topic FTD Won’t Register to FMC After Upgrade? Check TLS Settings in Network Security

FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Alain Nohra — Sun, 23 Nov 2025 15:09:58 GMT

Hi All,

After certain FMC and FTD upgrades, it is possible to encounter a situation where the FTD fails to register back to the FMC even though all connectivity checks appear normal. FMC and FTD can reach each other, port 443 is open, and the sftunnel process shows as UP on both sides. Despite this, the registration may remain stuck during the discovery phase for an extended period (sometimes 30 minutes or more) before ultimately failing. In many cases, FMC may also report the error “Could not establish sftunnel connection” even though the tunnel is active.

A deeper inspection using pigtail traces during the registration attempt typically reveals a repeating error on both FMC and FTD:

SSL Handshake failed

This indicates that the issue is not related to basic IP reachability or routing, but rather to a failure during the TLS negotiation phase of the sftunnel.
It is important to note that the sftunnel communication between FMC and FTD uses TCP port 8305 on the FMC side. Even if this port is reachable and the tunnel comes up, the registration can still fail if the TLS parameters do not match.

In the observed scenario, the root cause was a TLS version mismatch in the sftunnel configuration files. After the upgrade, the FMC was configured to enforce TLS 1.2, while the FTD was using TLS 1.3. This mismatch causes the SSL handshake to fail silently, preventing the discovery phase from progressing even though sftunnel is operational.

To resolve this issue, the sftunnel.conf file on both the FMC and FTD should be inspected from expert mode:

vim /etc/sf/sftunnel.conf

Inside the proxyssl section, the FTD may show an entry such as:

proxy_tls_version TLSv1.3;

This needs to be aligned with the FMC setting, typically:

proxy_tls_version TLSv1.2;

Once the TLS version is corrected to match the FMC, saving the file and restarting the sftunnel service allows the registration process to complete successfully.

In summary, when FMC–FTD registration fails after an upgrade—especially when connectivity, reachability, and sftunnel status appear normal—verify that both devices use the same TLS version in:

/etc/sf/sftunnel.conf

Ensuring TLS alignment resolves the SSL handshake failure and allows the FTD to register with the FMC without further issues. This check is particularly useful when port 8305 is open and the tunnel indicates an UP state, yet registration continues to fail.

Hope this saves someone hours of troubleshooting!

Re: FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Marvin Rhoads — Mon, 24 Nov 2025 03:04:49 GMT

What versions of FMC and FTDv displayed this behavior for you?

Re: FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Alain Nohra — Mon, 24 Nov 2025 09:16:15 GMT

i faced the same issue twice, when upgrading the FTD from 7.0.x to 7.2.x and currently i faced it when i upgraded the FMC to 7.6.2 and the FTD to 7.4.2 (FTD model: 2130)

Re: FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Marvin Rhoads — Mon, 24 Nov 2025 11:23:45 GMT

Thanks for that info @Alain Nohra . FWIW I have upgraded many, many FMCs and FTDs and have not encountered the behavior you are describing. It sounds like a bug and I am wondering if there are certain conditions that trigger it.

Re: FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Alain Nohra — Mon, 24 Nov 2025 13:03:29 GMT

Thanks for the follow-up, Marvin.
The first occurrence of this behavior was observed last year during an upgrade from FTD 7.0.x to 7.2.x. After extensive troubleshooting and eliminating all the usual causes—reachability, sftunnel status, certificates, ports, and pigtail traces—the TLS mismatch was identified in the sftunnel.conf files. Adjusting the TLS version so both FMC and FTD matched resolved the issue immediately, without the need to open a TAC case at that time.

A second occurrence took place very recently with a customer deployment. The FMC was running 7.6.2, while the FTD (2130 appliance) was upgraded from 7.2.5 to 7.4.2. After the upgrade, the FTD consistently failed to register. A TAC case was opened, and a total of six Cisco engineers joined the session, but the problem did not reveal itself through standard diagnostics—sftunnel was up, FMC reachable, certificate paths intact, and no obvious network or policy issues.

Based on the previous experience, the suggestion was made to check the TLS version within the sftunnel.conf on both FMC and FTD. The FMC was configured for TLS 1.2, while the newly upgraded FTD was using TLS 1.3. After aligning the TLS version on both sides, the registration succeeded immediately.

So although the behavior does not appear to be widespread, it has been observed in different upgrade paths and different code trains (7.0 → 7.2 and 7.2.5 → 7.4.2 on FMC 7.6.2). This suggests that under certain conditions, the TLS configuration in sftunnel.conf may not remain consistent across upgrades, leading to silent SSL handshake failures even when the sftunnel process reports as up.

Re: FTD Won’t Register to FMC After Upgrade? Check TLS Settings

Sheraz.Salim — Mon, 24 Nov 2025 13:41:17 GMT

Thats very interesting observation. thanks for sharing this. I thought initially you having/could be an issue with certificate. but I started looking into it more and yes your issue is not documented in any public domain. hence, I find few so worth sharing it. I also noted the public cisco documentation is mentioned of TLS1.2 but no where TSL1.3

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center-4600/222464-renewal-of-fmc-sftunnel-ca-certificate-f.html

https://www.cisco.com/c/en/us/support/docs/field-notices/742/fn74214.html