topic Re: Cant PING FQDN from CLISH FTD in Network Security

Cant PING FQDN from CLISH FTD

keithcclark71 — Tue, 13 Sep 2022 15:27:19 GMT

I'd like to register FMC manager by FQDN but from Clish mode on FTD when I do show network command I have 2 different sections showing my DNS config. I can ping outside public IP addresses so I know routing is fine but I cannot ping or resolve external names to IP addresses. I am hoping if I can get name resolution working that I can register my FTD's to the FMC using FQDN rather than Public IP address. Anyone follow me here and have any thoughts as I gotta get this FTD in place tomorrow and I'm worried that if I register through the data interface using Public IP of firewall in front of the FMC that if they ever change ISP's and that public IP changes that all my tail site FTD's will break meaning I'll no longer be able to deploy changes etc. Please help here

Also when I registered teh FTD over the data interface I was expecting to see the WAN IP of the FTD established 8305 to public IP address of the manager but it does not. It show like a private IP established to it as follows. What is up with that???
tcp 0 58 169.254.1.3:8305 FMCMANAGERPUBLICIP:51043 ESTABLISHED
tcp 0 0 169.254.1.3:8305 FMCMANAGERPUBLICIP:35467 ESTABLISHED

===============[ System Information ]===============
Hostname : TT-FTD1010-3
DNS Servers : 208.67.222.222
208.67.220.220
2620:119:35::35
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.3.1
Netmask : 0.0.0.0

======[ System Information - Data Interfaces ]======
DNS Servers : 208.67.222.123
208.67.220.123
Interfaces : Ethernet1/1

Re: Cant PING FQDN from CLISH FTD

balaji.bandi — Tue, 13 Sep 2022 15:30:01 GMT

never tried that option, since most of the deployment in same DC.

check some Limitaton here :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html

Re: Cant PING FQDN from CLISH FTD

keithcclark71 — Tue, 13 Sep 2022 18:31:16 GMT

If ip address of the FMC remote management IP changes can one at least change the manager IP address on the FTD rather than having to reregister it using the new IP address of the FMC ?

Re: Cant PING FQDN from CLISH FTD

balaji.bandi — Wed, 14 Sep 2022 11:24:44 GMT

In general condition, we expect Management to be fixed not to change dynamically, so this need to consider when you deploying, if not config push from FMC can not reach FTD, if the IP changed.

for now i belive you need to rgister if the FTD IP changed i guess.