topic Re: Can't change Management Interface FPR 2130 in Network Security

Can't change Management Interface FPR 2130

korkomando — Tue, 17 Jan 2023 20:54:34 GMT

We have a couple FPR-2130s and FPR-2110s. We would like to change our default/dedicated management port to be one of our inside/data ports for simplicity's sake (Management1/1 -> Gig1/2). According to Cisco, you can do this via the CLI or FMC gui, but through both methods, the option is missing.

Here's the documentation I'm following. Note: This is the FMC 6.7 guide but the same directions for changing MGMT to Data interface is present in the 7.3 guide, albeit the GUI directions are missing (or I can't find them).

Via CLI: Login and use command "configure network management-data-interface". This command is completely missing from our CLI

Via GUI: Navigate to Device > Management > click the link for FMC Access Interface. This "FMC Access Interface" link is missing from our GUI.

We are running the most recent versions, I believe it is 7.3 on FMC and 7.0.4 for our FPRs (I will have to verify this, we downloaded whatever Cisco gave us via FMC update manager). We have disabled local management when connecting to our FPRs to FMC.

If anyone can give me insight, if I'm missing some sort of software version or license, it would be greatly appreciated.

Thanks,

Re: Can't change Management Interface FPR 2130

Karsten Iwen — Tue, 17 Jan 2023 21:19:24 GMT

Could it be that you run your FTDs in HA? In this scenario it’s not possible to use the data interface.

Re: Can't change Management Interface FPR 2130

balaji.bandi — Tue, 17 Jan 2023 21:25:59 GMT

I am running 7.0.4 FMC and FTD - i can see we can setup Management only as below : (right now i am using outside interface - this is example screenshot) - or am i missing something here ?

Re: Can't change Management Interface FPR 2130

korkomando — Tue, 17 Jan 2023 22:00:14 GMT

@Karsten Iwen No, we have plans on using HA in the future but at the moment it is not configured on any devices.

@balaji.bandi On our end, the "Management Only" checkbox is greyed out on our 2110s and 2130s. Additionally, we don't see the "FMC Access" tab.

Re: Can't change Management Interface FPR 2130

balaji.bandi — Tue, 17 Jan 2023 22:41:38 GMT

My Setup is Virtual since you are using Physical tin, check Firepower chassis (FXOS)

https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/intro.html

Re: Can't change Management Interface FPR 2130

korkomando — Thu, 19 Jan 2023 16:36:21 GMT

To clarify, we have FMC running on a virtual machine and our Firewalls are physical. If I understand this documentation correctly, I can choose to run the Firewalls with an ASA operating system or run them with our current Threat Defense operating system. Considering that we spent a lot of money on FMC and Threat Defense licenses, I would like to find a solution where I can continue to use Threat Defense. Please correct me if I'm wrong.

Re: Can't change Management Interface FPR 2130

Marvin Rhoads — Thu, 19 Jan 2023 17:22:00 GMT

You can make this change as long as your Firepower release is 6.7 or higher. Can you verify your version of FMC and FTD, preferably with screen shot to confirm.

You need to make changes in the Interface, Manager access tab and well as in the Device (Management widget), both in FMC.

Re: Can't change Management Interface FPR 2130

korkomando — Wed, 15 Feb 2023 19:44:15 GMT

Sorry for the late response; this was our solution. I was under the incorrect assumption that FMC will update FPRs to the most recent version release. However, from what I read on your replies on other threads, it doesn't update past a major version release (we were stuck on 6.5) and that it would need to be manually staged.

To add to my confusion, I couldn't track down any cisco documentation stating that you needed 6.7 or above to make this change, I could only find documentation stating how to perform the configuration change on the 6.7 version documentation.

Thanks for the expedient responses. The issue is fixed and I learned a valuable lesson in making assumptions.

Re: Can't change Management Interface FPR 2130

korkomando — Wed, 22 Mar 2023 16:28:56 GMT

Marvin,

Not sure if this should be a new post but I'll write it here:

I'm facing a new issue where only one of the 2130s is using the it's newly assigned data-interface for management traffic. After switching everything over I kept the management port connection plugged in as it was a hassle to physically reach them. Later on when I was configuring a site-to-site VPN I was encountering a problem where traffic couldn't get across despite packet tracer and the 2130's CLI output both stating that the tunnel was up/active.

This led me to finally unplugging the management port connection during troubleshooting and I noticed that 3 out of the 4 (two separate tunnels, not HA) become unreachable when the management port is unplugged despite seeing link lights active.

