topic Re: How does Re:ftd add static routes and configure priorities in the in Network Security

How does ftd add static routes in ctl and configure priorities?

Translator — Fri, 10 Jun 2022 07:13:29 GMT

My ftd can't connect to fmc because of routing reasons, now I need to add a static route and make the configuration priority higher than ospf

Hot: How ftd adds static routes in ctl and configures configuration priorities

Translator — Sun, 12 Jun 2022 10:04:07 GMT

configuration network static-routes

to add or remove static routes, use the configuration network static-routes command.

configuration network static-routes { ipv4 | ipv6 { add interface destiny netmask_or_prefix gateway | delete}

Syntax Description

add	Ads a static route for the management interface.
delete	Remove a static route for the management interface. You are proformed to choose which route to delete.
interface	The ID of the management interface. Use the show network command to view the Management interface ID for your model.
ipv4	Ads or deletes a static route for the IPv4 management address.
ipv6	Ads or deletes a static route for the IPv6 management address.
destiny	The deployment IP address to add or remove, in IPv4 or IPv6 format as an appliance. For example, 10.100.10.10 or 2001:db8::201.
netmask_or_prefix	The network address mask for IPv4, or prefix for IPv6. The IPv4 netmask must be in a numbered presentation, for example, 255.255.255.0. The IPv6 prefix is a standard prefix number, sum as 96.
gateway	The gateway address to add or remove, in IPv4 or IPv6 format as an appliance.

Command History

ReleaseRegistration

6.0.1

This command was introduced.

Example:

configuration network static-routes ipv4 add eth0 192.168.10.0 255.255.255.0 192.168.1.1

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2268306860

Add static route on Firepower module:

https://community.cisco.com/t5/security-documents/add-static-route-on-firepower-module/ta-p/3156256

Combined with OSPF, the AD is small and the default value is 1, so there is no need to modify it.

Not sure if it's right or not, you can try it, hope it works

Re: How does ftd add static routes in ctl and configure priorities?

Marius Gunnerud — Sun, 12 Jun 2022 19:22:52 GMT

I am assuming you have your management interface default gateway via a data interface on the FTD and it is the data interface which is having the routing issue?

If so here is the solotion. Remember that you must correct the static route issue in the GUI once you have connectivity again as a new policy deploy will overwrite this solution. You also need to have access the the FTD CLI and are able to access root privileges. You dont need to go into the /ngfw/var/sf/bin directory but I like going there as this is where the script is located. Hope this helps.

>expert

# sudo su -

root# cd /ngfw/var/sf/bin

root# LinaConfigTool "route DMZ 1092.168.1.0 255.255.255.0 192.168.2.1";

Re: How does ftd add static routes in ctl and configure priorities?

Translator — Tue, 14 Jun 2022 02:23:28 GMT

Excuse me, does the DMZ in "route DMZ" refer to the area to which the routing interface belongs, or is it a custom nickname field?

Re: How does ftd add static routes in ctl and configure priorities?

Marius Gunnerud — Tue, 14 Jun 2022 04:14:19 GMT

This is basic ASA / FTD CLI routing configuration, so DMZ reders to the interface that the subnet is reachable through.

Hot: How does Re:ftd add static routes and configure priorities in a CTL?

Translator — Thu, 16 Jun 2022 09:43:35 GMT

I've deployed OSPF to let the device learn how to route to FMC, but why the device still shows disabled status and cannot be managed.

Re: Hot: How does Re:ftd add static routes and configure priorities in

Marius Gunnerud — Sun, 19 Jun 2022 22:16:58 GMT

Are you able to ping the FTD from the FMC? can you telnet from FMC CLI to the FTD on port tcp/8305. Remember also that you need to allow traffic from the FTD to the FMC on port tcp/8305 if this management traffic is passing through another firewall.

Hot: Re: Hot: How Re:ftd adds static routes and configuration priorities

Translator — Mon, 20 Jun 2022 01:46:58 GMT

My two ftdCan't ping fmc ftd-b or ping fmc A-B between ha ftd-A. But B can be managed by FMC. ... The problem has not been found, FTD-A and B are the same configuration.

Re: Hot: Re: Hot: How Re:ftd adds static routes and configuration prio

Marius Gunnerud — Tue, 21 Jun 2022 20:20:03 GMT

could you provide a network diagram? that shows the IPs and how these devices are connected to the network and their relation to eachother.

When you ping from the FTD you will be pinging from the data interfaces so if this traffic is not allowed in access rules the traffic is not permitted. so a better test would be ping from FMC.

