topic Re: Firepower 1010 FQDN resolve issue for CDO in Network Security

Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Fri, 19 Jan 2024 09:34:01 GMT

Moring/Afternoon/Evening all

Been given a Firepower 1010 to setup and we are going to be using it with Cisco Defense Orchestrator but i'm having issues with the device being seen by CDO.

This is likely going to be something simple but i've been looking at it all week and now just blinded i feel.
Nothing fancy in the setup... ISP router set static into interface1/1
will have a printer into one of the interfaces and 2 AP's in the POE interfaces and that is pretty much it.

Testing i've connected an AP and a laptop and both get an IP address from DHCP and access the internet fine but... NTP servers cannot be reached, i've tried default and customs.

Trying to link to the CDO (which is currently trying to claim the device) gives the error "failed to resolve cloud services FQDN. Check network connectivity and DNS config and retry".

Added a few pictures, if you need anything else then let me know and i'll grab it.

I do have a case open with Cisco but with the time difference, i'm trying to see if i can get it resolved as it must be something stupid i'm missing. i did ask the tech if it was anything to do with NAT/Access/Static routing but he said it all was fine...

Thanks for any help with this as its driving me insane.

Re: Firepower 1010 FQDN resolve issue for CDO

MHM Cisco World — Fri, 19 Jan 2024 09:41:47 GMT

failed to resolve cloud services FQDN<<-
can I see show network
show manager
MHM

Re: Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Fri, 19 Jan 2024 10:26:58 GMT

Re: Firepower 1010 FQDN resolve issue for CDO

MHM Cisco World — Fri, 19 Jan 2024 10:31:27 GMT

can you ping these DNS server appear in show network ?
MHM

Re: Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Fri, 19 Jan 2024 10:37:10 GMT

> ping 208.67.222.222
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
> ping 208.67.220.220
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 208.67.220.220, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
> ping 2620:119:35::35
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 2620:119:35::35, timeout is 2 seconds:
No route to host 2620:119:35::35

seems like can't ping the last one

Re: Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Fri, 19 Jan 2024 11:48:09 GMT

Sorted it...
Under "management interface" Use Unique Gateways for the Management Interface was selected.

switched to the other option and now i'm connected up to CDO and greens across the board.

Re: Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Fri, 19 Jan 2024 18:01:30 GMT

that said... now the devices are not getting internet access now... they get an IP address in the DHCP range. CDO can see and has onboarded the FPR1010.

feel like i'm missing something now with routing or access control

Re: Firepower 1010 FQDN resolve issue for CDO

PeyLawro — Tue, 23 Jan 2024 12:21:02 GMT

@MHM Cisco World

any idea's??

got the device back onto CDO using 7.2.5 FTD

Devices are getting an ip address but no internet traffic is going through.
tried changing default action to trust traffic in access control but still no internet traffic.

Re: Firepower 1010 FQDN resolve issue for CDO

AHack210 — Wed, 28 Feb 2024 14:23:31 GMT

From your show managers output It looks like you are using FDM to manage? Or did you use FDM to onboard to cdFMC and that is now the manager?
Also looking at the tshooting above, I would offer the following advice:
To test MANAGEMENT plane internet access and dns resolution, be it using the management port or the data-plane for management default gateway, use the keyword "system". Without "system", you are testing the data-plane's connectivity.
ping system 8.8.8.8
ping system cisco.com