topic Re: You're welcome. in Network Security

Firepower Management center

nasser2002_2005 — Tue, 12 Mar 2019 09:41:58 GMT

Hi everyone,

When i try to add the firepower sensor to FMC it shows this massage (Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection.)

the registration keys ok , their is ping between the fmc and sensor and the firepower service is version 6.2.0 and the FMC its also 6.2.0 and i install Hotfix A 6.2.0.1 successfully.

sh version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

--------------------------------------------------------------------------------------------------

1# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

> show version
---------------------[ gpgsfr ]---------------------
Model : ASA5525 (72) Version 6.2.0 (Build 362)

Rules update version : 2016-03-28-001-vrt
VDB version : 271
----------------------------------------------------

Can you confirm that you can

Marvin Rhoads — Thu, 13 Jul 2017 16:43:11 GMT

Can you confirm that you can ssh from one to the other (FMC to the module and vice versa)?

Also, if there is a firewall between them at all, verify that tcp/8305 is allowed. That is the required port that must be open bidirectionally. You should be able to initiate a telnet connection from either end and specify port 8305 to verify it.

Hi marvin,

nasser2002_2005 — Thu, 13 Jul 2017 19:28:56 GMT

Hi marvin,

there is telnet connection from either. what do you mean about last part (specify port 8305 to verify it)

verify that tcp/8305 is allowed (could you please explain more )

again thank you very mach

i notice that there is no

nasser2002_2005 — Thu, 13 Jul 2017 19:48:01 GMT

i notice that there is no ping petween the fmc and firepower

If there's no ping (icmp),

Marvin Rhoads — Fri, 14 Jul 2017 04:34:50 GMT

If there's no ping (icmp), there's likely no tcp as well.

Fix that issue first. The most common cause is mis-configuration of the networking on the module. The second most common is an intervening network firewall that either blocks the communications or NATs one or the other address.

I mentioned using telnet to check tcp 8305 becasue that is the tcp port that is used between FMC and its managed sensors.

From the bash shell (underlying Linux cli for both FMC and FirePOWER module) you simply start a telnet session and specify the (non-standard for telnet) port 8305. (telnet usually uses tcp/23).

telnet <remote address> 8305

On a FirePOWER module sensor you need to first switch to expert mode to get into the bash shell.

Thank you Mr. Marvin

nasser2002_2005 — Fri, 14 Jul 2017 05:10:55 GMT

Thank you Mr. Marvin

it working now the issue was mis-configuration ,

I have question. shell I register the 2 ASA ( primary and secondary ) on the FMC with different firepower ip .

thank you again .

You're welcome.

Marvin Rhoads — Fri, 14 Jul 2017 05:14:46 GMT

You're welcome.

Yes - each ASA FirePOWER module reuires a unique address and must be individually registered to the managing FMC (and license applied from FMC).

Remember the FirePOWER modules themselves have no knowledge of the ASA HA pair.

We can then logically put them in a device group and, when creating policy, assign both modules to the same policy. That's one of the advantages of using FMC - create one policy and deploy to multiple managed sensors.

man your helping me a lot

nasser2002_2005 — Fri, 14 Jul 2017 05:25:53 GMT

man your helping me a lot

Mr. Marvin

im intern level how I can create policy and assign both modules to the same policy.

could you please explain to me ?

one more thing I have health massage on FMC (Interface 'DataPlaneInterface0' is not receiving any packets) (by the way I did not assign outside ip)

thank you again .

You're welcome.

Marvin Rhoads — Fri, 14 Jul 2017 05:51:31 GMT

You're welcome.

The configuration guide covers setting target devices for an Access Contorl Policy here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/getting_started_with_access_control_policies.html#ID-2176-000002e6

Dataplane0 is the internal connection between the ASA data path and the FirePOWER module. The dataplane error is most often seen in two conditions:

1. There is no service policy in the ASA redirecting traffic to the FirePOWER module. Make sure you have created and applied one per the following guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-150498

2. The secondary ASA in an HA pair is not normally processing any traffic and thus gives us that condition. (The same thing would apply if the whole ASA pair was in a lab or otherwise not processing any traffic through the box.)

Re: You're welcome.

John Roshek — Mon, 12 Mar 2018 15:46:50 GMT

I believe that because Firepower is not HA aware and you have an HA configuration and monitoring Interface dataplane0 you are receiving this error. Do not monitor interface dataplane0 in an HA configuration, the error will disappear.

Re: Can you confirm that you can

Tess238 — Thu, 27 Oct 2022 15:29:51 GMT

is the ssh connection mandatory for FMC to make connection with the sensor?

Re: Can you confirm that you can

Marvin Rhoads — Thu, 27 Oct 2022 18:32:42 GMT

@Tess238 no ssh is needed. We sometimes use it for testing when the required communications are in doubt.

What's required is tcp/8305, initiated from either end. FMC-FTD and vice versa use that port for sftunnel which is used for both management and eventing. At the higher layer it is using TLS 1.2.

Re: Firepower Management center

Chuck Reimer — Fri, 28 Oct 2022 16:48:37 GMT

I've seen issues like this and syncing the time either manually or NTP fixed the issue. Not sure if this would apply in your case

topic Re: You're welcome. in Network Security

Firepower Management center

Cisco Adaptive Security Appliance Software Version 9.8(1)Firepower Extensible Operating System Version 2.2(1.47)Device Manager Version 7.8(1)

> show version---------------------[ gpgsfr ]---------------------Model : ASA5525 (72) Version 6.2.0 (Build 362)Rules update version : 2016-03-28-001-vrtVDB version : 271----------------------------------------------------

Can you confirm that you can

Hi marvin,

i notice that there is no

If there's no ping (icmp),

Thank you Mr. Marvin

You're welcome.

man your helping me a lot

You're welcome.

Re: You're welcome.

Re: Can you confirm that you can

Re: Can you confirm that you can

Re: Firepower Management center

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

> show version
---------------------[ gpgsfr ]---------------------
Model : ASA5525 (72) Version 6.2.0 (Build 362)

Rules update version : 2016-03-28-001-vrt
VDB version : 271
----------------------------------------------------