So, what is between the FTDs and the FMC? a router, another firewall, or are they on the same subnet (doubtful as this started out as a routing question)?

Since FTD B can be managed the issue is most likely not routing. What is the management IP you have given FTD A? You said that A and B have the same configuration, does that mean you gave FTD A the same IP as you configured on B? If so then this is your problem. FTD A needs a separate IP.

If there are any firewalls or access lists in the path between the FMC and FTD A and B then you need to also check if the traffic is allowed towards FTD A.

Hot: Re:Hot:Hot:How Re:ftd adds static routes and configurations before configuration

Translator — Wed, 22 Jun 2022 10:14:46 GMT

I use the ping prompt on fmc: ping: icmp open socket: Operation not operated

My Network Topology

FTD_A

FTD-A

> show network
===============[ System Information ] ===============
Hostname: ASCHZXS-12F-JF-A02-FW-2110-01
DNS servers: 172.169.18.8
management port: 8305
IPv4 Default route
Gateway: 172.17.3.254

==================[ management0 ] ===================
State: Enabled
Channels: Management & Events
Mod: Non-Automation
MDI/MDIX: Auto/MDIX
MTU: 1500
MAC address: CC:7F:76:B1:73:80
—[ IPv4 ] —
Configuration: Manuel
Address: 172.17.2.10
Netmask: 255.255.254.0
Broadcast: 172.17.3.255
—[ IPv6 ] —
Configuration: Disabled

===============[ Proxy Information ] ================
State: Disabled
Authentication: Disabled

>?

> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - cancel date default, U - per-user static route
o - ODR, P - periodic downloadestatic route, + - reregistered route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directionally connected, failover_link
L 1.1.1.1 255.255.255.255 is directionally connected, failover_link
C 2.2.2.0 255.255.255.252 is directionally connected, state_link
L 2.2.2.1 255.255.255.255 is directionally connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directionally connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.2 255.255.255.255 is directionally connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directionally connected, TO_RT01_OUTSIDE-1
L 172.17.10.67 255.255.255.255 is directionally connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directionally connected, TO_RT02_OUTSIDE-2
L 172.17.10.75 255.255.255.255 is directionally connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directionally connected, TO_HXSW01_INSIDE-1
L 172.17.10.82 255.255.255.255
is directionally connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directionally connected, TO_HXSW02_INSIDE-2
L 172.17.10.90 255.255.255.255
is directionally connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

>?

> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unregistered YES unset up
Ethernet1/1 172.17.10.67 YES CONFIG up
Ethernet1/2 172.17.10.75 YES CONFIG up
Ethernet1/3 172.17.10.82 YES CONFIG up
Ethernet1/4 172.17.10.90 YES CONFIG up
Ethernet1/5 172.17.7.2 YES CONFIG up
Ethernet1/6 172.17.7.10 YES CONFIG down down down
Ethernet1/7 172.17.7.18 YES CONFIG down down down
Etherenet1/8 unsigned YES unset admin down down
Ethernet1/9 unsigned YES unset admin down down
Ethernet1/10 unsigned YES unset admin down down
Ethernet1/11 1.1.1.1 YES unset up up
Ethernet1/12 2.2.2.1 YES unset up up
Ethernet1/13 unsigned YES unset admin down down
Ethernet1/14 unsigned YES unset admin down down
Ethernet1/15 unsigned YES unset admin down down
Ethernet1/16 unsigned YES unset admin down down
Internal-Control1/1 unregistered YES unset up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unsigned YES unset up
Management1/1 unsigned YES unset up
>?

> show tailor state

State Last Failure Response Date/Time
This host - Primary
Stanby Ready None
Other host - Second
Active None

====Configuration State===
Sync Done - STANBY
====Communication State===
Mac Set

>?

