topic Re: FMC and FTDv in Network Security

FMC and FTDv

Felixsson1 — Thu, 17 Aug 2023 23:22:32 GMT

Hi,

I would really appreciate someone's help. I spent too much time and having no clue what's wrong..

I have a setup of simple lab in EVE-NG. I've added a static IP to Firepower6 FMC (version 7.2.0) and works normally. I've tried adding a static IP and over DHCP to Firepower6 FTD (version 6.2.0) and it also works ok. Ping from PC to FTD and FMC goes through. In expert mode both of the devices can ping each other, PC, Google DNS.. But I got stuck with adding the FTD to the FMC. Always after 2min 6sec I get and error saying "FTD-1: Registration timed out. Please check connectivity and registration id".

Connectivity is ok, key is def ok. I've also tried adding a static route to the br1 interface pointing to the FMC but without success.

> show network
===============[ System Information ]===============
Hostname : ftd.local
DNS Servers : 8.8.8.8
4.2.2.2
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.1

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:50:00:00:09:01
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.101
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

> show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down up
GigabitEthernet0/1 unassigned YES unset administratively down up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 169.254.1.1 YES unset up up
Management0/0 unassigned YES unset up up

admin@ftd-felix:~$ ifconfig br1
br1 Link encap:Ethernet HWaddr 00:50:00:00:09:01
inet addr:192.168.100.101 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::250:ff:fe00:901/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:1974 errors:0 dropped:0 overruns:0 frame:0
TX packets:1517 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:177519 (173.3 KiB) TX bytes:231782 (226.3 KiB)

I've also tried switching from QEMU Nic tpl(e1000) to e1000, vmxnet3 and few others but again without success. In some of them instead of br1 it's eth0 but still the same issue. What I'm doing wrong?

Re: FMC and FTDv

Marvin Rhoads — Fri, 18 Aug 2023 04:15:10 GMT

When you do "ping system 192.168.100.100" from FTD what do you get?

Also try from expert mode as root user on FTD "telnet 192.168.100.100 8305".

If both of those work, from FMC as root user try "telnet 192.168.100.101 8305".

(The control channel between the two devices uses tcp/8305, initiated from either end for various purposes.)

Re: FMC and FTDv

Felixsson1 — Fri, 18 Aug 2023 08:09:14 GMT

Hi Marvin,

Thanks for the reply.

1.) Ping from FTD to 192.168.100.100 is ok.

2.) Telnet from FTD 192.168.100.100 8305 doesn't work. Says "connection refused".

3.) Telnet from FMC to FTD over TCP 8305 goes through.

EDIT:

On FTD:

admin@ftd-felix:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.100.101:8305 0.0.0.0:* LISTEN -

On FMC:

admin@fmc-felix:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)

Re: FMC and FTDv

Marvin Rhoads — Fri, 18 Aug 2023 10:38:24 GMT

So it appears the sftunnel process on FMC is down or otherwise not listening on tcp/8305. You can try to restart just that process:
pmtool restartbyid sftunnel
...or restart the whole FMC to get it going again. If both those fail, then a TAC case is likely in order.

Re: FMC and FTDv

Felixsson1 — Fri, 18 Aug 2023 12:45:45 GMT

I've tried restarting the process but with no help. Also the same thing with restarting the FMC. TAC case is not an option, don't have a support with this one.

I've tried with 4 different FMC versions and I'm getting the same problem. I can accept it with one or two but on 4 different FMC images versions.. uhh

EDIT: I've found an issue. Sftunnel si running but the .conf file is corrupted.

root@fmc-felix:/Volume/home/admin# pmtool status | grep -i sftunnel
Required by: SFDataCorrelator,UIMP,TSS_Daemon,HostInput_Daemon,sfestreamer,estreamer-sftunnel,fpcollect,Syncd,expire-session,Pruner,fireamp,stunnel,ActionQueueScrape,PerlMessageHandler,update_snort_attrib_table,snapshot_manager,SFTop10Cacher,query_scheduler,VaultApp,HealthAlertServer,EventHandler
sftunnel (system) - Running 5377
Command: /usr/local/sf/bin/sftunnel -d -f /etc/sf/sftunnel.conf
PID File: /var/sf/run/sftunnel.pid
Enable File: /etc/sf/sftunnel.conf
Required by: sfmgr,sfmbservice,estreamer-sftunnel,sfipproxy
Command: /usr/local/sf/bin/sfmgr -d -f /etc/sf/sftunnel.conf
Enable File: /etc/sf/sftunnel.conf
Requires: sftunnel
Command: /usr/local/sf/bin/sfmbservice -d -f /etc/sf/sftunnel.conf
Enable File: /etc/sf/sftunnel.conf
Requires: sfmb,sftunnel
estreamer-sftunnel (normal) - Running 6040
Command: /usr/local/sf/bin/sfestreamer --nodaemon --sftunnel
PID File: /var/sf/run/estreamer-sftunnel.pid
Requires: mysqld,sftunnel
Requires: sftunnel

-rw-r--r-- 1 root root 1474 Aug 17 09:45 sftunnel.conf.CORRUPT

Re: FMC and FTDv

Marvin Rhoads — Fri, 18 Aug 2023 12:50:21 GMT

Perhaps inquire in the EVE-NG forums. I've not had this problem on over 100 FMCs that I've worked with, both virtual and physical.

Re: FMC and FTDv

Felixsson1 — Sat, 19 Aug 2023 00:31:49 GMT

I'll do that. But what is more strange to me about the whole situation is that I've tried with at least 5-6 different versions of FMCs and I've also tried in GNS3 but without luck.

Re: FMC and FTDv

Rob Ingram — Sun, 20 Aug 2023 14:18:27 GMT

@Felixsson1 wrote:

Hi,

I would really appreciate someone's help. I spent too much time and having no clue what's wrong..

I have a setup of simple lab in EVE-NG. I've added a static IP to Firepower6 FMC (version 7.2.0) and works normally. I've tried adding a static IP and over DHCP to Firepower6 FTD (version 6.2.0) and it also works ok. Ping from PC to FTD and FMC goes

@Felixsson1 do you mean FTD version 6.2.0? You cannot manage FTD 6.2.0 with FMC version 7.2. FMC 6.6 is the last version that can manage FTD 6.2.X

Checkout the compatibility guide:- https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/requirements.html

Re: FMC and FTDv

Felixsson1 — Tue, 22 Aug 2023 21:52:11 GMT

Hi Rob,

Thank you for the info, I wasn't aware of that. I have them both fully operational. Thanks!