topic Thanks, I totally forgot in Network Security

FTD Registration Problem

ammann9113 — Tue, 12 Mar 2019 09:08:44 GMT

Hello everyone

I'm currently encountering a problem which really bugs me...

I have a 5506-X running with the FTD image (6.2) and everything (as far as I can tell) looks well. Except for one thing; the Smart License registration. I always get a error message, telling me I need to check my internet connectivity (for the mangement interface). I am able to access the internet through the ASA, I can ping Google from the ASA CLI, updates are being downloaded and installed every other day...

I've tried "Use the Data Interfaces as the Gateway" and a unique gateway for the management interface, all with the same result..

I need help.. 🙂 I don't even know where to find logs...

Thanks!

Here's the full error msg:

The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.

Does the 5506-X MANAGEMENT

Marvin Rhoads — Wed, 29 Mar 2017 15:19:17 GMT

Does the 5506-X MANAGEMENT interface have internet access? Simply reaching the Internet from the ASA isn't enough as that will normally use the outside interface.

well the mgmt interface isnt

ammann9113 — Wed, 29 Mar 2017 17:35:00 GMT

well the mgmt interface isnt cabled if you mean that. as far as i understood this is not necessary?

i ve tried both options, routing the mgmt interface through the inside interface (i dont remember the actual wording on this one, its the option where i dont have to configure anything else) and i ve tried pointing it to the next hop directly, both with the same result - no connectivity.

when i entered the gateway for the mgmt interface manually, i pointed it to the "outside next hop", maybe i should try to point it to the inside interface of the asa itself?

Get your management interface

Oliver Kaiser — Wed, 29 Mar 2017 20:45:02 GMT

Get your management interface into the same VLAN as your inside interface. Assign an ip address to it and set the gateway for your management interface to your inside interface.

This should do the trick.

Just did that.. and no trick

ammann9113 — Thu, 30 Mar 2017 06:47:37 GMT

Just did that.. and no trick done.. 😞

Management interface is now on the same VLAN as the inside interface. LAN connectivity is present. I've tried with "use data interface as gateway" and entering the gateway (IP of inside interface) manually. Always the same result; not able to contact the Smart Licensing server...

If you can, please share the

Marvin Rhoads — Thu, 30 Mar 2017 07:16:06 GMT

If you can, please share the output of "show network" from the FTD cli shell.

Is the DNS server that you have setup on the management interface reachable?

DNS server is reachable and

ammann9113 — Thu, 30 Mar 2017 07:40:48 GMT

DNS server is reachable and seems to be working correctly.. Here you go:

> show network
===============[ System Information ]===============
Hostname : <cut>
DNS Servers : 195.186.4.162
195.186.1.162
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.1

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:6B:F1:78:B7:03
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.254
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

That all seems OK.

Marvin Rhoads — Thu, 30 Mar 2017 08:01:40 GMT

That all seems OK.

Have you included the 192.168.1.0/24 subnet in your NAT rules?

Did you mean 192.168.100.0/24

ammann9113 — Thu, 30 Mar 2017 08:14:41 GMT

Did you mean 192.168.100.0/24?

I've noticed, that I only had the inside interface in my NAT rule. I changed that to "any" interface (with the 192.168.100.0/24 network), but nothing changed....

Yes - sorry I did mean 192

Marvin Rhoads — Thu, 30 Mar 2017 08:24:58 GMT

Yes - sorry I did mean 192.168.100.0/24.

It seems everything is in order.

Is it possible to open a TAC case or is this a lab / NFR device without support?

Yes it is a lab device... is

ammann9113 — Thu, 30 Mar 2017 08:41:00 GMT

Yes it is a lab device... is there any more detailed log I can look at? Since the "expert"-mode on CLI looks very Linux-ish, so I thought there has to be some log file hidden somewhere?

Well, since it is just a lab device and the config is done in like 15 minutes, I guess I'll save some time to factory reset the whole thing the next few days...

Given that it's 6.2, you

Marvin Rhoads — Thu, 30 Mar 2017 08:44:18 GMT

Given that it's 6.2, you should be able to use packet-tracer on it.

The syntax is pretty much the same as on the classic ASA code:

http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/dr.html#wp1842444451

Thanks, I totally forgot

ammann9113 — Thu, 30 Mar 2017 09:00:38 GMT

Thanks, I totally forgot about packet-tracer being back.. 🙂

And of course, packet-tracer is telling me, there is no route:

> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

A trace from the inside interface finds it's way to the internet...

I've added a screenshot of the mgmt interface config but of course, there is not much to it... I've also tried it with a manual gateway (IP of the inside interface) but this gives me the same packet-tracer output

I would expect the input

Marvin Rhoads — Thu, 30 Mar 2017 09:05:49 GMT

I would expect the input interface to be "inside" unless you have named it something different.

Well, the mgmt interface's

ammann9113 — Thu, 30 Mar 2017 09:17:57 GMT

Well, the mgmt interface's logical name is diagnostic? I can run packet-tracer from the inside interface (same if I just enter "inside" rather than the sub interface):

> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 509, packet dispatched to next module

Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

>
>
> packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53

packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
^
ERROR: % Invalid input detected at '^' marker.
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

>
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 669, packet dispatched to next module

The diagnostic interface is

Marvin Rhoads — Thu, 30 Mar 2017 09:29:15 GMT

The diagnostic interface is the original source but the packet should arrive on the data plane via your "inside_vlan_900 interface" and flow throught the FTD (or not) based on the policies configured.

It is really odd (possibly a bug?) that we see "Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet" even though the details showed the LINA (ASA code bits) inspection rules passed the packet.I wonder what would happen if you went in and disabled dns inspection - something like

policy-map global_policy
   class inspection_default
      no inspect dns

This should be possible with a flex-config.

I did a "configure inspection

ammann9113 — Thu, 30 Mar 2017 09:45:24 GMT

I did a "configure inspection dns disable", now the packet-tracer command from above runs without an error.

The license registration still fails though...

I have a 5506-X that I've

Marvin Rhoads — Thu, 30 Mar 2017 10:01:39 GMT

I have a 5506-X that I've been meaning to update to Smart license vs the eval mode it had been in.

I will lab it up as soon as I get some time and let you know my results.

Thanks a lot, Marvin! Have a

ammann9113 — Thu, 30 Mar 2017 10:51:07 GMT

Thanks a lot, Marvin! Have a good day!

For anybody, that might be

ammann9113 — Mon, 15 May 2017 14:57:28 GMT

For anybody, that might be interested...

I finally found the time to re-image my ASA. And with that, the problem was gone. Same version, same settings but I finally was able to register my device.