请问，“route DMZ” 内的DMZ 是指路由接口所属区域，还是自定义昵称字段。

这是基本的ASA/FTD CLI路由配置，因此DMZ会转发到子网可通过的接口。

我已经部署了OSPF 让该设备学习了到达FMC的路由，但为什么这台设备还是显示禁用状态，无法被管理。

您能否从FMC ping通FTD?您能否从FMC CLI通过tcp/8305端口telnet至FTD。  另请记住，如果此管理流量通过另一个防火墙，则需要允许从FTD到端口tcp/8305上FMC的流量。

我的两台ftd 在运行ha ftd-A 无法ping通 fmc ftd-b 也无法ping通fmc A-B之间可互通。 但是B可以被FMC管理。。。 一直找不到问题，FTD-A 和B 是相同配置。

您能否提供网络图？显示IP以及这些设备如何连接到网络以及它们之间的关系。

从FTD执行ping操作时，您将从数据接口执行ping操作，因此，如果访问规则中不允许此流量，则不允许该流量。因此更好的测试是从FMC ping。

那么，FTD和FMC之间是什么？  路由器、另一个防火墙，还是它们位于同一子网中（这作为路由问题开始时值得怀疑）？

由于FTD B可以管理，因此问题很可能不是路由。  您给FTD A的管理IP是什么？  您说A和B具有相同的配置，这是否意味着您为FTD A提供的IP与您在B上配置的IP相同？  如果是，这就是你的问题。  FTD A需要单独的IP。

如果FMC与FTD A和B之间的路径中有任何防火墙或访问列表，则您还需要检查是否允许流向FTD A的流量。

我在fmc上使用ping 提示：ping: icmp open socket: Operation not permitted

我的网络拓扑







FTD_A

FTD-A

> show network
===============[ System Information ]===============
Hostname : ASCHZXS-12F-JF-A02-FW-2110-01
DNS Servers : 172.169.18.8
Management port : 8305
IPv4 Default route
Gateway : 172.17.3.254

==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : CC:7F:76:B1:73:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.17.2.10
Netmask : 255.255.254.0
Broadcast : 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

> �

> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.1 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.1 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.2 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.67 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.75 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.82 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.90 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> �



> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 172.17.10.67 YES CONFIG up up
Ethernet1/2 172.17.10.75 YES CONFIG up up
Ethernet1/3 172.17.10.82 YES CONFIG up up
Ethernet1/4 172.17.10.90 YES CONFIG up up
Ethernet1/5 172.17.7.2 YES CONFIG up up
Ethernet1/6 172.17.7.10 YES CONFIG down down
Ethernet1/7 172.17.7.18 YES CONFIG down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.1 YES unset up up
Ethernet1/12 2.2.2.1 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up up
Management1/1 unassigned YES unset up up
>�



> show failover state

State Last Failure Reason Date/Time
This host - Primary
Standby Ready None
Other host - Secondary
Active None

====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set

> �


FTD-B


> show network
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 172.169.18.8
Management port : 8305
IPv4 Default route
Gateway : 172.17.3.254

==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : AC:3A:67:52:57:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.17.2.11
Netmask : 255.255.254.0
Broadcast : 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled


> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 172.17.10.66 YES CONFIG up up
Ethernet1/2 172.17.10.74 YES CONFIG up up
Ethernet1/3 172.17.10.81 YES CONFIG up up
Ethernet1/4 172.17.10.89 YES CONFIG up up
Ethernet1/5 172.17.7.1 YES CONFIG up up
Ethernet1/6 172.17.7.9 YES CONFIG down down
Ethernet1/7 172.17.7.17 YES CONFIG down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.2 YES unset up up
Ethernet1/12 2.2.2.2 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up up
Management1/1 unassigned YES unset up up


> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.2 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.2 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.1 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.66 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.74 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.81 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.89 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> show failover
descriptor exec history interface state statistics |

> show failover state

State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Standby Ready Comm Failure 09:58:15 UTC Jun 1 2022

====Configuration State===
Sync Done
====Communication State===
Mac set

> �

要从FMC ping，您需要成为根用户，因此您需要登录cli，进入专家模式，然后sudo su -

您能否在两个FTD上发出命令show managers?

FTD-A 172.17.2.10 (无法被管理 主 非活动）
> show managers
Type : Manager
Host : 172.16.1.31
Registration : Completed

>
�FTD-A 172.17.2.11 (被管理 辅 活动）
> show managers
Type : Manager
Host : 172.16.1.31
Registration : Completed

>
�

FMC-SSH

Last login: Fri Jun 24 04:46:39 2022 from 172.17.3.68

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.7 (build 53)

>

configure Change to Configuration mode
exit Exit this CLI session
expert Invoke a shell
show Change to Show Mode
system Change to System Mode

> expert
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$ ping 172.17.2.10
ping: icmp open socket: Operation not permitted
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$

�

要从FMC发出ping，您需要具有根权限，(sudo su -)

但是，根据show managers的输出，FMC已成功注册到FTD设备。

但是FMC上显示该FTD是已禁用状态，无法被管理。

 

我想尝试在FTD-CLI上做一条any any的配置，看是否是由于策略原因导致，FTD-A无法连接到FMC，在CLI下应该怎么去写这样一条策略并保存使其生效。

由于我是后接管的该设备，该FTD在2021年的11月断开连接。

或者我该如何寻求远程技术支持。