<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22) in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617592#M1090408</link>
    <description>&lt;P&gt;Provided the routing of this traffic is configured properly, these health probes are "to" the firewall itself and ACP rules are generally meant for traffic which is "through" the firewall; you need to permit SSH via the platform settings attached to this FTD pair.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Navigate to the platform settings, under Secure Shell select the correct interfaces and permit any-ipv4 address for testing, and deploy the policy. Verify the outcome; it would be a good idea to run packet captures if needed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 25 May 2022 13:43:56 GMT</pubDate>
    <dc:creator>Udupi Krishna.</dc:creator>
    <dc:date>2022-05-25T13:43:56Z</dc:date>
    <item>
      <title>Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22)</title>
      <link>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617253#M1090404</link>
      <description>&lt;P&gt;Hello Team!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I got a Cisco FTD cluster (managed by Cisco FMC) deployed in Azure. I have configured a load balancer so that the traffic is evenly balanced between the two FTDv devices because there is no concept of HA in Azure. The load balancer is probing (Health Probes) the FTDv on TCP port 22 (SSH) to check the availability of both FTDvs. If the load balancer doesn't get a response from FTDv on probes (TCP port 22 SSH), the device is marked as unavailable and no traffic is sent to the device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have created ACP rules for the probes from Azure IP address 168.63.129.16 and I can see the events. Somehow Azure can't probe the FTDvs and they are marked as "dead" and no traffic is routed through the firewalls. When this is happening I logged into the firewall and it seems everything is working fine and I can't see any blocked events or Azure IP address 168.63.129.16.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Has someone got a similar issue? I hope to receive suggestions on how to troubleshoot this issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks &amp;amp; Regards,&lt;/P&gt;&lt;P&gt;Sam&lt;/P&gt;</description>
      <pubDate>Wed, 25 May 2022 08:26:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617253#M1090404</guid>
      <dc:creator>IamSamSaul</dc:creator>
      <dc:date>2022-05-25T08:26:10Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22)</title>
      <link>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617592#M1090408</link>
      <description>&lt;P&gt;Provided the routing of this traffic is configured properly, these health probes are "to" the firewall itself and ACP rules are generally meant for traffic which is "through" the firewall; you need to permit SSH via the platform settings attached to this FTD pair.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Navigate to the platform settings, under Secure Shell select the correct interfaces and permit any-ipv4 address for testing, and deploy the policy. Verify the outcome; it would be a good idea to run packet captures if needed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 25 May 2022 13:43:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617592#M1090408</guid>
      <dc:creator>Udupi Krishna.</dc:creator>
      <dc:date>2022-05-25T13:43:56Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22)</title>
      <link>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617611#M1090410</link>
      <description>Thanks for your reply. I have already configured ssh with any under the&lt;BR /&gt;Platform settings. Under the ACP I can see hits from probes on port 22 ssh.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Sam&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 25 May 2022 14:19:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617611#M1090410</guid>
      <dc:creator>IamSamSaul</dc:creator>
      <dc:date>2022-05-25T14:19:29Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22)</title>
      <link>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617963#M1090429</link>
      <description>&lt;P&gt;Alright, that's a good first step. Run a capture to see if it's landing on the correct interface and there are responses going back to complete a proper 3-way handshake. If it isn't, there's obviously some sort of connectivity failure.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This should be a good reference article to confirm everything is in place -&amp;nbsp;&lt;A href="https://jackstromberg.com/2019/06/deploying-cisco-virtual-appliances-ngfwv-on-azure/" target="_blank"&gt;https://jackstromberg.com/2019/06/deploying-cisco-virtual-appliances-ngfwv-on-azure/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 26 May 2022 02:17:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-ftdv-in-azure-and-issue-with-probes-ssh-tcp-port-22/m-p/4617963#M1090429</guid>
      <dc:creator>Udupi Krishna.</dc:creator>
      <dc:date>2022-05-26T02:17:20Z</dc:date>
    </item>
  </channel>
</rss>

