05-18-2025 05:55 PM
Hi everyone, I am trying to migrate my Cisco Firepower 1010 Threat Defense running 7.4.2.1-30 to cdFMC.
I go through the migration wizard and get to the final step where the FTD registers with cdFMC, and it fails... I have had a case open with TAC for about 3 months trying to resolve this and they have been less than helpful, unfortunately.
They have determined that the FTD is failing to connect on port 8305 in the log below, but haven't helped me figure out why or how I can test it.
If anyone has any advice or help I would greatly appreciate it.
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [52415] sftunneld:sf_peers [INFO] Peer CDFMC-Name-removed-for-privacy.app.us.cdo.cisco.com needs a single connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [52415] sftunneld:sf_connections [INFO] Start connection to : CDFMC-Name-removed-for-privacy.app.us.cdo.cisco.com (registration state:1, wait 80 seconds is up)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_peers [INFO] Peer CDFMC-Name-removed-for-privacy.app.us.cdo.cisco.com needs a single connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to CDFMC-Name-removed-for-privacy.app.us.cdo.cisco.com on port 8305 - management0
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [2] entries on list [1] (via management0)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv6 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to 54.148.59.114 (via management0)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 54.148.59.114:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): 54.148.59.114
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to 54.148.59.114 failed on port 8305 socket 11 (Connection refused)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] No IPv4 connection to IP 54.148.59.114
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv6 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv6 connection from resolved_ip_list to 2600:1f14:26b3:5001:df39:b8b8:c0db:4d99 (via management0)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv6 connection to 2600:1f14:26b3:5001:df39:b8b8:c0db:4d99:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv6): Network is unreachable
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] No IPv6 connection to IP 2600:1f14:26b3:5001:df39:b8b8:c0db:4d99
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Unable to connect to all the provided IP address with the given management interface
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to CDFMC-Name-removed-for-privacy.app.us.cdo.cisco.com on port 8305 - tap_nlp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [2] entries on list [1] (via tap_nlp)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv6 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to 54.148.59.114 (via tap_nlp)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 54.148.59.114:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): 54.148.59.114
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to 54.148.59.114 failed on port 8305 socket 11 (Connection refused
07-10-2025 09:21 AM
You're dealing with a port connectivity issue during the Cisco FTD (Firepower Threat Defense) to CDFMC (Cloud-Delivered FMC) registration, specifically with port 8305/TCP failing to connect. The log is quite telling, and here's a breakdown and recommended steps to troubleshoot and resolve it.
What the Logs Tell Us
FTD is trying to connect to CDFMC over both IPv4 and IPv6.
IPv6 fails due to Network is unreachable.
IPv4 connection to 54.148.59.114 on port 8305 is refused:
Connect to 54.148.59.114 failed on port 8305 socket 11 (Connection refused).
This means:
DNS resolution is working.
The FTD can reach the IP, but the TCP handshake fails.
So it's not a DNS or basic routing issue, but a firewall, NAT, or access-list issue either on the path or at the target.
Checklist: What You Should Test or Review
1. Verify if port 8305 is allowed outbound
From the FTD management interface to the internet (specifically to 54.148.59.114), ensure there's no ACL, security policy, or upstream firewall blocking port 8305/TCP.
Run this from the FTD CLI:
> system support diagnostic-cli
# telnet 54.148.59.114 8305
Or, if telnet is not available:
# nc -zv 54.148.59.114 8305
If the port is open, you should see a successful connection. If it’s refused or times out, there's likely a block upstream (ISP, enterprise firewall, or NAT device).
2. Check if NAT is interfering
Since you're connecting to CDFMC (Cisco’s cloud), ensure there's no NAT device modifying or blocking the traffic. CDFMC expects specific traffic on specific ports from FTD.
Cisco recommends no deep inspection or NAT tampering for port 8305 traffic.
Ask:
Is the FTD behind a strict egress firewall?
Is there Outbound NAT or PAT?
Are you inspecting or proxying this traffic?
3. Check your egress firewall rules
Ensure the following IPs and ports are accessible from the FTD's management interface:
Service         | Destination FQDN / IP          | Port
CDFMC comms     | *.cdo.cisco.com                | 443, 8305
Smart Licensing | tools.cisco.com                | 443
Time sync       | ntp.ubuntu.com / NTP server    | 123/UDP
Make sure 8305/TCP is explicitly allowed in your outbound rules.
4. Are you behind a Proxy?
If your org uses a proxy for outbound traffic, CDFMC may bypass it for port 8305. Make sure this is allowed directly without interception.
Alternative Test From External Host (Sanity Check)
From any non-FTD device in the same network (e.g., a laptop or jumpbox on the same subnet):
curl -v telnet://54.148.59.114:8305
If you get Connection refused, then it's not just the FTD—your environment is blocking it or the destination isn’t listening.
Cisco Documentation Reference
Cisco’s public doc on CDFMC communication ports:
Cisco CDFMC Communication Requirements
They specifically mention 8305 must be allowed outbound and not deep-inspected.
Final Notes
Since you’ve been with TAC for 3 months, here's what to explicitly ask them or test with them:
Can they confirm the CDFMC endpoint is listening on 8305? (Sometimes cloud-side issues exist too.)
Can they provide a list of all required IP subnets and ranges used by CDFMC (instead of relying just on FQDNs)?
Can you provide a packet capture from FTD’s management interface to confirm if the SYN gets out?
Summary Next Steps
From FTD CLI, test outbound to 54.148.59.114:8305.
Confirm no egress firewall or NAT is blocking/modifying the traffic.
Validate DNS resolution and proxy settings.
Use packet captures (on FTD and upstream firewall).
Escalate with TAC and ask them to validate server-side listener on 8305.
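A small triage script, added here as an example (it is not from the original post, Cisco, or the sftunneld tool), that parses sftunneld lines of the shape shown in the question and groups each failed connection attempt by management interface, IP version, target address and failure reason, so the "refused on IPv4 vs. unreachable on IPv6" split the answer describes falls out directly. The sample log is constructed with documentation addresses and a placeholder hostname.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the sftunneld output in the post
# (hostname and addresses replaced with documentation values; not a real capture).
SAMPLE_LOG = """\
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to cdfmc.example.invalid on port 8305 - management0
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to 192.0.2.10 failed on port 8305 socket 11 (Connection refused)
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv6 connection to 2001:db8::10:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv6): Network is unreachable
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to cdfmc.example.invalid on port 8305 - tap_nlp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
Apr 8 01:47:29 1155-FTD SF-IMS[52389]: [26617] sftunneld:sf_ssl [INFO] Connect to 192.0.2.10 failed on port 8305 socket 11 (Connection refused)
"""

# One pattern per sftunneld message that marks a step of a connection attempt.
ATTEMPT = re.compile(r"Connect to (\S+) on port (\d+) - (\S+)$")            # which interface
TARGET = re.compile(r"Initiating IPv([46]) connection to (.+):(\d+)/tcp$")  # which IP
FAILED = re.compile(r"failed on port (\d+) socket \d+ \((.+)\)$")           # TCP-level error
UNREACH = re.compile(r"Unable to connect to port (\d+) \(IPv([46])\): (.+)$")  # no route

def parse_sftunneld(text):
    """Return (interface, ip_version, target_ip, reason) for every failed attempt."""
    attempts, iface, target = [], None, None
    for line in text.splitlines():
        if m := ATTEMPT.search(line):
            iface = m.group(3)                      # management0, tap_nlp, ...
        elif m := TARGET.search(line):
            target = (m.group(1), m.group(2))       # (ip_version, address)
        elif (m := FAILED.search(line)) and target:
            attempts.append((iface, target[0], target[1], m.group(2)))
            target = None
        elif (m := UNREACH.search(line)) and target:
            attempts.append((iface, m.group(2), target[1], m.group(3)))
            target = None
    return attempts

def summarize(attempts):
    """Group paths by failure reason. 'Connection refused' means the SYN was
    actively rejected (a RST came back from the target or a device in the path),
    while 'Network is unreachable' means the FTD had no route for that address
    family from this interface, so the SYN never left the box."""
    by_reason = defaultdict(set)
    for iface, ver, ip, reason in attempts:
        by_reason[reason].add((iface, f"IPv{ver}", ip))
    return {reason: sorted(paths) for reason, paths in by_reason.items()}
```

Feed the real sftunneld output to `parse_sftunneld` and print `summarize(...)`; if every IPv4 path ends in "Connection refused" on both interfaces, the next place to look is the egress path and the server-side listener, exactly as the checklist above suggests.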