topic Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager in Network Security

Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

domevam — Mon, 19 Apr 2021 09:47:39 GMT

Hi all

I tried to remove interface management from logical device because I'm not use anymore, but it's not possible. If you try to change type for interface from fxos (/ssa/slot/app-instance* # clear-mgmt-bootstrap), it failed : Error: Update failed: [The interface type cannot be changed while the interface is in use. Remove the interface from the Logical Device before you attempt to change the type.]

I had to delete the logical device, change the interface type and re-create the logical device from scratch.

Anyone have suggest for it?

thanks

Domenico

Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

Marius Gunnerud — Mon, 19 Apr 2021 09:57:05 GMT

I assume you have done this, but just to check, have you removed all configuration that references the mgmt interface? If you have, then I assume the issue is because the management interface is not only used for management interface but also for diagnostic interface.

Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

domevam — Mon, 19 Apr 2021 16:01:08 GMT

Interface was configured only as management and not for diagnostic usage. Once it is configured as management, it is impossible to change its type and disassociate it from the logical device.

Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

Marius Gunnerud — Mon, 19 Apr 2021 17:14:11 GMT

The management 0/0 interface has two separate interfaces associated with it. So since the diagnostic interface is also associated with the interface it is logical that you will not be able to delete the management interface without having to rebuild it.

Here is a solution from Cisco documentation that you might try next time.

from https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-interfaces.html#concept_EB3DE1BBDB9547EC8866365C7BC11792

(Hardware devices.) One way to configure Management/Diagnostic is to not wire the physical port to a network. Instead, configure the Management IP address only, and configure it to use the data interfaces as the gateway for obtaining updates from the internet. Then, open the inside interfaces to HTTPS/SSH traffic (by default, HTTPS is enabled) and open Firepower Device Manager using the inside IP address (see Configuring the Management Access List).

Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

domevam — Wed, 21 Apr 2021 08:35:39 GMT

Hi,

my depolyment not involve FTD but ASA in platform mode. So there is no way to disassociate management interface from logical device, that's all or you have a solution for that, without remove all logical device??

thamks for support.

Re: Unable to remove the management interface from the logical device on the Cisco Firepower Chassis Manager

Marvin Rhoads — Wed, 21 Apr 2021 17:42:35 GMT

As far as I know, when you are operating an ASA in platform mode on a Firepower appliance it is required to allocate a physical management interface to it.