topic Yes I am able to ping the sfr in Network Security

ASA 5506-x cannot connect to firepower module

jcopling1 — Tue, 12 Mar 2019 06:59:26 GMT

Hello All,

I have recently configured a 5506 with a firepower module. When attempting to connect to the module via ASDM, I am getting the error "Cannot connect to ASA Firepower module. Check that it is correctly configured and on the network..." I have made sure that the management port is connected to the same L2 switch that the ASA is connected to, and the IP is set to the same subnet as the Data(LAN) port.

Can anyone possibly throw out some suggestions on what may be the cause of not being able to connect to the firepower module? I'm assuming it is something simple, however as this is my first deploy I would greatly appreciate any input.

I have included a screenshot of the error I am getting, as well as the 'show network' output from the sfr module.

Thanks.

Justin

Whenever I had these problems

Karsten Iwen — Thu, 03 Dec 2015 21:01:19 GMT

Whenever I had these problems, they were always related to one of these three causes:

Management-Port not connected
Management-Port shutdown
Management-Port in the wrong VLan

Perhaps better recheck these.

Thank you so much for the

jcopling1 — Thu, 03 Dec 2015 21:11:52 GMT

Thank you so much for the quick reply!

I failed to mention that the customer has 2 switches on site. Now that you mention that it sounds entirely likely that they do not have the management port plugged in to the same switch as the inside interface. If they do not, would that also cause the same issue?

Thanks,

Justin

If both switches share the

Karsten Iwen — Thu, 03 Dec 2015 21:23:40 GMT

If both switches share the same VLANs and the connection between the switches also can transport the management-VLAN, then it should be fine. Can you ping the FP-Management-IP?

Yes both switches share the

jcopling1 — Fri, 04 Dec 2015 01:02:18 GMT

Yes both switches share the same vlan and the management port is connected to the same switch as the inside port.

The FP-management ip is pingable from the switch yes.

Can you ssh to the FP

Marvin Rhoads — Fri, 04 Dec 2015 02:47:06 GMT

Can you ssh to the FP-management address from the switch?

ssh -l admin 192.168.16.2

Unfortunately the switch is a

jcopling1 — Fri, 04 Dec 2015 02:53:29 GMT

Unfortunately the switch is a netgear "smart" switch and the only access I have to it is via the GUI. I am able to run the ping command from the switch however and I am successful.

I am able to connect to the SFR module and ping all of the IP's as well. I can provide any outputs that would be beneficial, I do not know much about this configuration so any help is appreciated.

Can you ping the sfr module

Marvin Rhoads — Fri, 04 Dec 2015 02:58:42 GMT

Can you ping the sfr module from the ASA?

In this setup the ASA itself should have no interface management 0/0 IP address (and no nameif) and that management interface should be exclusively used by the sfr module.

Yes I am able to ping the sfr

jcopling1 — Fri, 04 Dec 2015 03:08:05 GMT

Yes I am able to ping the sfr module from the ASA itself. I have included the config for the management interface as well as the ping result.

sh run int management 1/1
!
interface Management1/1
management-only
nameif Management
security-level 90
no ip address
DorseyASA# ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The 'inside' address is 192.168.16.254, which is also the DG of the module. The output of 'show network' from the SFR module is below:

> show network
===============[ System Information ]===============
Hostname : DoresyASA
Domains : example.net
DNS Servers : 75.75.75.75
76.76.76.76
Management port : 443
IPv4 Default route
Gateway : 192.168.16.254

======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode :
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 5C:83:8F:9B:FD:0A
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.16.1
Netmask : 255.255.255.0
Broadcast : 192.168.16.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

Are you indicating that in this scenario I should also remove the 'nameif Management' ?

You should have no nameif if

Marvin Rhoads — Fri, 04 Dec 2015 03:21:51 GMT

You should have no nameif if you're not using m1/1 for ASA management. I'm not sure that would cause the issue you're seeing though.

Where is your ASDM workstation coming from?

My ASDM session is connecting

jcopling1 — Fri, 04 Dec 2015 03:30:14 GMT

My ASDM session is connecting to the public facing ip, or the 'outside' interface, either one.

I have removed the nameif just for best practice as well.

Is it necessary to connect to the inside interface in order to get the firepower module connected? Could this be a problem if there is NAT on the external interface?

Ahh that makes sense.

Marvin Rhoads — Fri, 04 Dec 2015 04:52:11 GMT

Ahh that makes sense.

When using the embedded FirePOWER management in the ASA, ASDM will report the native IP address of the FirePOWER module. If you are coming from the outside, you will not likely be able to reach that address via your ASDM htttps session.

Either the 192.168.16.1 address is not reachable from outside via routing, is NATted with a global interface NAT, or is denied via the implict access-list denying traffic from lower security interfaces (or all three!).

Thanks Marvin! That was the

jcopling1 — Fri, 04 Dec 2015 14:16:40 GMT

Thanks Marvin! That was the issue, we are now good to go. Thanks again!