<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cannot Register SFR Module to FMC in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3785420#M1040068</link>
    <description>Yeah, I've kind of just been coming back to this in spare time...&lt;BR /&gt;&lt;BR /&gt;Yes, the FMC does have 2 other SFR modules connected to it. Those SFR modules are located on the ASA Failover pair located in the same physical location as FMC, and on the same VLAN. Not that it should make a difference, but thought I would mention it.&lt;BR /&gt;&lt;BR /&gt;Since I did have that SSD failure on that problem ASA a few weeks ago, is there any way you could see the SSD being bad and that causing the issue? Even after doing re-image/re-install of SFR module, the same problem persisted...&lt;BR /&gt;&lt;BR /&gt;-Matt</description>
    <pubDate>Tue, 22 Jan 2019 19:41:26 GMT</pubDate>
    <dc:creator>Matthew Martin</dc:creator>
    <dc:date>2019-01-22T19:41:26Z</dc:date>
    <item>
      <title>Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767625#M1040047</link>
      <description>&lt;P&gt;Hello All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When attempting to Register a new SFR Module to our FMC I receive the message: &lt;EM&gt;"Could not establish a connection with device."&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC_Error.png" style="width: 565px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/26579i8FBCEFCF725859FD/image-size/large?v=v2&amp;amp;px=999" role="button" title="FMC_Error.png" alt="FMC_Error.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;I know for sure the reg key is correct and I am able to ping each device from the other without issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The FMC device is located in our HQ and the SFR Module is located across WAN in a DR location. Also, I had no problems registering 2 other SFR modules which were located in the same physical location as the FMC.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I tried the &lt;STRONG&gt;"telnet &amp;lt;fmc_ipaddress&amp;gt; 8305"&lt;/STRONG&gt; command from the SFR Module to the FMC, and receive the following message:&lt;/P&gt;
&lt;PRE&gt;admin@ASASFR3:~$ telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Log from /var/log/messages shows:&lt;/STRONG&gt;&lt;/P&gt;
&lt;PRE&gt;admin@ASASFR3:~$ tail -f /var/log/messages
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:55608/tcp
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:55608/tcp (socket 11)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 44 seconds is up)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] ClamUpd, time to check for updates
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:58792/tcp
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [17403] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:58792/tcp (socket 11)
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any ideas on what the issue could be here? I have rebooted the FMC as well as re-installed SFR module on the ASA and it didn't seem to help.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any thoughts or suggestions would be greatly appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks in Advance,&lt;/P&gt;
&lt;P&gt;Matt&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 16:35:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767625#M1040047</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2020-02-21T16:35:51Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767632#M1040048</link>
      <description>&lt;P&gt;Go into your firewall box ASA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;and console to SFR.&lt;/P&gt;&lt;P&gt;Give this command:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;configure manager delete &lt;/PRE&gt;&lt;P&gt;then again&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;configure manager add &amp;lt;FireSIGHT MC IP&amp;gt; &amp;lt;Registration Key&amp;gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;then try to register the SFR in FMC again.&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 23:02:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767632#M1040048</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2018-12-20T23:02:38Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767634#M1040049</link>
      <description>&lt;P&gt;Thanks for the reply.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've actually tried that a few different times now using different reg keys, but none made a difference.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks again,&lt;/P&gt;
&lt;P&gt;Matt&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 23:02:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767634#M1040049</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2018-12-20T23:02:44Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767636#M1040050</link>
      <description>&lt;P&gt;Please could you confirm the ASA model no. and ASA software, FMC software version and SFR version?&lt;/P&gt;</description>
      <pubDate>Thu, 20 Dec 2018 23:04:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767636#M1040050</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2018-12-20T23:04:40Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767679#M1040051</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Check compatibility between FMC and Firepower module. Most new ASA firewalls come with Firepower 5.4, which is not compatible with FMC running 6.x. You will need to upgrade the Firepower module using ASDM to at least 6.1 and add to FMC.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can see the compatibility list at the following URL:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;</description>
      <pubDate>Fri, 21 Dec 2018 03:02:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767679#M1040051</guid>
      <dc:creator>johnd2310</dc:creator>
      <dc:date>2018-12-21T03:02:05Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767985#M1040052</link>
      <description>&lt;P&gt;&lt;STRONG&gt;ASA5515: &lt;/STRONG&gt;ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;ASA Version:&lt;/STRONG&gt; 9.4(4)20&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;SFR Module: &lt;/STRONG&gt;6.2.3-83&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;FMC Server:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC.png" style="width: 479px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/26606i9F858FDE141BDD4C/image-size/large?v=v2&amp;amp;px=999" role="button" title="FMC.png" alt="FMC.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Matt&lt;/P&gt;</description>
