topic Re: FTD not connecting to FMC after Re-IP in Network Security

FTD not connecting to FMC after Re-IP

keibler — Tue, 08 Nov 2022 20:14:53 GMT

We had to change the outside interface IP of a remote office FTD that was connected to a central FMC. After changing the IP the FTD does not want to reconnect to the FMC. The network objects were updated to the new IP address (for NAT, Policies, etc..), device IP was changed under device management on the FMC, and the IP was changed on the FTD. I am able login to the the remote FTD via SSH from the central site. Any suggestions what to look out would be great.

Re: FTD not connecting to FMC after Re-IP

balaji.bandi — Tue, 08 Nov 2022 20:20:27 GMT

if the IP changed you need to de-register and re-register

check on FTD or FMC

> show managers

Re: FTD not connecting to FMC after Re-IP

keibler — Tue, 08 Nov 2022 21:03:06 GMT

The FTD still shows the FMC as the current manager. So correct me if I am wrong here. But if I delete the current manager it will wipe the configuration on the FTD. I will loose connectivity and drop all user traffic. This should not change the management of the device so I should be able to still SSH to the FTD using the outside interface . Then I connect the FTD again to the FMC by running the "connect manager add x.x.x.x <pass>" command. This is where I cannot find any documentation on how to associate the existing configuration back to the device. Should it pick it up automatically or is there a step i am missing here.

Re: FTD not connecting to FMC after Re-IP

balaji.bandi — Tue, 08 Nov 2022 23:33:43 GMT

Removing manager and adding back will not have any impact on the traffic. but from FMC you able to push changes (any way its not working for you now)

Most of the config is stored in FMC, so once it registers you can make changes, no config will be lost.

But saying that 1 in 10000 may have a different issue ( so from FMC backup the config out of the box)

Re: FTD not connecting to FMC after Re-IP

keibler — Wed, 09 Nov 2022 13:35:27 GMT

Balaji,

I tried that this morning and I am still having some issues on this remote ftd to get it reconnect. I removed the manager.

configure manager delete

Then added the manager again

configure manager add x.y.z.83 JoinMe JoinMe

> show managers Host : x.y.z.83 Registration Key : **** Registration : pending RPC Status : > show managers Host : x.y.z.83 Registration Key : **** Registration : pending RPC Status :

When I enable the existing device it errors with timeout. When I try and add the device it tells me that that the time is not synced. the FMC is configured for NTP. I also validated the time on the FTD and it is within 1 second.

> sftunnel-status SFTUNNEL Start Time: Wed Nov 9 13:15:15 2022 Both IPv4 and IPv6 connectivity is supported Broadcast count = 1 Reserved SSL connections: 1 Management Interfaces: 2 management0 (control events) 192.168.98.3, tap0.1000 (control events) 169.254.1.3,fd00:0:0:1::3 *********************** peer ~JoinMe did not reply at /usr/local/sf/bin/sftunnel_status.pl line 304. Retry rpc status poll at /usr/local/sf/bin/sftunnel_status.pl line 310. **RPC STATUS****x.y.z.83************* RPC status :Failed Check routes: No peers to check

Again this is a remote site and the FMC is configured with a NAT that was previously working to the remote site

Re: FTD not connecting to FMC after Re-IP

balaji.bandi — Wed, 09 Nov 2022 15:24:00 GMT

You need to remove both the sides is best to re-register.

if this was natted then you need to change NAT with new IP address to translate.

Re: FTD not connecting to FMC after Re-IP

keibler — Wed, 09 Nov 2022 19:42:59 GMT

No luck. Same error

Could not establish connection with Device Possible reasons could be:- - Time on FMC and Device are not in sync. Make sure NTP is configured on both. - There might be an IPS device between FMC/Device which might be blocking SSL connectivity between the two. Remove any rule in the IPS device which is blocking SSL connectivity. - Device and FMC are not listening on same sftunnel Port. Current sftunnel port configured on FMC is 8305, please ensure Device is also using the same port. - SSL certificates might have got generated with wrong/future time stamp. For more troubleshooting tips, see https://cisco.com/go/fmc-reg-error

NAT was updated when I updated the Network Object for the the FTDs outside interface. I am seeing NAT translations, packets both inbound & outbound on the packet capture.

The FMC IP did not change. I tried with "Unique NAT ID" and not. Also tried with using the "configure manager add DONTRESOLVE <key> <natID>".

Which leads maybe to the way I changed the IP address. The outbound (outside) interface is Ethe1/1. Here is the output of the show network.

> show network
===============[ System Information ]===============
Hostname : lynn00-ftdcx01
DNS Servers : 208.67.222.222
208.67.220.220
2620:119:35::35
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.98.1 <-this is the inside address
Netmask : 0.0.0.0

==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : <removed>
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.98.3
Netmask : 255.255.255.0
Gateway : 192.168.98.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers :
Interfaces : Ethernet1/1

==================[ Ethernet1/1 ]===================
State : Enabled
Link : Up
Name : lyn_outside
MTU : 1500
MAC Address : <removed>
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : x.y.z.38
Netmask : 255.255.255.240
Gateway : x.y.z.33
----------------------[ IPv6 ]----------------------
Configuration : Disabled

Any ideas?

Re: FTD not connecting to FMC after Re-IP

Marius Gunnerud — Wed, 09 Nov 2022 22:32:01 GMT

Have you had a look at the logs in /ngfw/var/log/messages ? There might be a clue as to why registration is failing there.

Re: FTD not connecting to FMC after Re-IP

balaji.bandi — Thu, 10 Nov 2022 09:53:10 GMT

Since you mentioned NAT - never tested myself : check below threat has some information may help you apart from suggestion made @Marius Gunnerud logs.

https://community.cisco.com/t5/network-security/connect-ftd-to-fmc-with-nat-at-both-sides/td-p/3726411

Re: FTD not connecting to FMC after Re-IP

keibler — Thu, 10 Nov 2022 15:07:20 GMT

I will check your recommendations on Monday