One of my biggest frustrations with Cisco Firepower Threat Defense is when deployment gets stuck. Normally 1-3 minutes is all it takes to deploy change after making it but once you see it go back 5 or 10 you usually have a problem. Some screenshots online have hours and even hundreds of hours basically it never finishes. Usually this is caused by two problems. One you can back off the change in the Firepower Management Console and remake it or two the firewall just needs to be rebooted before doing either you have to stop the job from deploying.
First we run Omniquery.pl
admin@myfmc:~# OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification;" | grep "\ 7\ "
Then we get the results and take the uuid
| 7 | task:category.149 | 000000610000BD2B000244600005009E | |
Take that uuid and enter it in this delete query
admin@myfmc:~# OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("000000610000BD2B000244600005009E");'
Now check again to make sure its gone
admin@myfmc:~# OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification;" | grep "\ 7\ "
Sometimes the process above needs to be repeated a few times but once clean I usually reboot both my firewalls in the HA pair and then re deploy. Those of us who were in the early days of Firepower 6.x remember it often but this doesn’t happen much anymore but when it does its nice to have the fix above.
Here are a few references,
https://www.lammle.com/post/how-to-fix-a-stuck-cisco-firepower-ftd-deployment/
https://the-packet-thrower.com/2019/06/03/thatll-do-cancelling-a-stuck-firepower-deployment/
Leave a Reply