      <pubDate>Fri, 21 Dec 2018 17:46:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767985#M1040052</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2018-12-21T17:46:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767988#M1040053</link>
      <description>Thanks for the reply John.&lt;BR /&gt;&lt;BR /&gt;I think I'm ok in terms of compatibility. SFR is running 6.2.3-83 and FMC is running 6.2.3.6.&lt;BR /&gt;&lt;BR /&gt;-Matt</description>
      <pubDate>Fri, 21 Dec 2018 17:50:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3767988#M1040053</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2018-12-21T17:50:44Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3768020#M1040054</link>
      <description>&lt;P&gt;After attempting to register the device again, the netstat command shows the following:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P style="padding-left: 30px;"&gt;&lt;STRONG&gt;FMC = &lt;/STRONG&gt;192.168.2.20&lt;/P&gt;
&lt;P style="padding-left: 30px;"&gt;&lt;STRONG&gt;HQ ASA Primary SFR:&lt;/STRONG&gt; 192.168.2.57&lt;/P&gt;
&lt;P style="padding-left: 30px;"&gt;&lt;STRONG&gt;HQ ASA Secondary SFR:&lt;/STRONG&gt; 192.168.2.58&lt;/P&gt;
&lt;P style="padding-left: 30px;"&gt;&lt;STRONG&gt;DR ASA Primary SFR:&lt;/STRONG&gt; 10.50.123.57&lt;/P&gt;
&lt;P style="padding-left: 30px;"&gt;&lt;EM&gt;*The last one listed above is the one I'm trying to Register...&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;From the FMC VM:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;admin@firepower:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 192.168.2.20:8305       0.0.0.0:*               LISTEN      -                   
tcp        0   2515 192.168.2.20:59999      10.50.123.57:8305       ESTABLISHED -                   
tcp        0   2178 192.168.2.20:8305       10.50.123.57:50367      ESTABLISHED -                   
tcp        0      0 192.168.2.20:54469      192.168.2.57:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:51725      192.168.2.58:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:60542      192.168.2.58:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:46581      192.168.2.57:8305       ESTABLISHED -  &lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;From SFR Module:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;admin@ASASFR3:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 10.50.123.57:8305       0.0.0.0:*               LISTEN      -                   
tcp        0      0 10.50.123.57:50367      192.168.2.20:8305       ESTABLISHED -                   
tcp        0      0 10.50.123.57:8305       192.168.2.20:59999      ESTABLISHED -  &lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Here's /var/log/messages from both:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;SFR Module:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 4 seconds is up)&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 failed on port 8305 socket 11 (Connection refused)&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] No IPv4 connection to 192.168.2.20&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.168.2.20'&lt;BR /&gt;Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 24 seconds&lt;BR /&gt;Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:59999/tcp&lt;BR /&gt;Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:59999/tcp (socket 11)&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 24 
seconds is up)&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20&lt;BR /&gt;Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)&lt;BR /&gt;Dec 21 18:47:15 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates&lt;BR /&gt;Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE&lt;BR /&gt;Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed&lt;BR /&gt;Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [WARN] SSL Verification status: ok&lt;BR /&gt;Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:49974/tcp&lt;BR /&gt;Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15229] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:49974/tcp (socket 11)&lt;BR /&gt;Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE&lt;BR /&gt;Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed&lt;BR /&gt;Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [WARN] SSL Verification status: ok&lt;BR /&gt;Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 
seconds&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20&lt;BR /&gt;Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;From FMC:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;admin@firepower:~$ tail -n 1000 /var/log/messages
Dec 21 18:45:06 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_ADD to register 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8104
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8121
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX initialized for 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_ADD 10.50.123.57 to register
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is  192.168.2.20  (key '192.168.2.20') on eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy
Dec 21 18:45:06 firepower SF-IMS[30494]: [30494] sfmbservice:sfmb_service [INFO] sfmbservice received SIGHUP
Dec 21 18:45:06 firepower SF-IMS[30496]: [30496] ipproxy:ipproxy [INFO] Got HUP signal, re-reading configuration
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.57 over eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.57 (6.2.3)
Dec 21 18:45:07 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv4(192.168.2.20) eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:45:13 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.58 over eth0
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.58 (6.2.3)
Dec 21 18:45:28 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:50367/tcp
Dec 21 18:45:28 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:50367/tcp (socket 35)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:process [INFO] Started store_whitelist_history (1094)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:log [INFO] Process 'store_whitelist_history' closed output.
Dec 21 18:46:12 firepower SF-IMS[4823]: [4823] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for ip  verify_peer=1  verifyhost=0 
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for dns verifypeer=1    verifyhost=0
Dec 21 18:46:31 firepower Someone connected to me, receiving data...
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 8, msg_len = 10
Dec 21 18:46:31 firepower process_msg : Received IPC message type : 12
Dec 21 18:46:31 firepower Response being sent to SAM : �&amp;#3;
Dec 21 18:46:31 firepower , len(msg being sent) = 2575
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower Connection closed...
