topic Re: FTD not registering to FMC in Network Security

FTD not registering to FMC

wazzfi — Thu, 15 Aug 2024 06:33:20 GMT

FTD: 3130

FMC: 1700

FMC on-net and in HA with databases synchonised. Time set correctly.

FTD management interface is on the same subnet as FMC. Only interface connected is management interface.

FTD can ping FMC and FMC can ping FTD.

Try to add FTD as a device to FMC and it times out.

Registration timed out. Please check connectivity and registration id

Time on FTD is configured with NTP but that connectivity isnt there yet, so time is incorrect. Is this the issue? If so - how do you statically define a time on the FTD to allow it to join the FMC?

Thanks in advance.

Re: FTD not registering to FMC

Mark Elsen — Thu, 15 Aug 2024 06:46:15 GMT

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe84715

Re: FTD not registering to FMC

Rob Ingram — Thu, 15 Aug 2024 06:48:25 GMT

@wazzfi check the logs, that will confirm the issue.

From the CLI of the FTD enter expert mode
Enter the command sudo tail -f /ngfw/var/logs/messages

You can check if the registration details are correct using

sudo tail -f /etc/sf/sftunnel.conf

What version of FMC and FTD are you running? The FMC has to support the version the FTD is running, the FTD cannot be a newer version than the FMC is running.

Re: FTD not registering to FMC

wazzfi — Thu, 15 Aug 2024 07:08:27 GMT

Thanks Rob

Is there a recommended version at the moment? Is there a compatibility matrix I need to follow or is simply having the FMC higher than the FTD be sufficient?

Re: FTD not registering to FMC

Rob Ingram — Thu, 15 Aug 2024 07:34:20 GMT

@wazzfi the FTD just cannot be a higher/newer version than the FMC. For the 3130 7.2.8 is the current recommended version, else 7.4.2.

Re: FTD not registering to FMC

wazzfi — Sun, 18 Aug 2024 22:56:00 GMT

OK so the FMC is now running 7.4.2 and the FTD is running 7.2.3.

Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [77314] sftunneld:sf_connections [INFO] Start connection to : <FMC IP> (wait 80 seconds is up)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_peers [INFO] Peer <FMC IP> needs a single connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - management0
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via management0)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via management0)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> failed on port 8305 socket 8 (Connection refused)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - tap_nlp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via tap_nlp)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via tap_nlp)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:27 <hostnmae> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:36 <hostnmae> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [WARN] Unable to connect to peer '<FMC IP>'
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] reconnect to peer '<FMC IP>' in 80 seconds

and seems like the manager details arent written into the database?

sudo tail -f /etc/sf/sftunnel.conf
Password:
};
peers_registered
{
}
peers_pending
{
}
peers_routed
{
}

Re: FTD not registering to FMC

Rob Ingram — Mon, 19 Aug 2024 05:09:00 GMT

@wazzfi you added the command configure manager add <ip address> <key>? If you then run the command show managers it should show the configuration.

Take a tcpdump from the FMC side, filter on the IP address of the FTD and see what communication there is when you attempt to register the FTD from the FMC GUI.

Is the FMC behind a NAT and another firewall that could be affecting the communication?

Re: FTD not registering to FMC

Marvin Rhoads — Mon, 19 Aug 2024 05:23:59 GMT

You are adding at both ends, correct? i.e., "configure manager add..." at FTD and adding the FTD management IP via the FMC GUI.

Re: FTD not registering to FMC

wazzfi — Mon, 19 Aug 2024 05:31:37 GMT

Hi team.

Thank you for all of the support.

Issue is fixed - I added the nat reference at the end of the "configure manager add..." statement and it worked. I dont know why but it did. Perhaps because the FW is in routed mode?

Thank you again.

Re: FTD not registering to FMC

MHM Cisco World — Mon, 19 Aug 2024 19:36:47 GMT

hi friend can you more elaborate your solution
if both ftd and fmc same subnet so there is no need NAT

or I am wrong

MHM

Re: FTD not registering to FMC

wazzfi — Mon, 19 Aug 2024 21:41:59 GMT

100% do not disagree with you, mate. The FMC and FTD MGMT interfaces were in the same subnets. They refused to work until I added the NAT key. I saw this in another online post and tried it out.

Re: FTD not registering to FMC

MHM Cisco World — Mon, 19 Aug 2024 21:52:12 GMT

maybe you use dhcp in one of them ?

this can explain the NAT keyword

Re: FTD not registering to FMC

wazzfi — Mon, 19 Aug 2024 22:12:51 GMT

Na didnt use DHCP, static IPs configured on MGMT interface.