FMC – An internal error is preventing the system from validating this policy.


Have you ever been working on an access policy in Cisco Firepower Management Center and then seen the following error pop up when you opened or saved a policy:

An internal error is preventing the system from validating this policy. If the policy is misconfigured, deploying configuration changes may fail or your changes may not work as expected. Contact Support for assistance.
You have? So have I. This happened to me today. From the message and past experience, I figured there was a config error that caused validation to fail. I did have this occur in the past where something within the zone configuration of a rule was incorrect. Fixing that issue stopped the error message. So the first thing I did today was run through any recent access policy changes to make sure all looked good. Everything checked out. Zones, IP addresses, ports... everything was dead on. So I hit the web and started searching. Then I found a bug case that matched what I was seeing:
This bug was related to the Tomcat service within the FMC itself. The workaround called for a single command to be executed on the FMC server to restart that service:

pmtool restartbyid Tomcat

My web interface then showed that system services were restarting when I tried FMC again. As soon as that wrapped up, I went right back in to try to open the same access policy I was trying before. It opened... and I never received the error. Worked like a charm!

As always, this helped me, but things may be different for you. Consult TAC as needed. In this case, the command executed and resolved the issue with no service interruptions for any of my firewalls. Consider it similar to rebooting your FMC: your firewalls continue to function. It took me a bit to find this bug for some reason, so hopefully this post can help someone in the future!