Dec 21 18:46:31 firepower Waiting for someone to connect to me...
Dec 21 18:47:05 firepower SF-IMS[5471]: [5842] SFDataCorrelator:Correlator [INFO] Purging 1 expired IP hosts (query time: 0.003 sec.)
Dec 21 18:47:08 firepower SF-IMS[30493]: [30516] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:09 firepower SF-IMS[30493]: [30518] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.123.57' in 0 seconds
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:47:47 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:48:02 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] Process received SIGHUP
Dec 21 18:48:02 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:35903/tcp
Dec 21 18:48:02 firepower SF-IMS[30492]: [1500] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:35903/tcp (socket 35)
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/kill -s USR1 5440
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] Locking SFDataCorrelator
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:ControlHandler [INFO] Handling control connection from sudo_user '', cmd '/usr/bin/perl /usr/local/sf/bin/ActionQueueScrape.pl', pid 1560 (uid 0, gid 0)
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] DCEControlMessageReconfigure
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize Host limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Host limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize User limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] User limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Event Rate Limit set to 5000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] Pausing Event handlers
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] DomainControl: Initialized 1 domains including 1 netmaps
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/sftunnel.conf /etc/sf/.sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/iftool
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] free_peer 10.50.123.57.
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_REMOVED 10.50.123.57 pending
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free not connected peer 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57 
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] &amp;gt;&amp;gt; ChannelState free_peer peer 10.50.123.57 / channelA / NONE [ msgSock &amp;amp; ssl_context ] &amp;lt;&amp;lt;
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] &amp;gt;&amp;gt; ChannelState free_peer peer 10.50.123.57 / channelB / NONE [ msgSock &amp;amp; ssl_context ] &amp;lt;&amp;lt;
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57 on exit
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is  192.168.2.20  (key '192.168.2.20') on eth0
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Dec 2018 19:00:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3768020#M1040054</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2018-12-21T19:00:40Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3768272#M1040055</link>
      <description>&lt;P&gt;Came across this link; it might be helpful for you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.grandmetric.com/2018/04/23/troubleshoot-fmc-firepower-sensor-communication/" target="_blank"&gt;https://www.grandmetric.com/2018/04/23/troubleshoot-fmc-firepower-sensor-communication/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, could you try to uninstall the SFR in the ASA and re-install a fresh copy? It might fix the issue, as I have searched for this error with no success.&lt;/P&gt;&lt;PRE&gt;sf_ssl [ERROR] Connect:SSL handshake failed&amp;nbsp;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Seems like it could be some cipher issue, with the FMC and SFR not agreeing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Or, if you have Cisco TAC, open a case with Cisco.&lt;/P&gt;</description>
      <pubDate>Sat, 22 Dec 2018 22:17:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3768272#M1040055</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2018-12-22T22:17:16Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774323#M1040056</link>
      <description>&lt;P&gt;Sorry for the delay. With the Holidays I was out of the office for a while and then there was an issue with the SSD. After I uninstalled the sfr module and then tried to re-install, there were a bunch of read/write I/O errors showing on the ASA. So I reloaded the ASA and after it came back up, it was no longer even recognizing the ASA was attached.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I was finally able to get someone in that location to remove and re-seat the SSD Drive and it was recognized again. So I then re-installed SFR and attempted to add the SFR module/sensor to the FMC and I am still getting the same results.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The one thing that really sticks out is the &lt;STRONG&gt;"Connect:SSL handshake failed"&lt;/STRONG&gt; error message shown below, even though at one point in the log it says connection successful...&lt;/P&gt;
&lt;PRE&gt;Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Jan  7 17:23:36 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
&lt;STRONG&gt;Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed&lt;/STRONG&gt;
Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;From my laptop, I am able to run the command "telnet &amp;lt;sfr-ip-address&amp;gt; 8305" and it appears to connect just fine. But, I get a connection refused when trying the telnet command to the FMC. Is 8305 only used on the sensor?&lt;/P&gt;
&lt;PRE&gt;&amp;gt; telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused
&lt;/PRE&gt;
&lt;P&gt;Any thoughts would be greatly appreciated!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Matt&lt;/P&gt;</description>
      <pubDate>Mon, 07 Jan 2019 17:51:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774323#M1040056</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2019-01-07T17:51:37Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774328#M1040057</link>
      <description>&lt;P&gt;Well, it seems like it's refusing the connection. Your best bet is to open a TAC case if you have a contract.&lt;/P&gt;</description>
      <pubDate>Mon, 07 Jan 2019 17:56:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774328#M1040057</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-01-07T17:56:27Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774762#M1040058</link>
      <description>&lt;P&gt;Reimage the SFR; after it is re-added to config-manager it will work.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jan 2019 06:01:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3774762#M1040058</guid>
