排除“远程FMC未成功更新”故障

简介

本文档介绍如何对“远程FMC未成功更新”进行故障排除。在更新此对等体之前，完成远程FMC上的更新。"

先决条件

要求

Cisco 建议您了解以下主题：

• Firepower Management Center (FMC)
• FMC CLI的基本知识。

使用的组件

本文档不限于特定的软件和硬件版本。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您的网络处于活动状态，请确保您了解所有命令的潜在影响。

背景信息

错误消息 

错误 "Remote FMC is not updated successfully. Complete the update on remote FMC before updating this peer" 当您尝试升级FMC高可用性(HA)对管理的设备时，会显示在FMC GUI上。此错误不允许启动受管设备的升级。以下是GUI中错误警报的显示方式：

也可以使用专家模式命令cat /var/log/httpd/httpd_error_log.1从FMC的CLI验证错误 | grep -i '远程FMC'。

> expert
root@FMC:~$ cat /var/log/httpd/httpd_error_log.1 | grep -i 'Remote FMC'

[Mon Jan 30 07:20:10.062741 2022] [cgi:error] [pid 5906] [client 192.168.1.10:45267] AH01215: (Remote FMC is not updated successfully. Complete the update on remote FMC before updating this peer.) in /usr/local/sf/htdocs/admin/update.cgi:331 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/update.cgi, referer:  
[Mon Jan 30 07:22:43.370986 2022] [cgi:error] [pid 15376] [clien 192.168.1.10:45267] AH01215: (Remote FMC is not updated successfully. Complete the update on remote FMC before updating this peer.) in /usr/local/sf/htdocs/admin/update.cgi:331 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/update.cgi, referer:  

错误原因

当HA中的两个FMC之间的软件补丁版本、漏洞数据库(VDB)版本、入侵规则(SRU)版本或地理定位数据库(GeoDB)版本不匹配时，会发生此错误。当列出的任何版本更新停滞或安装失败时，就会发生不匹配。当您在帮助>关于部分下从FMC UI检查版本时，不会看到此不匹配项，但建议您在两个FMC上检查此页面进行验证。

注意：使用此错误可以成功部署到受管设备，但软件升级无法启动。

识别问题

从GUI检查HA中FMC的版本

从FMC GUI中，转至Help > About以确认HA中两个FMC上的软件补丁、VDB、SRU和GeoDB的版本均相同。这些图像显示了来自GUI的HA中的两个FMC版本匹配的示例：

.              

从CLI在HA中验证FMC上VDB、SRU和GeoDB版本的安装状态

在FMC CLI的专家模式下，您需要验证VDB、SRU和GeoDB更新是否已完全安装在HA中的两个FMC上且无任何故障。

注意：在这些部分中，说明如何检查每个映像版本文件夹的status.log。这些映像版本文件夹必须与对等FMC上的文件夹匹配。例如，如果安装在FMC上的VDB版本文件夹是“vdb-4.5.0-338”，则您必须在同一文件夹下检查两个FMC。此处，在两个FMC上使用命令cat /var/log/sf/vdb-4.5.0-338/status.log检查VDB的更新状态。同样适用于SRU和GeoDB更新。

检查VDB安装状态

在FMC CLI的专家模式下，使用此命令cat /var/log/sf/<vdb-image-folder>/status.log 验证VDB更新是否成功。以下是VDB成功安装的示例：

