topic Re: FTD to remote FMC register problem in Network Security

FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:01:21 GMT

i am trying to register my FTD to my remote FMC by this guide with manual method

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/ftd-fmc-remote.html#task_imq_yw3_b3b

but when i am adding my FTD to FMC i got error Registration timed out. Please check connectivity and registration id

I have configured outside static ip address in FTD as managment interface and also registration id and nat id. FMC is behind the nat and I can ping FTD outside ip.

On FTD i configured manager with command "configure manager add DONTRESOLVE secret123 natid123" as i dont have directly access to FMC. I tried to registrer FTD with IP and NAT ID both, without IP only with NAT ID and also without NAT ID only with static IP but everytime fails. Can you help me?

Re: FTD to remote FMC register problem

Rob Ingram — Wed, 17 Jan 2024 19:05:29 GMT

@sherali mamatkarimov check the logs from the from the CLI of the FTD enter expert mode and enter the command sudo tail -f /ngfw/var/logs/messages

tcp/8305 is allowed inbound/outbound to/from the FMC?

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:10:47 GMT

Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_radius_auth: Could not open configuration file /etc/raddb/server: No such file or directory
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:06:07 fpr-02 sudo: admin : TTY=ttyS0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tail -f /ngfw/var/log/messages

Jan 17 19:06:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:18 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket

Jan 17 19:06:29 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket

Jan 17 19:06:38 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket

Jan 17 19:06:49 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:00 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:07:21 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:33 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:44 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:05 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:08:13 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:23 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:34 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:46 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket

Here is log

Should i add from any to any allow to port 8305 is it unsafe? And should i close 8305 after registring?

Re: FTD to remote FMC register problem

Rob Ingram — Wed, 17 Jan 2024 19:12:48 GMT

@sherali mamatkarimov you have to leave tcp/8305 that is how the FMC and FTD communicate to deploy policy and send event logs etc. You could limit the communication on the FTD in front of the FMC to restrict communication to the FMC from known networks. The communication over tcp/8305 is encrypted.

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:15:31 GMT

i have opened 8305 port from anywhere to anywhere but still fails here is my netstat from FMC

And here from FTD

Re: FTD to remote FMC register problem

Rob Ingram — Wed, 17 Jan 2024 19:19:16 GMT

@sherali mamatkarimov you need to check the firewall logs of the FTD protecting the FMC and confirm traffic is or is not permitted. You can use the capture-traffic command and filter on tcp/8305 to confirm the communication.

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:25:03 GMT

there is not connections with port 8305 how can i permit it from CLI?

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 19:30:11 GMT

what is interface you use to register FTD to FMC ?
Mgmt or OUTside data interface ?

MHM

Re: FTD to remote FMC register problem

Rob Ingram — Wed, 17 Jan 2024 19:30:11 GMT

@sherali mamatkarimov You do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/

Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:32:08 GMT

Outside interface

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 19:37:50 GMT

Perfect
are the FMC IP you use is behind NAT?
MHM

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 19:40:29 GMT

Yes FMC IP is behind NAT

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 19:44:30 GMT

> configure manager add DONTRESOLVE Cisco-123 nat123

then try this in FTD using key and NAT ID
MHM

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 19:46:18 GMT

> configure manager add DONTRESOLVE Cisco-123 nat123

use this in FTD and check
MHM

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 20:02:58 GMT

I have configured as you have write but fails, i have added FTD without IP address but with register and nat id

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 20:05:57 GMT

One side must not use IP here fmc behind NAT so did you try above command ? Dis you use same key and NAT-ID in fmc side ?

MHM

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 20:06:14 GMT

@Rob Ingram написал (-а):
@sherali mamatkarimovYou do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/
Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?

In that case FTD and FMC are in one subnet, but in my case FMC remote and i cant see capture traffic as i am going to connect to FMC not by managment0 interface

Re: FTD to remote FMC register problem

sherali mamatkarimov — Wed, 17 Jan 2024 20:08:22 GMT

Of course using same key and NAT ID yes i tried do as you have written))

Re: FTD to remote FMC register problem

Rob Ingram — Wed, 17 Jan 2024 20:12:08 GMT

@sherali mamatkarimov you can capture on the FTD traffic in front of the FMC (the firewall that is natting the traffic and permitting the connections), you can system support firewall-engine-debug as you would troubleshooting any other connection issue - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Or you can run tcpdump on the FMC, you can check the events in the FMC if you filter on the remote FTD.

Re: FTD to remote FMC register problem

MHM Cisco World — Wed, 17 Jan 2024 20:16:05 GMT

then did you use
configure network management-data-interface<<- please read about this command before you apply it
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/device_management_basics.html

again read about this command before apply
thanks
MHM