topic Re: Can't Access FCM after re-imaging and initial setup in Network Security

Can't Access FCM after re-imaging and initial setup

DerekLazarus78183 — Thu, 07 Apr 2022 15:47:03 GMT

So I have a FPR-4110 that set on the shelf for about 2 years. It needs to go in production so I go to configure it and input all the correct info as far as ip address for management, netmask, dns, domain, etc. I go to access the FCM via https and it comes up and just freezes. So after opening a TAC case and verifying I was doing everything correctly it was recommended that I re-image the Firepower. So going that route I complete the re-image upgrading the FX-OS firmware with the latest and greatest. I go through the initial config all over again and now still no access to FCM even though I can ping the mgmt interface and setup ssh which I can access but for whatever reason https access is a no go. I go to my browser and input the ip for the FCM and nothing. Any thoughts the TAC case is still open but thought I'd get some extra input as well

Re: Can't Access FCM after re-imaging and initial setup

Rob Ingram — Thu, 07 Apr 2022 15:51:22 GMT

@DerekLazarus78183 have you tried a different web browser? Is the traffic going through a proxy server, if so perhaps disable and so if that was causing the issue.

Re: Can't Access FCM after re-imaging and initial setup

DerekLazarus78183 — Thu, 07 Apr 2022 16:06:39 GMT

I have given every browser a try IE, Chrome, Firefox, Edge, and nothing. I am going through a firewall but I know that is not the problem due to being able to access it before. There isn't a proxy server involved either so I'm stomped to what the issue can be.

Re: Can't Access FCM after re-imaging and initial setup

Marvin Rhoads — Thu, 07 Apr 2022 16:15:33 GMT

There is an https access-list in the FXOS configuration that can cause this.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/2111/web-guide/b_GUI_FXOS_ConfigGuide_2111/platform_settings.html#id_30486

Re: Can't Access FCM after re-imaging and initial setup

DerekLazarus78183 — Thu, 07 Apr 2022 16:40:49 GMT

Thanks I went ahead and skimmed through the document. The access-list is only accessible through the GUI which is what I can't get to. So I went to check if https is enabled in the FXOS even though I was sure I did it in initial configuration and it is enabled for port 443 in so I am still stomped as to what the issue is.

Re: Can't Access FCM after re-imaging and initial setup

Marvin Rhoads — Thu, 07 Apr 2022 16:52:31 GMT

Sorry I gave the link to the GUI for setting the ACL. It is also configurable via cli. Please see the following:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/2111/cli-guide/b_CLI_ConfigGuide_FXOS_2111/platform_settings.html#id_30486

Configure the IP Access List

By default, the Firepower 4100/9300 chassis denies all access to the local web server. You must configure your IP Access List with a list of allowed services for each of your IP blocks.

The IP Access List supports the following protocols:

HTTPS
SNMP
SSH

For each block of IP addresses (v4 or v6), up to 100 different subnets can be configured for each service. A subnet of 0 and a prefix of 0 allows unrestricted access to a service.

Procedure

Step 1

From the FXOS CLI, enter the services mode:

scope system

scope services

Step 2

Create an IP block for the services you want to enable access for:

For IPv4:

create ip-block ip prefix [0-32] [http | snmp | ssh]

Be sure to "commit-buffer" after configuring it.

Re: Can't Access FCM after re-imaging and initial setup

DerekLazarus78183 — Thu, 07 Apr 2022 17:44:20 GMT

So I gave that a try still a no go.

Re: Can't Access FCM after re-imaging and initial setup

Marvin Rhoads — Thu, 07 Apr 2022 18:00:35 GMT

That's odd. Can you share the output of:

firepower /system/services # show ip-block

Re: Can't Access FCM after re-imaging and initial setup

DerekLazarus78183 — Thu, 07 Apr 2022 19:31:41 GMT

No need good sir just had to give things time to gel I guess I now have access to the Firepower Chassis Manager. Many thanks!