root@FMC:~$ cat /var/log/sf/vdb-4.5.0-338/status.log
state:running
ui:The install has begun
ui:[ 0%] Running script pre/000_start.sh...
ui:[ 4%] Running script pre/010_check_versions.sh...
ui:[ 8%] Running script pre/011_check_versions.pl...
ui:[12%] Running script pre/020_check_space.sh...
ui:[15%] Running script pre/500_stop_rna.pl...
ui:[19%] Running script pre/999_finish.sh...
ui:[23%] Running script installer/000_start.sh...
ui:[27%] Running script installer/100_install_files.pl...
ui:[31%] Running script installer/200_install_fingerprints.sh...
ui:[35%] Running script installer/300_install_vdb.sh...
ui:[38%] Running script installer/400_install_rdps.pl...
ui:[42%] Running script installer/420_delete_obsolete_ids.pl...
ui:[46%] Running script installer/450_resave_detectors.pl...
ui:[50%] Running script installer/525_export_compliance_policies.pl...
ui:[54%] Running script installer/600_fix_dbcheck.sh...
ui:[58%] Running script installer/605_install_dbcheck_upgrade_script.sh...
ui:[62%] Running script installer/610_install_missing_upgrade_script.sh...
ui:[65%] Running script installer/615_purge_vdb_149_log.sh...
ui:[69%] Running script installer/900_update_version.sh...
ui:[73%] Running script installer/901_update_db_version.pl...
ui:[77%] Running script installer/950_reapply_to_sensor.pl...
ui:[81%] Running script installer/975_export_data.pl...
ui:[85%] Running script installer/999_finish.sh...
ui:[88%] Running script post/000_start.sh...
ui:[92%] Running script post/500_start_rna.pl...
ui:[96%] Running script post/999_finish.sh...
ui:[100%] The install completed successfully.
ui:The install has completed.
state:finished

检查SRU安装状态

在FMC CLI的专家模式下，使用命令cat /var/log/sf/<sru-image-folder>/status.log 验证SRU更新是否成功。以下是SRU成功安装的示例：

root@FMC:~$ cat /var/log/sf/sru-2021-05-03-001-vrt/status.log
state:running
ui:The force install has begun.
ui:[ 0%] Running script pre/000_start.sh...
ui:[ 5%] Running script pre/010_check_versions.sh...
ui:[11%] Running script pre/020_check_space.sh...
ui:[16%] Running script pre/999_finish.sh...
ui:[21%] Running script installer/000_start.sh...
ui:[26%] Running script installer/050_sru_log_start.pl...
ui:[32%] Running script installer/100_install_files.pl...
ui:[37%] Running script installer/510_install_policy.pl...
ui:[42%] Running script installer/520_install_rules.pl...
ui:[47%] Running script installer/521_rule_docs.sh...
ui:[53%] Running script installer/530_install_module_rules.pl...
ui:[58%] Running script installer/540_install_decoder_rules.pl...
ui:[63%] Running script installer/602_log_package.pl...
ui:[68%] Running script installer/900_update_version.sh...
ui:[74%] Running script installer/999_finish.sh...
ui:[79%] Running script post/000_start.sh...
ui:[84%] Running script post/500_copy_contents.sh...
ui:[89%] Running script post/900_iru_log_finish.pl...
ui:[95%] Running script post/999_finish.sh...
ui:[100%] The force install completed successfully.
ui:The force install has completed.
state:finished

检查GeoDB安装状态

在FMC CLI的专家模式下，使用命令cat /var/log/sf/<geodb-image-folder>/status.log 验证GeoDB更新是否成功。以下是GeoDB成功安装的示例：

root@FMC:~$ cat /var/log/sf/geodb-2022-08-02-100/status.log
state:running
ui:The install has begun.
ui:[ 0%] Running script installer/200_prechecks.pl...
ui:[33%] Running script installer/500_install_country_map.pl...
ui:[67%] Running script installer/601_fix_country.pl...
ui:[100%] The install completed successfully.
ui:The install has completed.
state:finished

如果安装失败或由于任何原因而中断，您可以从status.log中看到此失败或停滞的步骤。以下是FMC上GeoDB安装失败的示例：

root@FMC:~$ cat /var/log/sf/geodb-2022-07-17-100/status.log
state:running
ui:The install has begun.
ui:[ 0%] Running script installer/200_prechecks.pl...
ui:[33%] Running script installer/500_install_country_map.pl...
ui:[67%] Running script installer/601_fix_country.pl...
ui:[67%] Fatal error: Error running script installer/601_fix_country.pl

从CLI验证HA中FMC的软件版本和补丁的安装状态 

在FMC CLI的专家模式下，使用命令cat /etc/sf/patch_history验证两个FMC是否安装了相同的版本和修补程序。运行此命令可识别两个FMC上的任何不匹配。以下是CLI中补丁不匹配的示例： 

root@FMC:~$ cat /etc/sf/patch_history
6.2.3-83
6.6.0-90
6.6.4-59
6.6.5-81
Hotfix_DE-8__413769962     <<<<<<<<<<<  Here the FMC seems to have a Hotfix installation image that is not present from the other FMC