      <dc:creator>noufal.cdlm@gmail.com</dc:creator>
      <dc:date>2019-01-08T06:01:50Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3775268#M1040059</link>
      <description>&lt;P&gt;It could be that your hard disk is faulty. That is how it sounds, reading your description of the struggle with the SFR.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jan 2019 16:58:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3775268#M1040059</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-01-08T16:58:56Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781321#M1040060</link>
      <description>Sorry, I thought I had replied to this thread already. Guess not...&lt;BR /&gt;&lt;BR /&gt;I was able to re-image the SFR module on the SSD after getting the SSD re-seated in the ASA. But, I am still having the same issue with the logs showing SSL Handshake error. The strange thing is, according to the netstat command they are showing an Established connection on both ends.&lt;BR /&gt;&lt;BR /&gt;-Matt</description>
      <pubDate>Wed, 16 Jan 2019 17:00:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781321#M1040060</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2019-01-16T17:00:35Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781332#M1040061</link>
      <description>&lt;P&gt;Were you not able to open a TAC case?&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jan 2019 17:12:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781332#M1040061</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-01-16T17:12:13Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781349#M1040062</link>
      <description>&lt;P&gt;I did. Basically, he just did a ping from the sfr to firepower with a large byte size and it showed packet loss so he concluded it was a networking issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But, I'm not really sure why this would cause an SSL handshake error...&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Matt&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jan 2019 17:46:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781349#M1040062</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2019-01-16T17:46:43Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781352#M1040063</link>
      <description>&lt;P&gt;Strange. TAC should pick it up. Or it could be a junior engineer. Just curious, did you not explain the issue to him?&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jan 2019 17:50:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781352#M1040063</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-01-16T17:50:20Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781367#M1040064</link>
      <description>Yea, we've been back and forth with email for a little while now and we had a WebEx session where he did the ping tests.&lt;BR /&gt;&lt;BR /&gt;He had also said that in their Database, a similar issue was fixed by adjusting the MTU of the SFR's eth0 to 1300. But, that didn't seem to help any in our case.&lt;BR /&gt;&lt;BR /&gt;We have a 100 Mbps pipe between our HQ where Firepower VM is located and where the SFR module is located, so there aren't any Bandwidth issues or anything like that (*I checked ISP's reporting of bandwidth usage and that all seems good). We also have a packetshaper between the locations, but that doesn't appear to be limiting the byte transfer or anything along those lines.&lt;BR /&gt;&lt;BR /&gt;So I'm kind of at a loss for what the problem is... He did suggest spinning up a Firepower VM that is local to that SFR module, but we are in our busy season and my manager who handles that stuff is a bit swamped. Plus, I would assume there would be licensing that would get in the way...?&lt;BR /&gt;&lt;BR /&gt;Thanks Again for your replies, much appreciated.&lt;BR /&gt;&lt;BR /&gt;-Matt</description>
      <pubDate>Wed, 16 Jan 2019 18:02:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781367#M1040064</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2019-01-16T18:02:24Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781505#M1040065</link>
      <description>&lt;P&gt;He did suggest spinning up a Firepower VM that is local to that SFR module, but we are in our busy season and my manager who handles that stuff is a bit swamped. Plus, I would assume there would be licensing that would get in the way...?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Okay. In that case, yes, this is possible. The ASA SFR comes with a traditional license and you can rehost the problematic SFR to a new FMC, but it is best to check with the Cisco licensing team. I have my ASA SFR running with a VM FMC. Many times while testing I break my FMC, so what I do is re-host my ASA on a new FMC (I spin up a new vFMC) and rehost my license on it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this is of some help.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jan 2019 21:35:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3781505#M1040065</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-01-16T21:35:33Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot Register SFR Module to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3785391#M1040066</link>
      <description>&lt;P&gt;So I have some new information.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I decided to try and do the pings again using the high byte count that caused the packet loss between the SFR Module and the FMC. But, instead of pinging the FMC address, I pinged some other VMs that are located on the exact same ESXi server&amp;nbsp;&lt;EM&gt;(*over the same physical hardware: wire, interface, etc...)&lt;/EM&gt; and that are on the same Vlan as the FMC. Doing these pings, with the same ping command, I experienced no packet loss at all.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I then hopped onto one of these VMs, and did the ping command with the same high byte count, and pinged the SFR module and experienced no packet loss here either.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So, it appears that the issue lies somewhere with the FMC virtual machine itself. Would you agree?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-Matt&lt;/P&gt;</description>
      <pubDate>Tue, 22 Jan 2019 19:11:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-register-sfr-module-to-fmc/m-p/3785391#M1040066</guid>
      <dc:creator>Matthew Martin</dc:creator>
      <dc:date>2019-01-22T19:11:39Z</dc:date>
    </item>
  </channel>
</rss>

