topic Re: Firepower Module Issue when adding it in Firepower Management Cent in Network Security

Firepower Module Issue when adding it in Firepower Management Center

laurathaqi — Mon, 20 Dec 2021 08:25:05 GMT

Dear community,

I have an issue were when I try to add Cisco ASA with Firepower Module, in FMC, following is happening:

- Firepower Module add Manager; adds FMC successfully. And it goes in a Pending State

- When I try to add the Firepower Module in FMC, I get the following error as attached image in this Question

The Version of ASA with Firepower is 6.2.2 and the Version of FMC is 6.2.3.16.

Things I have tried so far:

1. Restarted Firepower Module.

2. Restarted ASA and Firepower module.

3. Restarted FMC.

4. Made sure that there is communication in the specific port TCP 8305 between Firepower and FMC.

5. Made sure that the Registration Key is the same.

6. Made sure that NTP is the same in both Devices.

7. Did troubleshooting based on following: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html#anc19 but non of them resulted successful.

Any idea how to further troubleshoot this case?

Looking forward to hearing from you.

Best wishes,

Laura

Re: Firepower Module Issue when adding it in Firepower Management Cent

Marvin Rhoads — Mon, 20 Dec 2021 12:31:09 GMT

You've identified all of the usual steps we would suggest to troubleshoot. Can you share what you saw during a packet capture as is recommended in the linked document?

If none of those availed you, then I would suggest opening a TAC case to look into the logs or pcap in detail

Re: Firepower Module Issue when adding it in Firepower Management Cent

rhuysmans — Mon, 20 Dec 2021 22:09:43 GMT

Hi Laura,

are you able to ping the FMC from the firepower module? I'm not sure if it's on the same subnet as the FMC or if there's a router in between? FMC to SFR?
Also you could try to upgrade the Firepower module so that it's running the same version as the FMC. They are both quite old versions which may have some quirks to them.

Cheers

René

Re: Firepower Module Issue when adding it in Firepower Management Cent

kjy210061 — Tue, 21 Dec 2021 23:55:15 GMT

Hello, Laura.

tail -f /ngfw/var/log/messages | grep -i sftunnel to see what kind of error occurs.

If an SSL error occurs, connect via SSH from FTD and FMC, respectively, and modify the SSL key value.

Re: Firepower Module Issue when adding it in Firepower Management Cent

laurathaqi — Wed, 22 Dec 2021 07:40:16 GMT

Hi @kjy210061

Can you please tell me what I should modify in the SSL Key Value?

Thank you,

Laura

Re: Firepower Module Issue when adding it in Firepower Management Cent

kjy210061 — Wed, 22 Dec 2021 08:32:07 GMT

The quickest way is to make an SSH connection from FTD to FMC and from FMC to FTD respectively.
in FMC -ssh admin@FTD_IP
in FTD - ssh admin@FMC IP

First, check if an ssl error occurs in /var/log/message of fmc.

Re: Firepower Module Issue when adding it in Firepower Management Cent

Marvin Rhoads — Wed, 22 Dec 2021 08:45:22 GMT

@kjy210061 you are using SSL and ssh interchangeably in your suggestions. They are very different.

FMC to managed device communication uses the sftunnel which is TLS over tcp/8305.

Re: Firepower Module Issue when adding it in Firepower Management Cent

kjy210061 — Wed, 22 Dec 2021 08:48:25 GMT

@Marvin Rhoads Hello, Rhoads.

SSL communication is correct.
But this is one of my experiences.
If SSL Communication Error occurs in /var/log/messages, I changed the key value through SSH connection in FTD and FMC, and it was registered normally.