FTD-B

> show network
===============[ System Information ] ===============
Hostname: firepower
DNS servers: 172.169.18.8
management port: 8305
IPv4 Default route
Gateway: 172.17.3.254

==================[ management0 ] ===================
State: Enabled
Channels: Management & Events
Mod: Non-Automation
MDI/MDIX: Auto/MDIX
MTU: 1500
MAC address: AC:3A:67:52:57:80
—[ IPv4 ] —
Configuration: Manuel
Address: 172.17.2.11
Netmask: 255.255.254.0
Broadcast: 172.17.3.255
—[ IPv6 ] —
Configuration: Disabled

===============[ Proxy Information ] ================
State: Disabled
Authentication: Disabled

> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unregistered YES unset up
Ethernet1/1 172.17.10.66 YES CONFIG up
Ethernet1/2 172.17.10.74 YES CONFIG up
Ethernet1/3 172.17.10.81 YES CONFIG up
Ethernet1/4 172.17.10.89 YES CONFIG up
Ethernet1/5 172.17.7.1 YES CONFIG up
Ethernet1/6 172.17.7.9 YES CONFIG down down down
Ethernet1/7 172.17.7.17 YES CONFIG down down down
Etherenet1/8 unsigned YES unset admin down down
Ethernet1/9 unsigned YES unset admin down down
Ethernet1/10 unsigned YES unset admin down down
Ethernet1/11 1.1.1.2 YES unset up up
Ethernet1/12 2.2.2.2 YES unset up up
Ethernet1/13 unsigned YES unset admin down down
Ethernet1/14 unsigned YES unset admin down down
Ethernet1/15 unsigned YES unset admin down down
Ethernet1/16 unsigned YES unset admin down down
Internal-Control1/1 unregistered YES unset up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unsigned YES unset up
Management1/1 unsigned YES unset up

> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - cancel date default, U - per-user static route
o - ODR, P - periodic downloadestatic route, + - reregistered route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directionally connected, failover_link
L 1.1.1.2 255.255.255.255 is directionally connected, failover_link
C 2.2.2.0 255.255.255.252 is directionally connected, state_link
L 2.2.2.2 255.255.255.255 is directionally connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directionally connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.1 255.255.255.255 is directionally connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directionally connected, TO_RT01_OUTSIDE-1
L 172.17.10.66 255.255.255.255 is directionally connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directionally connected, TO_RT02_OUTSIDE-2
L 172.17.10.74 255.255.255.255 is directionally connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directionally connected, TO_HXSW01_INSIDE-1
L 172.17.10.81 255.255.255.255
is directionally connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directionally connected, TO_HXSW02_INSIDE-2
L 172.17.10.89 255.255.255.255
is directionally connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> show tailor
descriptor exec history interface state statistics |

> show tailor state

State Last Failure Response Date/Time
This host - Second
Active None
Other host - Primary
Stanby Ready Comm Failure 09:58:15 UTC Jun 1 2022

====Configuration State===
sync done
====Communication State===
Mac Set

>?

Re: Hot: Re:Hot:Hot:How Re:ftd adds static routes and configurations b

Marius Gunnerud — Wed, 22 Jun 2022 10:21:00 GMT

to ping from the FMC you need to be the root user, so you need to log into cli, enter expert mode and then sudo su -

could you issue the command show managers on both FTD?

Hot: Re: Hot: Re:Hot:Hot:How Re:ftd adds static routes and configurations b

Translator — Fri, 24 Jun 2022 04:51:08 GMT

FTD-A 172.17.2.10
> show managers
Type: Manager
Host: 172.16.1.31
Registration: Completed

>
?FTD-A 172.17.2.11 (managed side events)
> show managers
Type: Manager
Host: 172.16.1.31
Registration: Completed

>
?

FMC-SSH

Last login: Fri Jun 24 04:46:39 2022 from 172.17.3.68

Copright 2004-2020, Cisco and/or its affairs. All rights reserved.
Cisco is a registered trader of Cisco Systems, Inc.
All other travels are property of their responsive officers.

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.7 (build 53)

>

Configure Change to Configure mode
exit exit this CLI session
excel Invokable a shell
show Change to Show Mode
system change to system mode

> excert
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$ ping 172.17.2.10
Ping: icmp open socket: Operation not operated
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$

?

Re: Hot: Re: Hot: Re:Hot:Hot:How Re:ftd adds static routes and configu

Marius Gunnerud — Sun, 26 Jun 2022 21:07:39 GMT

to issue a ping from the FMC you need to have root privileges, (sudo su -)

But as per the output of show managers the FMC has successfully registered with the FTD device.

Reply: Re:Hot:Re:Hot:Re:Hot:Hot:How Re:ftd adds static routes and configu

Translator — Mon, 27 Jun 2022 03:43:56 GMT

However, the FMC shows that the FTD is disabled and cannot be managed.

I would like to try to make a any any configuration on FTD-CLI to see if the FTD-A is unable to connect to the FMC due to policy reasons, and how to write such a policy under the CLI and save it to take effect.

