topic Re: Unable to add FTD into FMC in Network Security

Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 13:56:06 GMT

Hello,

I am currently unable to add FTD into FMC, each attempt it comes out with error message host x.x.x.x is not reachable.

- FMC in Europe, FTD in China.

- The FMC ping successfully FTD and vice versa.

- I did configure network management-data-interface.

- Devices not behind NAT so this setting was skipped.

- The FMC has other FTD running without any issues.

> show managers
Host : x.x.x.x
Registration Key : ****
Registration : pending
RPC Status :
Type : Manager
Host : x.x.x.x
Registration : Pending

> sftunnel-status

SFTUNNEL Start Time: Fri Nov 19 07:59:07 2021

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 0
Reserved SSL connections: 0
Management Interfaces: 2
br1 (control events) x.x.x.x,

Re: Unable to add FTD into FMC

balaji.bandi — Fri, 19 Nov 2021 14:06:43 GMT

ping is not good enough, if FMC behind FW you need make sure the ports are opened between FTD and FMC

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security__Internet_Access__and_Communication_Ports.html

Re: Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 14:09:17 GMT

SFtunnel port 8305 is open. From documentation that should be the one opened.

Re: Unable to add FTD into FMC

Marvin Rhoads — Fri, 19 Nov 2021 14:50:00 GMT

Can you telnet using tcp 8305 in both directions? Both the FMC and managed device need to be able to initiate traffic.

Note China may be blocking the traffic. You can do a packet capture on your FMC to check if the incoming attempts are reaching it. Just use tcpdump from expert mode cli as root user and filter on the FTD host address in the capture.

Re: Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 15:24:10 GMT

ftd-1 SF-IMS[8257]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8256] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8313]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8312] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Default IPv4 gateway for 'br1' not configured.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Adding default IPv4 gateway '1.1.1.1' for 'br1'.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [WARN] Command '/sbin/ip route add default via 1.1.1.1 dev br1' returned 512.
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
ftd-1 SF-IMS[24318]: [24318] sftunneld:SYNC_PROC [INFO] Change in directory /ngfw/var/sf/sync detected (0 vs 1637287229)
ftd-1 SF-IMS[8502]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8501] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8544]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8543] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9

Re: Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 15:36:06 GMT

ftd-1 SF-IMS[8257]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8256] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8313]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Default IPv4 gateway for 'br1' not configured.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Adding default IPv4 gateway '1.1.1.1' for 'br1'.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [WARN] Command '/sbin/ip route add default via 1.1.1.1 dev br1' returned 512.
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
ftd-1 SF-IMS[24318]: [24318] sftunneld:SYNC_PROC [INFO] Change in directory /ngfw/var/sf/sync detected (0 vs 1637287229)
ftd-1 SF-IMS[8502]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8501] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8544]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A

Re: Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 15:54:23 GMT

From FTD to FMC:
admin@:~$ ssh 4.1.1.1 8305
Password:

From FMC to FTD:
root@:~# ssh 5.2.2.2 8305

ssh: connect to host 5.2.2.2 port 22: Connection timed out

Tried with ssh both directions it seems there is an issue from FMC to FTD.

Re: Unable to add FTD into FMC

balaji.bandi — Fri, 19 Nov 2021 16:05:39 GMT

From FMC to FTD:
root@:~# ssh 5.2.2.2 8305

ssh: connect to host 5.2.2.2 port 22: Connection timed out


Tried with ssh both directions it seems there is an issue from FMC to FTD.

Now you know where to look and fix the issue.

Re: Unable to add FTD into FMC

BmfL — Fri, 19 Nov 2021 18:22:30 GMT

After reviewing I have detected there was a NAT device on the path, despite being told that there isn't. Configuration where done accordingly. Now it works fine.

Re: Unable to add FTD into FMC

balaji.bandi — Tue, 23 Nov 2021 17:42:38 GMT

Glad you able to resolve the issue, and thank you for sharing your feedback, we mark this as a solution now.