FTDs show Current 6.3.0.2 and 6.4.0 but the Latest shows 2019. Have you seen this on any of your deployments?

    Reply

    • lammle
      May 4, 2019 @ 8:55 am

      you mean one 2110 to 6.4? Yea, it’s not ready yet. I had too many problems this last week. 6.3.0.2 is great…wait for 6.4.0.1

      Reply

      • Jonathan
        May 4, 2019 @ 9:19 am

        Yes. To 6.4. HA FMC pair upgraded fine and don’t see any issues with that.

        Time for TAC I guess. That’s too bad. Was hoping for no issues.

        Reply

        • lammle
          May 4, 2019 @ 9:27 am

          so most of 6.4 worked fine, yes, but we found issues and I haven’t had time to write them up yet….we found a serious issue, and then a few not so serious issues….I’ll create a new post soon…
          Jonathan, always just ping me before you upgrade, I won’t mind getting an email…about 100 people do every time code comes out…I get to test it seriously in production (not beta, but in real life areas) when it is released. My response to my customers was NO on 6.4 for now…there is great stuff here, just wait for 6.4.0.1

          Reply

          • Jonathan
            May 4, 2019 @ 6:23 pm

            5 hours on phone with TAC. 6.4 breaks WCCP. Had to reimage production firewall. 2110 FTD. Not fun.

          • lammle
            May 4, 2019 @ 6:48 pm

            Did they not know this, and why it took so long? No, that is not fun….we’ll have to remember to never do a .0 code again! Sorry Jonathan!

          • Earl G
            May 21, 2019 @ 12:00 pm

            I’m glad I’m reading over these comments before upgrading my customer over to 6.4

          • lammle
            May 21, 2019 @ 12:20 pm

            Hi Earl, yes, you should read all my posts on 6.4, and now 6.4.0.1
            there are some great features with 6.4, and 6.4.0.1 solved the problems I mention in this post
            thanks for writing
            Todd

    • Jonathan
      May 5, 2019 @ 12:02 pm

      Roy, yes, my FMC is doing same thing. Showing 2019 as latest for FTDs. Pretty annoying.

      Reply

      • Roy
        May 5, 2019 @ 9:10 pm

        Thanks Jonathan for confirmation. I’m glad you guys brought up the issues before I upgraded my production FTDs. I did upgrade FMC though. Should I revert that back to 6.3 or will I be ok with just leaving the FTDs at 6.3?

        Reply

          • lammle
            May 6, 2019 @ 4:52 am

            I have mine at 6.4 and it is good, but I did have the Firepower Network Discovery issue, but I used the workaround.

      • Roy
        May 6, 2019 @ 7:18 am

        So my Geo-location updated to the latest version over the weekend and now my latest is showing correctly. Can’t say for sure that is what cleared it up but that is the only thing that changed.

        Reply

        • lammle
          May 6, 2019 @ 7:22 am

          Thanks, Roy, for all your posts and information! Very helpful

          Reply

        • Jonathan
          May 10, 2019 @ 7:12 am

          Roy,

          Yes, mine is fixed now too. Showing correct update version. No more 2019 (which didn’t even make sense)

          Reply

  5. lammle
    May 6, 2019 @ 4:55 am

    There is a bug you need to be aware of!
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos

    Make sure you are running one of these FTD codes:
    6.2.3.12, 6.3.0.3 or 6.4.0

    Reply

  6. tewv.networks
    May 7, 2019 @ 6:21 am

    Hi
    Anyone give me info on configuring the FTD for WCCP redirection to 3rd party devices please?

    Reply

    • lammle
      May 7, 2019 @ 6:47 am

      That is just one thing I have not done. I hope you find your solutions! Maybe call barracuda?

      Reply

    • lammle
      May 7, 2019 @ 6:49 am

      good morning. This is one thing I have not done, and I hope you find your solution soon. Did you call barracuda?

      Reply

    • Deepak Chauhan
      May 8, 2019 @ 3:57 am

      I have done this for Websense on FTD 6.2.3. Pretty simple, using FlexConfig, as you do it regularly in ASAs.

      Reply

    • Jonathan
      May 10, 2019 @ 7:16 am

      Yes, you have to use FlexConfig. The setup is really the same as an ASA. There are guides online.

      Keep in mind our WCCP broke on 6.4. We had to go back to 6.2.3

      https://community.cisco.com/t5/firewalls/wccp-redirection-on-firepower-ftd-2110/td-p/3219612

      Reply

  7. Roy
    May 16, 2019 @ 8:41 am

    6.4.0.1 is out now. Has anyone tried it? Did it clear up the bugs in 6.4.0 if so?

    Reply

    • lammle
      May 16, 2019 @ 8:42 am

      Hi Roy, they list a couple of fixes in the release notes, but I’m at a customer and will need more time before I can get to this, but I will shortly! I know other people have started testing! Will post results!
      thank you!

      Reply

  8. Roy
    May 17, 2019 @ 8:37 am

    I just thought of something that has been annoying me since day one. I use a custom block page for URL filtering. Has anyone found a way to show the category of why the user was blocked? I have not been able to figure that out. Right now I just have it to where it shows the URL they accessed with a hyperlink to talos so they can click to show the category. But that is cumbersome and not very clean. I have been wanting to just integrate it directly into the page but can’t seem to get it going. If you have done this your help is greatly appreciated.

    Reply

    • lammle
      May 17, 2019 @ 8:45 am

      any way to show me your custom block page? todd@lammle.com

      Reply

      • Roy
        May 17, 2019 @ 11:50 am

        Alright I got wrapped up but you should have it.

        Reply

  9. Roy
    May 21, 2019 @ 3:36 pm

    Got a new one for you guys. FMCv is 6.4.0.1 FTD 2110 is 6.3.0.3. Setup a correlation Policy to email on rule hits. The events are happening but nothing is emailing. I can see the events in correlation events to confirm and it shows the policy and rule being generated. I know email is working because the email relay test works and other events are emailing. Just none of the correlation events. Have any of you seen this or can duplicate? I did not have any setup before so I can’t say if it has ever worked on prior versions.

    Reply

    • Roy
      May 23, 2019 @ 6:59 am

      Updated the FTD to 6.4.0.1 to see if that would be the fix and it is still not emailing. So it is either a problem with 6.4.0.1 or I have something horribly wrong going on. I did test the relay again to make sure it was working.

      Reply

      • Roy
        May 23, 2019 @ 9:51 am

        OK, never mind. I found the reason why it isn’t working: “external email alerting is not supported for connection events”. Although not really sure why that isn’t an option.

        Reply

    • lammle
      May 24, 2019 @ 7:56 am

      So I have a lab that uses a rule that, when it’s hit, generates an email. I think if you were using plain connection events, then that is the issue as you stated, but I know I can get it for a particular rule hit

      Reply

    • Jonathan
      May 24, 2019 @ 1:40 pm

      Roy,

      This worked for us in 6.2.3.6. Now that I went to FMC 6.4, it broke. No longer works. I am seeing the exact same thing you are.

      I have a TAC case open on it. They are trying to help me out. No luck as of yet.

      Reply

      • lammle
        May 24, 2019 @ 3:06 pm

        Jonathan, I knew I had that working in a lab before!

        Reply

      • lammle
        May 30, 2019 @ 2:03 pm

        Roy, did this get resolved?

        Reply

    • Jonathan
      June 10, 2019 @ 11:37 am

      Cisco is able to reproduce this in their LAB. I have a ticket with them. This seems like an issue in the 6.4 code.

      Reply

      • lammle
        June 10, 2019 @ 11:40 am

        Jonathan, did they not fix this in the 6.4.0.1 update?

        Reply

        • Jonathan
          June 10, 2019 @ 12:33 pm

          No they did not.

          Reply

        • Jonathan
          June 26, 2019 @ 12:59 pm

          Reply

          • lammle
            June 26, 2019 @ 1:13 pm

            still waiting for 6.4.0.2!

          • Roy
            June 26, 2019 @ 2:36 pm

            Sorry been away for a while. I didn’t get it working and thank you Jonathan for figuring out it is a bug. Kind of sucks that we have to wait that long for it to be fixed but at least they are looking into it.

  10. Brandon
    May 30, 2019 @ 1:56 pm

    Are the SNORT restart improvements to the point that when an IPS policy or VDB update is deployed it won’t cause traffic disruption? We use a pair of FTD 4110s (on 6.2.3.10) as a datacenter firewall and one of the major headaches is not being able to update the IPS except during scheduled outage windows because these deployments always cause a 3-second disruption in traffic. This creates havoc with some of the more sensitive applications trying to communicate during this window. A version that resolves this is highly anticipated for us.

    Thank you for making these blog posts and sharing your experiences.

    Reply

    • lammle
      May 30, 2019 @ 2:03 pm

      Great, thank you for posting!
      3 seconds seems like a long time for a 4110. It’s possible if you have a lot of big policies I suppose.
      The 6.4.0.1 seems faster, but only when I am running the devices and FMC all at 6.4.0.1
      I believe it would be faster than any version of 6.2.3, but you’d still have to test it.
      Been beating the hell out of 6.4.0.1 and it is pretty stable with good features. Maybe worth a try!
      Backup first! 🙂

      Reply

  11. Patrick Burke
    June 24, 2019 @ 12:08 pm

    I have been struggling to get DUO as a secondary server for RAVPN on FMC 6.4. Has anyone got this working?

    Reply

    • lammle
      June 24, 2019 @ 12:51 pm

      I have not heard of this, no. Please keep us updated on your progress.

      Reply

  12. Roy
    June 27, 2019 @ 8:26 am

    6.4.0.2 is out now.

    Reply

  13. lammle
    June 27, 2019 @ 3:51 pm

    upgraded to 6.4.0.2
    took 1 hour 42 min from 6.4.0.1
    dang…

    Reply

  14. Matthew Rawles
    June 30, 2019 @ 7:35 am

    Hi

    We went from FMC (FMC4000) 6.3.0.1 to 6.4.0.2 on Thursday evening last week and have had loads of issues following the first deployment to larger devices (we have a lot of 55xx devices). 4 of our 5525 clusters stopped allowing DNS, and our two 5545 and 5555 clusters (used for Site2Site VPNs) started crashing with SNORT process issues (SNORT just craps out following the initial deploy of the updated SRU; the first deploy updated snort then timed out, second+ deploys just timed out with “waiting for SNORT”). In the end I managed to deploy to one only after downing the interfaces on it and manually restarting the snort process. TAC have been zero help so far.

    I have a TAC call open; the only way to get the devices operational was to switch off most of the network analysis rules and set the firewall to any-any allow. We think it’s the IPS rule set that is the cause of all this and something fried it when we went to 6.4.0.2.

    We have been desperate for this upgrade as our deployment screen had got to 5 minutes plus before offering a device to deploy and this version fixes that.

    Regards

    Matthew

    Reply

    • lammle
      June 30, 2019 @ 7:49 am

      Matthew, turning your devices into hubs isn’t much of a solution, but one I see way too often
      If you’d like, I’ll login with Webex with you and take a look with you. email me todd@lammle.com

      Reply

      • Matthew Rawles
        July 1, 2019 @ 4:02 pm

        It’s an official bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34224 – Severity: 1 Catastrophic – thanks for the offer to help, the nice people at TAC seem to be on the case so we will see what tomorrow brings!

        Reply

        • Todd
          July 1, 2019 @ 4:07 pm

          okay, please let us know what happened

          Reply

          • Matthew Rawles
            July 6, 2019 @ 3:11 am

            Hi

            Cisco released 6.4.0.2-35 this week and pulled 6.4.0.2-34, plus they released Hotfix F.

            Apparently if you went up to 6.2.3.14, 6.3.0.4 or 6.4.0.2 (FMC only) and you had any HA devices you could have the symptoms we had (basically the firewall stops working, snort crashes, HA fails etc..)

            They have updated the bug report

            https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34224

            I even had an email from Cisco warning me because I’d downloaded the 6.4.0.2-34

            Our records indicate that you have recently downloaded a Firepower 6.4.0.2-34 image from Cisco.com. A bug was found on this version that impacts Firepower Threat Defense (FTD) devices when deployed in High Availability (HA) mode. This bug, CSCvq34224, can cause failures to occur in the detection engine, resulting in traffic disruptions. In some cases this may also result in failovers and deployment failures.

            The problem may not be immediately observed upon upgrade. Once the management device is updated, and a deployment is done, the symptoms of this bug may be encountered.

            NOTE: If you are NOT using Firepower Threat Defense in High Availability (HA) mode, this bug will not impact you and no action is required, even if you have installed the impacted version.
            NOTE: If you are using Firepower Threat Defense in High Availability mode, and have already updated to the impacted version but have not encountered the issue, it is still highly recommended that you follow the steps below to avoid encountering the issue.

            What to do if you have already installed 6.4.0.2-34:
            Install 6.4.0 Hotfix F (from CCO) on both FMC and managed devices

            Cisco recommends that you install the hotfix on all devices, starting with the management device. If your Firepower Threat Defense High Availability pair is managed by an FMC it is not required to update the FTD devices, but it is recommended in the event that you want to use Firepower Device Manager (FDM) to manage these devices in the near future.

            What to do if you have downloaded 6.4.0.2-34 but have not yet installed it:
            You should delete the build 34 patch (i.e. Cisco_Firepower_Mgmt_Center_Patch-6.4.0.2-34.sh.REL.tar) and download the build 35 patch from CCO (i.e. Cisco_Firepower_Mgmt_Center_Patch-6.4.0.2-35.sh.REL.tar) and install this instead.

            More information related to this issue can be found at the following link:
            https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq34224

            Regards

            Matthew
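
            Two posts in this thread give version facts worth checking mechanically before and after an upgrade: comment 5 lists the FTD releases that carry the fix for cisco-sa-20190501-asa-frpwrtd-dos (6.2.3.12, 6.3.0.3, 6.4.0), and the Cisco notice quoted above ties CSCvq34224 to FMC 6.4.0.2-34 managing FTD HA pairs, with 6.2.3.14 and 6.3.0.4 also named in Matthew’s summary. The Python script below is an added example written for this page, not code from the blog, the commenters or Cisco. It encodes exactly those lists and makes three labelled assumptions: a later patch on the same train (e.g. 6.4.0.1) keeps the DoS fix; an affected patch version whose build number cannot be read from the string is treated as exposed; and trains the thread never mentions are treated as unpatched. Version strings such as 6.4.0.2-35 follow the patch file name in the notice. The inventory in the usage block is constructed, not taken from any post.

```python
"""Check Firepower version strings against the fixed and affected releases
named in this comment thread (added example; not from the blog or Cisco)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, maintenance, patch

# FTD releases with the fix for cisco-sa-20190501-asa-frpwrtd-dos, as listed
# in comment 5, keyed by release train. Assumption: a later patch on the same
# train also carries the fix; trains not listed are treated as unpatched.
DOS_FIXED: Dict[str, Version] = {
    "6.2.3": (6, 2, 3, 12),
    "6.3.0": (6, 3, 0, 3),
    "6.4.0": (6, 4, 0, 0),
}

# FMC releases named for CSCvq34224 in the Cisco notice quoted above. Only
# 6.4.0.2 has a build number (34) in the notice; 35 is the re-release.
# Assumption: for the other two, any build of that patch counts as affected.
HA_BUG_AFFECTED: Dict[Version, Optional[int]] = {
    (6, 2, 3, 14): None,
    (6, 3, 0, 4): None,
    (6, 4, 0, 2): 34,
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,3})(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[Version, Optional[int]]:
    """'6.4.0.2-35' -> ((6, 4, 0, 2), 35); '6.2.3' -> ((6, 2, 3, 0), None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firepower version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad short strings to four components
    build = int(m.group(2)) if m.group(2) else None
    return (parts[0], parts[1], parts[2], parts[3]), build


def train_of(version: Version) -> str:
    """Release train is the first three components, e.g. '6.3.0' for 6.3.0.3."""
    return ".".join(str(p) for p in version[:3])


def dos_advisory_fixed(ftd_version: str) -> bool:
    """True if the FTD release is at or beyond the fixed release on its train."""
    version, _build = parse_version(ftd_version)
    fixed = DOS_FIXED.get(train_of(version))
    return fixed is not None and version >= fixed


def ha_bug_exposed(fmc_version: str, ftd_ha_pairs: bool) -> bool:
    """True if an FMC at this version managing FTD HA pairs matches CSCvq34224.

    Per the notice, deployments without FTD HA are not impacted. A patch
    version with no build number is treated as exposed (conservative).
    """
    if not ftd_ha_pairs:
        return False
    version, build = parse_version(fmc_version)
    if version not in HA_BUG_AFFECTED:
        return False
    affected_build = HA_BUG_AFFECTED[version]
    if affected_build is None or build is None:
        return True
    return build == affected_build


def triage(fmc_version: str, ftd_versions: List[str], ftd_ha_pairs: bool) -> List[str]:
    """Return the follow-up actions the two notices imply for this inventory."""
    actions: List[str] = []
    for v in ftd_versions:
        if not dos_advisory_fixed(v):
            actions.append(f"FTD {v}: below the fixed release for cisco-sa-20190501-asa-frpwrtd-dos")
    if ha_bug_exposed(fmc_version, ftd_ha_pairs):
        actions.append(f"FMC {fmc_version} with FTD HA pairs: affected by CSCvq34224, see the Cisco notice")
    return actions


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    for action in triage("6.4.0.2-34", ["6.2.3.10", "6.3.0.3", "6.4.0.1"], ftd_ha_pairs=True):
        print(action)
```

            Note that ha_bug_exposed() deliberately says "exposed" for a bare 6.4.0.2 with no build suffix: the notice only clears build 35, so a version string that cannot prove the build is not evidence of safety.
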

          • lammle
            July 6, 2019 @ 7:21 am

            thanks, Matt, for letting us know about this! We had some issues in class and I couldn’t figure out what was wrong with our HA!

          • Jonathan
            July 8, 2019 @ 6:30 am

            So did the FTD devices have to be on 6.4 code as well? Or just the FMC?

            I have installed 6.4.0.2-34 and have HA pairs but have not noticed any issues that I can tell. Our FTD devices are not on 6.4 however.

  15. lammle
    July 8, 2019 @ 6:34 am

    Jonathan, I had all my devices as 6.4.0.x and we had the problem constantly.
    thanks for posting!

    Reply

  16. Roy
    July 8, 2019 @ 6:43 am

    Another unrelated question. I have been having a problem since day 1 of installing my 2110s. I have a VPN tunnel between two of them and I can only get around 120Mb across the tunnel even though the circuits at both ends are 1Gb and I can get those speeds over the internet, just not the tunnel. I have had Cisco working on it for months. On my 5th Engineer now. Has anyone setup a tunnel with the FTDs, especially the 2110, and if so, have you gotten full speeds?

    Reply

  17. Jonathan
    July 19, 2019 @ 12:00 pm

    The new GUI hit counter is not accurate. Have you noticed that? I do not know where they are getting the hits from for that. I don’t think they are combining the hits from the different parts of the system (access-control-config vs. access-list)

    Depending on what type of rule and traffic, it could make a hit in either of those access lists.

    The GUI hit counter is not even close to some of my CLI output hit counters. I was excited for this in 6.4 but now can’t even trust it anyway seems like.

    Reply

    • lammle
      July 19, 2019 @ 12:05 pm

      that’s correct. I have opened two different tickets on this. It’s useless as is.

      Reply

      • Jonathan
        July 19, 2019 @ 12:10 pm

        Yes, I agree. Lots of “0” hits, but that doesn’t mean you can remove the rule cause I see hits in the CLI in one or the other lists. Crazy!! Who the heck is programming this stuff??? 🙂

        Reply

  18. lammle
    July 19, 2019 @ 12:39 pm

    yea, but at least I have got to the top and they are seriously working on it…they can reproduce easily enough

    Reply
