topic registering FTDv Azure to FMC on-prem in Network Security

registering FTDv Azure to FMC on-prem

mateens — Fri, 06 Aug 2021 13:44:58 GMT

Hei,

I am trying to register FTDv in Azure to FMC on-prem over express route. I am getting error " "Discovery failed due to internal error contact TAC". I also see communication established messages.

Used same configure manager add IP key nat-id on both sides...

@Marvin Rhoads any tips ?

Re: registering FTDv Azure to FMC on-prem

Marvin Rhoads — Fri, 06 Aug 2021 19:51:58 GMT

Can you confirm that you have bidirectional communication (must be able to initiate from either end) over tcp/8305?

Re: registering FTDv Azure to FMC on-prem

Chakshu Piplani — Fri, 06 Aug 2021 22:28:51 GMT

Hi,

Can you try by creating a new policy while registering the device and chose default action as "intrusion prevention", I have seen this happening when the default action is selected to be "Network Discovery".

Regards,

Chakshu

Do rate helpful posts!

Re: registering FTDv Azure to FMC on-prem

mateens — Sat, 07 Aug 2021 07:12:13 GMT

I can ping both ways and the ports are open. I see communication established notification in FMC. sftunnel status shows output on FTD with FMCs hostname looks like it established connection with FMC. any other way to verify ?

Re: registering FTDv Azure to FMC on-prem

mateens — Sat, 07 Aug 2021 07:14:53 GMT

I tried changing the acp's default action to intrusion prevention max detection. any other tip ?

Re: registering FTDv Azure to FMC on-prem

Mohammed al Baqari — Sat, 07 Aug 2021 17:19:29 GMT

Hi,

>From FMC CLI go to expert mode and run this command:

pigtail -f var/logs/messages

This will help you to see whats happening during registration.

**** please remember to rate useful

Re: registering FTDv Azure to FMC on-prem

mateens — Sat, 07 Aug 2021 23:41:30 GMT

i see no log messages on fmc with that command, just says displaying.

in fmc i see following notifications:

-registration started

-registration communication established

-FTDv discovery from the device in progress ( many messages and it takes almost 30 min)

-unregistration unable to get status message.

on FTD i see

-pending

-show managers "registration :completed"

-no managers when fmc finishes unregistration.

Re: registering FTDv Azure to FMC on-prem

Mohammed al Baqari — Sun, 08 Aug 2021 00:34:29 GMT

That doesn't make sense. Are you sure the FMC IP is correct?

**** please remember to rate useful posts

Re: registering FTDv Azure to FMC on-prem

mateens — Mon, 09 Aug 2021 08:27:10 GMT

Yes, show managers command on ftd shows the ip of the fmc and registration completed.

but after about 30min on Discovery from the device is in progress, FMC unregisters the FTD and says unable to get status message

Re: registering FTDv Azure to FMC on-prem

mateens — Tue, 10 Aug 2021 07:14:54 GMT

Re: registering FTDv Azure to FMC on-prem

mateens — Mon, 09 Aug 2021 12:59:02 GMT

I digged some log messages from the devices. What is the role og SSL during registration ?

fw01:
-------
fw01: Built inbound TCP connection for Azure_FMC:172.30.7.1/52255 to LNK:10.240.1.6/8305
fw01: Built inbound TCP connection for LNK:10.240.1.6/52451 to Azure_FMC:172.30.7.1/8305

---------------
logs from FMC:

Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_connections [INFO] DISCONNECTED:do_services_read_write: Broken connection to service 9009 (FD 10), peer 10.240.1.6
Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_peers [INFO] Confirm RPC service in CONTROL channel
Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_connections [INFO] Accepting a service connection..
Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_heartbeat [INFO] CSM_CCM service is published for peer 10.240.1.6
Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_peers [INFO] Using a 750 entry queue for 10.240.1.6 - 9009
Aug 9 10:01:55 fmc01 SF-IMS[28415]: [14152] sftunneld:sf_channel [INFO] Peer 10.240.1.6. SWITCH SERVICE 9009 CHANNEL 2
Aug 9 10:01:56 fmc01 stunnel: LOG3[24057]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Aug 9 10:02:30 fmc01 SF-IMS[7541]: [7541] pm:process [INFO] Started RUAScheduledDownload (24189)

