This issue popped up after upgrading FirePOWER Management Center (FMC) from version 6.0.x to 6.1.x and re-hosting Sensors from one manager to the other.
As you upgrade Sensors to 6.1.x, do not forget to match the ASA code for FirePOWER devices to the compatibility matrix.
Components:
Firepower Management Center: 6.0.1.2 -> 6.1.0.1
Upgrading to a more robust appliance should never be an issue, but that is not the case with FMC (at least when going from virtual to hardware).
If you are migrating FMC from a virtual to a hardware appliance, backup/restore is not supported.
If backup/restore is not an option for you, the best you can do is export policies from the production FMC and import them into the new FMC. Some conflicts will then need to be resolved manually, one of them being that zones have to be created from scratch. No big deal. I added the zones, imported the policies and started moving Sensors over to the new FMC, only to find under Device Management that the zones were showing up as Unknown.
Interestingly enough under Objects > Interfaces all zones seemed to be in order.
Trying to deploy policies will get you this error on any re-hosted Sensor.
Rebooting the Management Center (MC) and the Sensor does not make any difference, so this is what I ended up doing.
After checking with TAC, this appeared to be a corruption of the FMC database and required developer-level access to run SQL queries to fix it. If you do not have time to wait, you can try fixing it by deleting and recreating the zones manually through the GUI. Before you can do that, you will need to remove the zones from every policy where they are referenced. It is not necessary to deploy these intermediate changes, which makes it a bit easier. The process is as follows:
Step 1. Under Device Management > Interfaces, set all zones to None.
Step 2. Under Policies, change rule zones to any. Do the same under the Security Intelligence tab.
Step 3. Delete the zones under Objects > Object Management > Interfaces and Save the configuration.
Step 4. Repeat the same steps in reverse: add the same zones back, update the policy rules with the new zones and reassign the device interfaces to their matching zones. Deploy when done.
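Steps 1 through 4 are only safe if you know, before you start stripping anything, exactly which rules and interfaces referenced each zone, otherwise Step 4 becomes guesswork. The script below is an added example (not from the original post and not Cisco's code) that records every zone reference, produces the stripped rule and interface set from Steps 1 and 2, confirms nothing still references a zone before the Step 3 delete, and re-applies the recording for Step 4. The rule and interface shapes are an assumption loosely modelled on FMC access-rule JSON (sourceZones/destinationZones holding a list of objects) and the sample data is constructed; check both against your own export before relying on it.

```python
"""Record, strip and restore security-zone references around the FMC
zone delete/recreate workaround.  Added example, not the post's or Cisco's
code.  The data shapes below are an ASSUMPTION modelled on FMC access-rule
JSON; verify them against a real export first."""
import copy
import json

# Constructed sample data: three access control rules and three interfaces.
RULES = [
    {"name": "Allow-Inside-to-Outside",
     "sourceZones": {"objects": [{"name": "INSIDE", "type": "SecurityZone"}]},
     "destinationZones": {"objects": [{"name": "OUTSIDE", "type": "SecurityZone"}]}},
    {"name": "Block-DMZ-to-Inside",
     "sourceZones": {"objects": [{"name": "DMZ", "type": "SecurityZone"}]},
     "destinationZones": {"objects": [{"name": "INSIDE", "type": "SecurityZone"}]}},
    {"name": "Monitor-All", "action": "MONITOR"},   # zones already "any": no keys
]
INTERFACES = [
    {"ifname": "inside", "securityZone": "INSIDE"},
    {"ifname": "outside", "securityZone": "OUTSIDE"},
    {"ifname": "mgmt", "securityZone": None},        # already None
]


def snapshot_zone_refs(rules, interfaces):
    """Record every place a zone is referenced so Step 4 can put it back."""
    snap = {"rules": {}, "interfaces": {}, "zones": set()}
    for rule in rules:
        refs = {}
        for key in ("sourceZones", "destinationZones"):
            names = [z["name"] for z in rule.get(key, {}).get("objects", [])]
            if names:
                refs[key] = names
                snap["zones"].update(names)
        if refs:
            snap["rules"][rule["name"]] = refs
    for iface in interfaces:
        if iface.get("securityZone"):
            snap["interfaces"][iface["ifname"]] = iface["securityZone"]
            snap["zones"].add(iface["securityZone"])
    snap["zones"] = sorted(snap["zones"])   # the zones you will delete in Step 3
    return snap


def strip_zone_refs(rules, interfaces):
    """Steps 1-2: interfaces -> None, rule zones -> any (key removed).
    Returns new objects; the inputs are left untouched."""
    new_rules = copy.deepcopy(rules)
    for rule in new_rules:
        rule.pop("sourceZones", None)
        rule.pop("destinationZones", None)
    new_ifaces = copy.deepcopy(interfaces)
    for iface in new_ifaces:
        iface["securityZone"] = None
    return new_rules, new_ifaces


def remaining_refs(rules, interfaces):
    """Zones still referenced anywhere; must be empty before Step 3 (delete)."""
    return snapshot_zone_refs(rules, interfaces)["zones"]


def restore_zone_refs(rules, interfaces, snap):
    """Step 4: re-apply the recorded references to stripped rules/interfaces."""
    new_rules = copy.deepcopy(rules)
    for rule in new_rules:
        for key, names in snap["rules"].get(rule["name"], {}).items():
            rule[key] = {"objects": [{"name": n, "type": "SecurityZone"} for n in names]}
    new_ifaces = copy.deepcopy(interfaces)
    for iface in new_ifaces:
        iface["securityZone"] = snap["interfaces"].get(iface["ifname"])
    return new_rules, new_ifaces


if __name__ == "__main__":
    snap = snapshot_zone_refs(RULES, INTERFACES)
    print(json.dumps(snap, indent=2))
    stripped_rules, stripped_ifaces = strip_zone_refs(RULES, INTERFACES)
    assert remaining_refs(stripped_rules, stripped_ifaces) == []
    restored = restore_zone_refs(stripped_rules, stripped_ifaces, snap)
    assert restored == (RULES, INTERFACES)   # round trip loses nothing
    print("zones to delete and recreate:", snap["zones"])
```

The round-trip assertion at the end is the point: if the restored set does not equal the original, you have found a rule or interface the manual procedure would have missed. Keep the printed snapshot with the change record, since Security Intelligence zone settings (Step 2) are not modelled here and still need to be noted by hand.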
When you re-host the next production Sensor, you may still get the "zones without interfaces" error. This time just toggle the assignments: set them all to None under Device Management, Save, then change them back to their original zones.
Depending on the complexity of your Access Control Policy rules, working with TAC engineers may still be the proper way to address this issue, but in my case, due to time constraints, the workaround succeeded in restoring full functionality.
P.S. Another way I found to fix the zone issue is to rename the zones under Objects > Object Management > Interfaces. I appended a 2 to each name, saved and deployed. After that, all zones changed from Unknown to their proper names. Once everything is working you can change them back to the original naming convention.
P.P.S. Apparently, this bug also affects user-based authentication rules. If you have rules allowing/denying access based on AD groups, you may not see the correct action applied. To fix it, delete the AD groups from the rule, save it, add the groups back in and deploy the policy.
1 comment on Cisco FirePOWER Management Center: Zone Unknown
Hi.
Good post.
I ran into a similar issue, but I did not get the zone to interface warning. But for me traffic was not hitting any access control policies with zones in the rule. If the zone is kept as any, traffic was matching the rule.
Do you have the bug ID which you ran into? Also, do you know a command to check by CLI the interface to zone mappings?
Thanks..