After combing through the troubleshooting files I noticed a difference between the one working and the 3 that don't:

Working 2130 output:

Output of /usr/local/sf/bin/sfcli.pl show network: ===============[ System Information ]=============== Hostname : SiteA-FTD1 DNS Servers : 192.168.1.100 192.169.1.100 DNS from router : disabled Management port : 8305 IPv4 Default route Gateway : 192.168.200.1 Netmask : 0.0.0.0 ==================[ management0 ]=================== State : Enabled Link : Up Channels : Management & Events Mode : Non-Autonegotiation MDI/MDIX : Auto/MDIX MTU : 1500 MAC Address : x:A5:00 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.168.200.3 Netmask : 255.255.255.0 Gateway : 192.168.200.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers : Interfaces : Ethernet1/2 ==================[ Ethernet1/2 ]=================== State : Enabled Link : Up Name : Internal1 MTU : 1500 MAC Address : x:A5:25 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.168.200.5 Netmask : 255.255.255.0 ----------------------[ IPv6 ]---------------------- Configuration : Disabled

Non working 2130s:

Output of /usr/local/sf/bin/sfcli.pl show network: ===============[ System Information ]=============== Hostname : SiteA-FTD2 DNS Servers : 192.168.1.100 192.169.1.100 DNS from router : disabled Management port : 8305 IPv4 Default route Gateway : 192.168.200.1 Netmask : 0.0.0.0 ==================[ management0 ]=================== State : Enabled Link : Up Channels : Management & Events Mode : Non-Autonegotiation MDI/MDIX : Auto/MDIX MTU : 1500 MAC Address : x:17:80 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.168.200.4 Netmask : 255.255.255.0 Gateway : 192.168.200.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers : Interfaces : Ethernet1/2 ==================[ Ethernet1/2 ]=================== State : Enabled Link : Up Name : Internal1 MTU : 1500 MAC Address : x:17:A5 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.168.200.4 Netmask : 255.255.255.0 ----------------------[ IPv6 ]---------------------- Configuration : Disabled

Output of /usr/local/sf/bin/sfcli.pl show network: ===============[ System Information ]=============== Hostname : SiteB-FTD1 DNS Servers : 192.168.1.100 192.169.1.100 DNS from router : disabled Management port : 8305 IPv4 Default route Gateway : 192.169.200.1 Netmask : 0.0.0.0 ==================[ management0 ]=================== State : Enabled Link : Up Channels : Management & Events Mode : Non-Autonegotiation MDI/MDIX : Auto/MDIX MTU : 1500 MAC Address : x:41:80 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.169.200.5 Netmask : 255.255.255.0 Gateway : 192.169.200.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers : Interfaces : Ethernet1/2 ==================[ Ethernet1/2 ]=================== State : Enabled Link : Up Name : Internal1 MTU : 1500 MAC Address : x:41:A5 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.169.200.5 Netmask : 255.255.255.0 ----------------------[ IPv6 ]---------------------- Configuration : Disabled

Output of /usr/local/sf/bin/sfcli.pl show network: ===============[ System Information ]=============== Hostname : SiteB-FTD2 DNS Servers : 192.168.1.100 192.169.1.100 DNS from router : disabled Management port : 8305 IPv4 Default route Gateway : 192.169.1.1 Netmask : 0.0.0.0 ==================[ management0 ]=================== State : Enabled Link : Up Channels : Management & Events Mode : Non-Autonegotiation MDI/MDIX : Auto/MDIX MTU : 1500 MAC Address : x:FD:80 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.169.200.4 Netmask : 255.255.255.0 Gateway : 192.169.200.1 ----------------------[ IPv6 ]---------------------- Configuration : Disabled ===============[ Proxy Information ]================ State : Disabled Authentication : Disabled ======[ System Information - Data Interfaces ]====== DNS Servers : Interfaces : Ethernet1/2 ==================[ Ethernet1/2 ]=================== State : Enabled Link : Up Name : Internal1 MTU : 1500 MAC Address : x:FD:A5 ----------------------[ IPv4 ]---------------------- Configuration : Manual Address : 192.169.200.4 Netmask : 255.255.255.0 ----------------------[ IPv6 ]---------------------- Configuration : Disabled

The working one initially had the .3 address before we switched it over to a data-interface for management (after which we gave it the .5). The other 3 we kept the same address after switching from management to data.

Tomorrow I am going to attempt changing the address again to see if it will help it switch it over. My question is, 1) is that the correct thing to do and 2) Should I go out of my way to disable the management port? How would one do that? I assume disabling diagnostic0 from FMC isn't the same as disabling the management port.