-------------------------------------------------------------------

root@FMC:~$ cat /etc/sf/patch_history
6.2.3-83
6.6.0-90
6.6.4-59
6.6.5-81        

要进一步检查FMC中热修复程序的安装是否成功，您需要检查此映像文件夹的status.log:

root@FMC:~$ cat /var/log/sf/Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2/status.log

ui:[98%] Upgrade complete
ui:[99%] Running script 999_finish/999_z_must_remain_last_finalize_boot.sh...
ui:[99%] Running script 999_finish/999_zz_install_bundle.sh...
ui:[100%] The system will now restart services.
ui:System will now restart services.
ui:[100%] Installation completed successfully.
ui:Upgrade has completed.
state:finished

此示例验证补丁映像不存在于HA中的一个FMC中，而另一个已成功安装补丁。 

故障排除

要解决此错误，您必须从FMC的CLI执行手动强制安装更新，在此发现问题。 

Disclaimer: Root access to the FMC devices is required in order to execute the commands under this section. Please use caution when running commands from the root of the FMC. 

VDB、SRU和GeoDB更新问题

确定VDB、SRU或GeoDB更新问题后，请通过CLI命令install_update.pl /var/sf/updates/<image-file> —force执行手动强制安装。以下是GeoDB更新的手动强制安装示例：

> expert
root@FMC:~$ sudo su
<Enter the root password>
root@FMC:# install_update.pl /var/sf/updates/Cisco_Firepower_GEODB_FMC_Update-2022-08-02-100.sh.REL.tar --force

注意：使用install_update.pl命令使用映像文件的绝对路径，如示例所示。在强制从CLI安装之前，请勿取消任何tar.gz文件。

修补程序安装问题

对于修补程序/修补程序安装，您需要下载修补程序文件并将其安装到FMC，其中修补程序文件不通过GUI或CLI存在。

从FMC GUI: 

转至System > Updates > Product Updates并上传要安装的补丁版本。然后单击Install选项并选择需要安装补丁的设备，然后继续安装。 

  

从FMC CLI:

要从FMC CLI安装软件/补丁，请将修补程序升级文件上传到FMC CLI上的路径/var/log/sf/ ，然后执行命令install_update.pl /var/log/sf/<image-file>。此命令在同一屏幕上运行升级日志，以便我们监控进度。以下是从CLI安装补丁的示例：

> expert
root@FMC:~$ sudo su
<Enter the root password>
root@FMC:# install_update.pl /var/log/sf/Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2 

如果SSH会话超时，请使用命令install_update.pl - detach /var/log/sf/<image-file> 在后台运行安装。这样，即使在SSH会话关闭后，升级也能运行。

验证

VDB、SRU或GeoDB更新

手动强制安装完成后，可以使用cat /var/log/sf/<image-version-folder>/status.log 命令从CLI验证安装状态，以进行VDB、SRU和GeoDB更新。以下是GeoDB成功安装的status.log输出的示例：

root@FMC:/Volume/home/admin# cat /var/log/sf/geodb-2022-08-02-100/status.log
state:running
ui:The force install has begun.
ui:[ 0%] Running script installer/200_prechecks.pl...
ui:[33%] Running script installer/500_install_country_map.pl...
ui:[67%] Running script installer/601_fix_country.pl...
ui:[100%] The force install completed successfully.
ui:The force install has completed.
state:finished

修补程序或修补程序更新

手动安装更新后，从CLI执行命令cat /var/log/sf/<patch-image-folder>/status.log以验证此安装的状态。以下是成功安装的status.log输出的示例：

root@FMC:/var/log/sf/Cisco_Firepower_Mgmt_Center_Hotfix_DE-6.6.5.2# tail -f status.log
ui:[98%] Upgrade complete
ui:[99%] Running script 999_finish/999_z_must_remain_last_finalize_boot.sh...
ui:[99%] Running script 999_finish/999_zz_install_bundle.sh...
ui:[100%] The system will now restart services.
ui:System will now restart services.
ui:[100%] Installation completed successfully.
ui:Upgrade has completed.
state:finished

注意：如果您尝试执行本文档中提供的步骤后，错误仍然存在，请向思科TAC提交服务请求。