After the software upgrade, the Secure Firewall Threat Defense (FTD) cluster data node fails to join the cluster. These symptoms are observed:
1. The output of the show cluster history command shows the “Configuration replication failed” error message and the transition of the unit from the DATA_NODE_CONFIG state to the DISABLED state:
> show cluster history
…
09:52:55 UTC May 8 2026
DISABLED ELECTION Enabled from CLI
09:52:55 UTC May 8 2026
ELECTION ONCALL Event: Cluster unit unit-1-1 state
is CONTROL_NODE
09:52:55 UTC May 8 2026
ONCALL DATA_NODE_COLD Received cluster control message
09:52:55 UTC May 8 2026
DATA_NODE_COLD DATA_NODE_APP_SYNC Client progression done
09:54:39 UTC May 8 2026
DATA_NODE_APP_SYNC DATA_NODE_CONFIG Data node application configuration sync done
09:54:53 UTC May 8 2026
DATA_NODE_CONFIG DISABLED Configuration replication failed
2. Files /mnt/disk0/cluster_trace.log* contain messages related to the configuration replication failure of the key command and the transition of the cluster to the DISABLED state:
May 08 09:54:50.538 [INFO]start to monitor Port-channel47
May 08 09:54:50.538 [DBUG]Send CCP message to all: CCP_MSG_HWIDB_STATE
May 08 09:54:50.568 [INFO]start to monitor Ethernet1/5
May 08 09:54:50.568 [DBUG]Send CCP message to all: CCP_MSG_HWIDB_STATE
May 08 09:54:50.738 [CRIT]Config syncing failure: context single_vf, line 1027, CLI " key <key>".
May 08 09:54:50.748 [DBUG]Send event (PROGRESSION_FAILURE, n/a, n/a, 94350991600520) to FSM. Current state DATA_NODE_CONFIG
May 08 09:54:50.748 [INFO]cluster_fsm_disable: The clustering re-enable timer is stopped.
May 08 09:54:50.748 [DBUG]Send CCP message to all: CCP_MSG_QUIT from unit-2-1 for reason CLUSTER_QUIT_REASON_RETIREMENT
May 08 09:54:50.748 [DBUG]Send event (CONTROL_NODE_GONE, n/a, n/a, 94350991600224) to FSM. Current state DISABLED
3. Files /ngfw/var/log/ASAconsole.log* also contain messages related to the configuration replication failure of the key command and the transition of the cluster to the DISABLED state:
2026-05-08 09:49:51 Detected Cluster Control Node.
2026-05-08 09:50:01 Beginning configuration replication from Control Node.
…
2026-05-08 09:50:02 livecore enabled
2026-05-08 09:50:02 ........................
2026-05-08 09:50:02 key <key>
2026-05-08 09:50:02 ^
2026-05-08 09:50:02 ERROR: % Input should be less than 64 characters at '^' marker.
2026-05-08 09:50:02 *** Output from config line 1027, " key <key>..."
2026-05-08 09:50:02
2026-05-08 09:50:02 Failed configuration replication from Control Node.
2026-05-08 09:50:02 Cluster disable is performing cleanup..done.
2026-05-08 09:50:04 Unit unit-2-1 is quitting due to system failure for 3 time(s) (last failure is Internal clustering error). Rejoin will be attempted after 20 minutes.
Firepower 4145 with FTD in multi-instance cluster deployment. Clusters running on Firepower 4100/9300 in multi-instance or native mode deployments are also affected.
The FTD cluster is FMC-managed.
FTD software version is upgraded from 7.6.2 to 7.6.4. Other source or target software versions can also be affected.
Initially, the cluster key was configured as a 64-character string. According to the Logical Device section in the Secure FXOS for Firepower 4100/9300 CLI or Chassis Manager (FCM) configuration guide, the cluster key is an ASCII string from 1 to 63 characters. Therefore, the cluster key was reduced to less than 64 characters in length in the Logical Devices settings of the FCM user interface.
Although the maximum length of the cluster key is documented, it is not enforced at the FXOS software level (FXOS CLI or FCM). Users are allowed to configure cluster keys that exceed the maximum number of characters. Even with a key that exceeds the maximum length, the units can still join the cluster in version 7.6.2. After the upgrade, however, the software validates the key length, which results in the failure to join the cluster. This behavior change is not documented. These symptoms were reproduced internally and are tracked in Cisco bug ID CSCwn53819.
Additionally, as part of the reproduction efforts, Cisco bug ID CSCwu35563 and Cisco bug ID CSCwu35553 were submitted to track the lack of cluster key length validation on FCM and FXOS CLI respectively.
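A pre-upgrade check of a cluster key against the documented limit of 1 to 63 ASCII characters, together with a scan for the failure signatures shown in the cluster_trace.log and ASAconsole.log excerpts. This is an added example, not part of the original document or of any Cisco tooling; the function names and the sample list are assumptions made for illustration.

```python
import re

# Documented limit cited on this page: ASCII string of 1 to 63 characters.
MAX_KEY_LEN = 63

def cluster_key_problems(key):
    """Return the reasons a cluster key violates the documented limit ([] = OK)."""
    problems = []
    if not 1 <= len(key) <= MAX_KEY_LEN:
        problems.append(f"length {len(key)} is outside 1..{MAX_KEY_LEN}")
    if not key.isascii():
        problems.append("contains non-ASCII characters")
    return problems

# Signatures taken from the cluster_trace.log and ASAconsole.log excerpts on this page.
TRACE_RE = re.compile(r'\[CRIT\]Config syncing failure: context \S+, line (\d+), CLI "\s*key ')
LENGTH_ERR = "Input should be less than 64 characters"
CONSOLE_RE = re.compile(r'Output from config line (\d+), "\s*key ')

def find_key_replication_failures(lines):
    """Return (log_type, config_line) for each failed replication of the key command."""
    hits, length_err_seen = [], False
    for line in lines:
        m = TRACE_RE.search(line)
        if m:
            hits.append(("cluster_trace", int(m.group(1))))
        elif LENGTH_ERR in line:
            length_err_seen = True  # ASAconsole: the error precedes the config line
        elif "Output from config line" in line:
            m = CONSOLE_RE.search(line)
            if m and length_err_seen:
                hits.append(("ASAconsole", int(m.group(1))))
            length_err_seen = False  # a length error belongs to one config line only
    return hits

# Lines copied from the excerpts on this page; <key> is the page's own placeholder.
SAMPLE_LINES = [
    'May 08 09:54:50.568 [INFO]start to monitor Ethernet1/5',
    'May 08 09:54:50.738 [CRIT]Config syncing failure: context single_vf, line 1027, CLI " key <key>".',
    "2026-05-08 09:50:02 ERROR: % Input should be less than 64 characters at '^' marker.",
    '2026-05-08 09:50:02 *** Output from config line 1027, " key <key>..."',
    '2026-05-08 09:50:02 Failed configuration replication from Control Node.',
]

if __name__ == "__main__":
    print(cluster_key_problems("K" * 64))  # constructed 64-character key
    print(find_key_replication_failures(SAMPLE_LINES))
```

Running the key check against every cluster logical device before an upgrade flags keys that version 7.6.2 tolerated but the upgraded software rejects during configuration replication.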
Cisco bug ID CSCwn53819
Cisco bug ID CSCwu35563
Cisco bug ID CSCwu35553
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 14-May-2026 | Initial Release |