topic Re: Firepower 1120: sftunnel-status connection never happened after re in Network Security

Firepower 1120: sftunnel-status connection never happened after reboot

MaErre21325 — Tue, 12 Oct 2021 08:38:12 GMT

Hello everybody,

after an electrical maintanance, our FTD is no longer registrated to FMC, thought was due to this bug: CSCvs98328 , but as you can see, even forcing the correct ntp it is still reporting :"Connection to peer '10.1.1.1' never happened".

The managers have been correctly added with the "configure manager add" command:

Cisco Firepower 1120 Threat Defense v6.6.4 (build 64)

> show managers

Type : Manager

Host : 10.1.1.1

Registration : Completed

Type : Manager

Host : 10.1.1.2

Registration : Completed

trying to force ntp as per CSCvs98328:

root@-FW:/home/admin# ntpdate -u internalt.ntp.org

5 Oct 09:39:09 ntpdate[15009]: step time server xx.xxx.xxx.xxx offset -36.7659 sec

root@-FW:/home/admin# date

Tue Oct 5 09:39:19 UTC 2021

root@-FW:/home/admin# pmtool restartbyid sftunnel

root@-FW:/home/admin# exit

exit

> sftunnel-status

SFTUNNEL Start Time: Tue Oct 5 09:40:02 2021

Both IPv4 and IPv6 connectivity is supported

Broadcast count = 0

Reserved SSL connections: 0

Management Interfaces: 1

management0 (control events) 10.1.1.5

**RUN STATUS****10.1.1.1*************

Connected: No

SSL Verification status: ok

Registration: Completed.

Connection to peer '10.1.1.1' never happened

Connection to peer '10.1.1.1' Attempted at Tue Oct 5 09:40:15 2021

do you have any suggestions to solve this problem?

both ftd and fmc are version 6.6.4.

Best regards

Re: Firepower 1120: sftunnel-status connection never happened after re

Chakshu Piplani — Wed, 13 Oct 2021 06:32:02 GMT

I see you have got FMC HA by any chance is 10.1.1.2 the active FMC.

How does the GUI looks like on FMC, are you getting alerts on FMC for appliance heartbeats?

Regards,

Chakshu

Do rate helpful posts!

Re: Firepower 1120: sftunnel-status connection never happened after re

MaErre21325 — Wed, 13 Oct 2021 07:56:04 GMT

Hi Chakshu,

yes we have fmc ha, in the gui we see heartbeats error, the strange thing is that the ftd is reachable via ssh, but e.g if we deploy a new policy, it fails due to the sftunnel down.

i've also tried this procedure with no results:

> expert
admin@FTDv:~$ sudo su
Password:
root@FTDv:/home/admin# manage_procs.pl
**************** Configuration Utility **************
1   Reconfigure Correlator
2   Reconfigure and flush Correlator
3   Restart Comm. channel
4   Update routes
5   Reset all routes
6   Validate Network
0   Exit
**************************************************************

Re: Firepower 1120: sftunnel-status connection never happened after re

#TCN — Mon, 16 May 2022 12:39:28 GMT

Hello All

I have a very similar issue to the above.

FMC/FTD 1120 code 6.6.5 running HA

> sftunnel-status

SFTUNNEL Start Time: Mon May 16 12:11:48 2022

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 1
Reserved SSL connections: 0
Management Interfaces: 1
management0 (control events) 10.10.10.10,

***********************

**RUN STATUS****10.10.10.10*************
Connected: No
SSL Verification status: ok
Registration: Completed.
Connection to peer '10.10.10.10' never happened
Connection to peer '10.10.10.10' Attempted at Mon May 16 12:23:23 2022

**RPC STATUS****10.10.10.10*************
RPC status :Failed
Check routes:
No peers to check

Running the below on the FTD or FMC makes no difference

This was following a power cut and the time/date was way out on the primary unit JAN 2015

I managed to bring the time closer via expert mode:

date -s "16 MAY 2022 11:00:00"

Time looks acceptable now however the SFtunnel remains down .....I was going to reboot FTD / FMC again following the time change but are there any other suggestions?

Unable to perform anything on the managed FTD at this stage,

Cheers,
#TCN

Re: Firepower 1120: sftunnel-status connection never happened after re

Skjalg Eggen — Sun, 04 Sep 2022 22:16:52 GMT

Been a long time since this update, but it helped me get my Firepower 1010 back online with FMC.

Turns out the 1010 thought it was the year 2034 🙂

sftunnel_status.pl

SFTUNNEL Start Time: Mon Sep 4 22:01:57 2034

Set the time per this post with: date -s "Mon Sep 4 22:14:00 UTC 2022"

then I restarted the sftunnel process on the 1010: # pmtool restartbyid sftunnel

and it worked 🙂