https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404087#M925854 <P>Dear Yogdhanu,</P> <P>&nbsp;</P> <P>&nbsp;</P> <PRE>The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific rule will not match because the interface does not exist on that device.</PRE> <P>&nbsp;</P> <P>so what I understand is the secondary SFR&nbsp;device which is&nbsp;shown in the screenshot have those interfaces and&nbsp;the primary sfr doesn't have, this is what the deployment error is mentioning ???</P> <P>&nbsp;</P> <P>My firewall 5525-X is in failover mode and working perfect for failover, so this means that all the interfaces are sync and also the sensor are in device group, so whenever the deployment happens it applies to both, but still I get the error why???</P> <P>&nbsp;</P> <P>Is it&nbsp;some think that identity policy is not created properly ?? Please find the attached identity policy</P> <P>Thanks</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 22 Jun 2018 18:04:29 GMT adamgibs7 2018-06-22T18:04:29Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3402969#M925852 <P>Dears,</P> <P>Please find the attached,</P> <P>In the communication ports list what is the host input client&nbsp;refers&nbsp;as a &nbsp;bidirectional traffic to FMC, actually what is host input client ??? and what does bidirectional means ??? what I understand by bidirectional is traffic initiated by host to the FMC on port 8307 and the return traffic should come back&nbsp;from FMC&nbsp; Please correct me if I m wrong ????</P> <P><FONT color="#ff0000"><STRONG>&nbsp;OR IT MEANS</STRONG></FONT></P> <P>Bidirectional means that both the host input client and FMC&nbsp; can initiate a traffic on destination port 8307.</P> <P>Also I would like to know the inbound is referred as destined traffic to FMC and outbound is referred as destined traffic to the remote host ( ldap, radius server etc etc ), Please correct me if I m wrong.</P> <P>&nbsp;</P> <P>Also&nbsp;please find the attached&nbsp;error when I deploy the configuration to the Firepower.</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 21 Feb 2020 15:54:16 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3402969#M925852 adamgibs7 2020-02-21T15:54:16Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3403004#M925853 <P>Hi</P> <P>&nbsp;</P> <P>The communication between FMC and its managed sensor is on TCP port 8305 and not on 8307.</P> <P>Its should be open bidirectional which means sensor/FTD can initiate connection on 8305 to FMC and vice versa.</P> <P>8307 is not needed for policy deployment. You can get more details from this link about host input client.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/host_identity_sources.html?bookSearch=true#ID-2219-000004f9" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/host_identity_sources.html?bookSearch=true#ID-2219-000004f9</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/60/api/host-input/HostInputAPIGuide/Configuring-HostInputClient.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/60/api/host-input/HostInputAPIGuide/Configuring-HostInputClient.html</A></P> <P>&nbsp;</P> <P>The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific&nbsp; rule will not match because&nbsp; the interface does not exist on that device.</P> <P>You can still proceed with deployment though.</P> <P>&nbsp;</P> <P>Rate it helps,</P> <P>Yogesh</P> Thu, 21 Jun 2018 01:07:55 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3403004#M925853 yogdhanu 2018-06-21T01:07:55Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404087#M925854 <P>Dear Yogdhanu,</P> <P>&nbsp;</P> <P>&nbsp;</P> <PRE>The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific rule will not match because the interface does not exist on that device.</PRE> <P>&nbsp;</P> <P>so what I understand is the secondary SFR&nbsp;device which is&nbsp;shown in the screenshot have those interfaces and&nbsp;the primary sfr doesn't have, this is what the deployment error is mentioning ???</P> <P>&nbsp;</P> <P>My firewall 5525-X is in failover mode and working perfect for failover, so this means that all the interfaces are sync and also the sensor are in device group, so whenever the deployment happens it applies to both, but still I get the error why???</P> <P>&nbsp;</P> <P>Is it&nbsp;some think that identity policy is not created properly ?? Please find the attached identity policy</P> <P>Thanks</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 22 Jun 2018 18:04:29 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404087#M925854 adamgibs7 2018-06-22T18:04:29Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404318#M925855 <P>Hi</P> <P>&nbsp;</P> <P>Its possible that 1 of the SFR does not have correct interface zone mapping. Please be aware that FMC treats both sfr as individual device. So the interface zone mapping has to be done manually on both.</P> <P>Once that's done, than you should not get error.</P> <P>Not sure about identity policy question.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Yogesh</P> <P>&nbsp;</P> Sat, 23 Jun 2018 08:00:09 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404318#M925855 yogdhanu 2018-06-23T08:00:09Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404591#M925856 <P>thanks for the hints and suggestions</P> <P>&nbsp;</P> Sun, 24 Jun 2018 20:46:28 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3404591#M925856 adamgibs7 2018-06-24T20:46:28Z https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3712571#M925857 <P>Hi Just wanted to trigger this thread with a doubt.Using here an ASA w/ FP services</P> <P>We are unable to deploy policy on the sensor getting error message&nbsp; -&nbsp;</P> <P>Deployment failed due to configuration error. If problem persists after retrying contact Cisco TAC.</P> <P>I am getting this is due to devices being in disabled state under device management, if yes how to enable them.</P> <P>Also&nbsp;have an alarm under health for missing appliance&nbsp;heartbeats.</P> <P>Do provide your insights. Thanks.</P> Tue, 25 Sep 2018 03:47:12 GMT https://community.cisco.com/t5/network-security/fmc-communication-ports-amp-deployment-error/m-p/3712571#M925857 mssgrocsupport 2018-09-25T03:47:12Z