topic FTD: Unable to reach FQDNs in the Internet in Network Security

FTD: Unable to reach FQDNs in the Internet

swscco001 — Tue, 10 Dec 2024 08:48:50 GMT

Hello everybody,

our customer has 1 cluster of two Firepower 1120 running rel. 7.4.2.1
managed by the FMCv running rel. 7.4.2.1 too.

The Health Monitor shows the error message:
Cisco Cloud Configuration - Unable to reach Cisco Cloud from the device. Please check the network connection..
for both devices.

The firewalls can resolve FQDNs in th Internet:

admin@firepower:~$ nslookup api-sse.cisco.com Server: 192.168.100.25 Address: 192.168.100.25#53 Non-authoritative answer: api-sse.cisco.com canonical name = api-sse.cisco.com.akadns.net. Name: api-sse.cisco.com.akadns.net Address: 54.166.161.63 Name: api-sse.cisco.com.akadns.net Address: 3.82.76.181 Name: api-sse.cisco.com.akadns.net Address: 2600:1f18:56c:200a:48c5:ffc1:9e69:b18a Name: api-sse.cisco.com.akadns.net Address: 2600:1f18:56c:200b:d1e:17aa:513b:e947

It can ping IP addresses in the Internet:

> ping 8.8.8.8 Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But when I try to ping FQDNs in the Internet the ping responds with "U" (unreachable):

> ping intelligence.sourcefire.com Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 2620:28:c000:0:aba:ca:daba:58, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5) > ping www.google.com Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 2a00:1450:4016:80c::2004, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5)

What is going wrong here?

Every hint is welcome.

Thanks a lot!

Bye
Rene

Re: FTD: Unable to reach FQDNs in the Internet

MHM Cisco World — Tue, 10 Dec 2024 08:56:14 GMT

Show network <<- in ftd' check dns server you add

Remember this dns not for user traffic it for ftd.

MHM

Re: FTD: Unable to reach FQDNs in the Internet

Rob Ingram — Tue, 10 Dec 2024 09:29:33 GMT

@swscco001 you are pinging from the data interface, have you configured the DNS servers in the Platform Settings Policy which is assigned to that FTD cluster? https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-platform.html#id_74914

Re: FTD: Unable to reach FQDNs in the Internet

swscco001 — Wed, 11 Dec 2024 08:50:19 GMT

Hi Rob,

thanks for your reply!

Every other customer get the error message of missing access of the firewalls to the
Cisco cloud 😞

I followed the Cisco guide:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217616-troubleshoot-cisco-cloud-configuration.html

I used the DNS server 192.168.100.25 that I found in the Platform Settings of the FMC
for the configuration of the network of the Firewall CLI.

> show network ===============[ System Information ]=============== Hostname : firepower DNS Servers : 8.8.8.8 192.168.100.25 208.68.222.222 DNS from router : disabled Management port : 8305 IPv4 Default route Gateway : 192.168.18.254 ...

This was used when I try a nslookup:

dmin@firepower:~$ nslookup api-sse.cisco.com Server: 192.168.100.25 Address: 192.168.100.25#53 Non-authoritative answer: api-sse.cisco.com canonical name = api-sse.cisco.com.akadns.net. Name: api-sse.cisco.com.akadns.net Address: 54.166.161.63 Name: api-sse.cisco.com.akadns.net Address: 3.82.76.181 Name: api-sse.cisco.com.akadns.net Address: 2600:1f18:56c:200a:48c5:ffc1:9e69:b18a Name: api-sse.cisco.com.akadns.net Address: 2600:1f18:56c:200b:d1e:17aa:513b:e947

I can ping IP-Adresses in the Internet:

> ping 208.67.222.222 Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

But at FQDNs I get back "U" (unreachable), and no ".":

> ping api-sse.cisco.com Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 2600:1f18:56c:200b:d1e:17aa:513b:e947, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5) > ping www.google.com Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 2a00:1450:4016:80c::2004, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5)

This is hard to understand.

Do you have any explanation?

Thanks a lot!

Bye
R.

Re: FTD: Unable to reach FQDNs in the Internet

Rob Ingram — Wed, 11 Dec 2024 09:31:34 GMT

@swscco001 "show network" is showing information related to the mgmt interface (not the data interface). You are pinging from the data interface. If you have the mgmt interface connected, you run a ping using the command "ping system <fqdn>".

So are you saying you do have a Platform Setting policy that is applied to this FTD? Can the FTD reach the DNS server 192.168.100.25 via it's data interface?

Re: FTD: Unable to reach FQDNs in the Internet

swscco001 — Wed, 11 Dec 2024 13:36:13 GMT

Hi Rob,

with your hints I could bring the traffic from the management-IF through a firewall to the Internet and the error message in the FMC disappeared.

Thanks a lot!

Bye
R.

Re: FTD: Unable to reach FQDNs in the Internet

MHM Cisco World — Wed, 11 Dec 2024 14:07:23 GMT

what was problem ? and what is solution?
it seem that the DNS is missing from mgmt interface, or I am wrong ?

MHM