-------------------

Logs from FTD:

Aug 9 10:04:15 ftd01 SF-IMS[16639]: [17150] sftunneld:sf_heartbeat [INFO] Received message for not published CSM_CCM service for peer 172.30.7.1
Aug 9 10:05:09 ftd01 syslog-ng[1549]: Connection failed; fd='18', server='AF_UNIX(/dev/asalog)', local='AF_UNIX(anonymous)', error='No such file or directory (2)'
Aug 9 10:05:09 ftd01 syslog-ng[1549]: Initiating connection failed, reconnecting; time_reopen='60'
Aug 9 10:06:09 ftd01 syslog-ng[1549]: Connection failed; fd='17', server='AF_UNIX(/dev/asalog)', local='AF_UNIX(anonymous)', error='No such file or directory (2)'
Aug 9 10:06:09 ftd01 syslog-ng[1549]: Initiating connection failed, reconnecting; time_reopen='60'

Re: registering FTDv Azure to FMC on-prem

mateens — Mon, 09 Aug 2021 13:05:42 GMT

error Looks like this bug CSCvg62301.

Re: registering FTDv Azure to FMC on-prem

mateens — Tue, 10 Aug 2021 07:14:27 GMT

Re: registering FTDv Azure to FMC on-prem

mateens — Fri, 13 Aug 2021 13:59:02 GMT

What does this log mean ?

on FTD i see:

ACTQ: 08-13 13:45:27 pid=15605 Remote heartbeat task processing failed on 172.30.7.1: Appliance is set to ignore, ignore heartbeat from 4eb60038-c462-11eb-a04d-m3017b472bc8 at /ngfwPERLLIB/SF/Synchronize/VerticalSync.pm line 462.
SERR: 08-13 13:45:27 ActionQueueScrape[3300]: Remote heartbeat task processing failed on 172.30.7.1: Appliance is set to ignore, ignore heartbeat from eb60038-c462-11eb-a04d-m3017b472bc8 at /ngfwPERLLIB/SF/Synchronize/VerticalSync.pm line 462.

on FMC i see:

SERR: 08-13 13:37:08 ActionQueueScrape[27936]: REMOTE WARNING FROM '10.240.1.6': Platform_info file not present.
USMS: 08-13 13:37:08 "hostName": "10.240.1.6",
USMS: 08-13 13:37:08 "mgmtIpAddress": "10.240.1.6",
ACTQ: 08-13 13:37:08 pid=10302 Applying Custom FP remotely to 10.240.1.6 at PERLLIB/SF/RNA/CustomFP.pm line 1803.
ACTQ: 08-13 13:37:08 pid=8270 'displayName' => '10.240.1.6'
USMS: 08-13 13:37:08 "hostName": "10.240.1.6",
USMS: 08-13 13:37:08 "mgmtIpAddress": "10.240.1.6",
SERR: 08-13 13:37:08 ActionQueueScrape[27936]: Applying Custom FP remotely to 10.240.1.6 at PERLLIB/SF/RNA/CustomFP.pm line 1803.
SERR: 08-13 13:37:08 ActionQueueScrape[27936]: 'displayName' => '10.240.1.6'
SERR: 08-13 13:37:08 ActionQueueScrape[27936]: END TASK || 4c4bba94-fc4b-11eb-ac6f-87cd8c764v65 || Registration || Communication with 10.240.1.6 has been established, discovery in progress || 138

Re: registering FTDv Azure to FMC on-prem

mateens — Fri, 20 Aug 2021 07:33:05 GMT

Problem was actually at the Azure end. It worked after I added fourth interface to the FTDv VM in azure (i had 3) and did Detach and attach on the all the interfaces.