Friday, August 17, 2018
The Routing Table
Security 

FMC – An internal error is preventing the system from validating this policy.

Kevin Blackburn 0 Comments ,

Have you ever been working on an access policy in Cisco Firepower Management Center and then seen the following error pop up when you opened or saved a policy:

An internal error is preventing the system from validating this policy. If the policy is misconfigured, deploying configuration changes may fail or your changes may not work as expected. Contact Support for assistance.
You have? So have I. This happened to me today. From the message and past experience I figured there was a config error that caused validation to fail. I did have this occur in the past where something within the zone configuration of a rule was incorrect. Fixing that issue stopped the error message. So first thing I did today was run through any recent access policy changes to make sure all looked good. Everything checked out. Zones, IP addresses, ports…. everything was dead on. So I hit hit the web and started searching. Then I found a bug case that matched what I was seeing: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi63968
This bug was related to the Tomcat service within the FMC itself. The bug wanted a single command executed to restart the service on the FMC server:

pmtool restartbyid Tomcat

My web interface then showed that system services were restarting when I tried FMC again. As soon as that wrapped up, I went right back in to try to open that same access policy I was trying before. It opened….and I never received the error. Worked like a charm!

As always, this helped me, but things may be different for you. Consult TAC as needed. In this case, the command executed and resolved the issue with no service interruptions for any of my firewalls. Consider it similar to rebooting your FMC, your firewalls continue to function. Took me a bit to find this bug for some reason, so hopefully this post can help someone in the future!

Facebooktwittergoogle_plusredditpinterestlinkedintumblrmail
Kevin Blackburn

Kevin Blackburn

Cisco CCNP, Senior Network Engineer in the Healthcare Industry. Currently working on my CCIE R&S which is the focus of most of my latest blog posts. #NFD15 Delegate.

You May Also Like

Firepower 4100/9300 – Reset to Factory Default

Kevin Blackburn0
Remote-Firepower-Firewall-Example-Topology

Add Remote Firepower Firewall to Firepower Management Center

Kevin Blackburn2

Connect Firewall to FMC Through NAT Device

Kevin Blackburn0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.