Reply: Re:Hot:Re:Hot:Re:Hot:Hot:How Re:ftd adds static routes and configu

Translator — Mon, 27 Jun 2022 03:45:21 GMT

Since I was the post-docking device, the FTD was disconnected in November 2021.

Or how I should seek remote technical support.

Reply: Re:Hot:Re:Hot:Hot:How Re:ftd adds static routes and configurations b

Translator — Mon, 27 Jun 2022 04:04:30 GMT

root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.16.2.251
PING 172.16.2.251 (172.16.2.251) 56 (84) bytes of data.
64 bytes from 172.16.2.251: icmp_req=1 ttl=63 time=0.266 ms
64 bytes from 172.16.2.251: icmp_req=2 ttl=63 time=0.236 ms
^C
— 172.16.2.251 ping statistics —
2 packets transmited, 2 received, 0% packet loss, time 1032ms
rtt min/avg/max/mdev = 0.236/0.251/0.266/0.015 ms
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.17.2.10
PING 172.17.2.10 (172.17.2.10) 56 (84) bytes of data.
64 bytes from 172.17.2.10: icmp_req=1 ttl=60 time=7.89 ms
64 bytes from 172.17.2.10: icmp_req=2 ttl=60 time=7.90 ms
64 bytes from 172.17.2.10: icmp_req=3 ttl=60 time=7.93 ms
^C
— 172.17.2.10 ping statistics —
3 packets transmited, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 7.891/7.907/7.932/0.104 ms
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.17.2.11
PING 172.17.2.11 (172.17.2.11) 56 (84) bytes of data.
64 bytes from 172.17.2.11: icmp_req=1 ttl=60 time=8.18 ms
64 bytes from 172.17.2.11: icmp_req=2 ttl=60 time=8.08 ms
64 bytes from 172.17.2.11: icmp_req=3 ttl=60 time=7.91 ms
^C
— 172.17.2.11 ping statistics —
3 packets transmited, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 7.916/8.062/8.183/0.110 ms

I've tried in fmc ping FTD Three are available but only 172.17.2.10 display is disabled.

FMC 172.16.1.31FMC 172.16.1.31FTD-B 172.17.2.11FTD-B 172.17.2.11FTD-SX 172.16.2.251FTD-SX 172.16.2.251FTD-A 172.17.2.10FTD-A 172.17.2.10

Re: Reply: Re:Hot:Re:Hot:Re:Hot:Hot:How Re:ftd adds static routes and

Marius Gunnerud — Mon, 27 Jun 2022 20:01:00 GMT

Does the management traffic for the FTDs pass through FTD-B ? If yes, instead of an any any rule right now, I suggest doing a packet tracer first. One with source of FMC and destination of FTD mgmt IP and destination port of tcp/8305. Then also in the reverse direction FTD mgmt IP to FMC with destination port of tcp/8305.

If you are looking for technical support I suggest contacting your local Cisco partner, or if you are able to open a TAC case directly then you can do so.

Re: Re: Re: Re: Re:Hot:Re:Hot:Re:Hot:Hot:Hot:How Re:ftd Add Static Route and

Translator — Thu, 07 Jul 2022 07:51:58 GMT

Please look at the data I replied to below

Re: Re: Re: Re: Re:Hot:Re:Hot:Re:Hot:Hot:Hot:How Re:ftd Add Static Route and

Translator — Thu, 07 Jul 2022 08:56:09 GMT

root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.10 8305
Trying 172.17.2.10...
Connected to 172.17.2.10.
Escape character is '^]'.
^C
^CConnection closed by foreign host.
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.11 8305
Trying 172.17.2.11...
telnet: connect to address 172.17.2.11: Connection refused
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin#

172.17.2.10 is a FTD_A that I can't manage right now

172.17.2.11 is the FTD_B I can manage today

Here is FTD-A Request FMC (172.16.1.31) 8305

root@ASCHZXS-12F-JF-A02-FW-2110-01:/home/admin# telnet 172.16.1.31 8305
Trying 172.16.1.31...
Connected to 172.16.1.31.
Escape character is '^]'.
^C^C^CConnection closed by foreign host.
root@ASCHZXS-12F-JF-A02-FW-2110-01:/home/admin#

Re: Re: Re: Re: Re:Hot:Re:Hot:Re:Hot:Hot:Hot:How Re:ftd Add Static Rou

Marius Gunnerud — Thu, 07 Jul 2022 09:25:52 GMT

Please read my last post and provide the requested information