05-30-2017 02:11 AM - edited 06-04-2019 02:30 AM
I am connected via VPN to the FirePOWER Single Chassis sandbox.
Only the ESXi host and Windows 2012 server are accessible.
The FirePOWER chassis, ASA logical device and inside/outside Windows 2008 servers are all inaccessible. Even trying to access them from within the RDP session to the sandbox Server 2012 instance fails.
05-30-2017 03:26 AM
Marvin,
We are looking at the issue now and will get back to you today.
Regards,
Joe
05-31-2017 08:44 PM
Did you all ever find anything? I haven't received any update.
06-01-2017 02:42 AM
Hi Marvin
I looked at this yesterday and resolved the issues. Some clarification:
1) All the interfaces on the Firepower port channels will become active at the start of a session (data port channels for Standalone and Data/cluster port channels for Clustered).
2) To access the ESXi cluster with the inside and outside servers, you need to connect to these through the Windows 2010 R2 server (10.10.20.49). The VMware vSphere client is installed on this server and can be used to access the ESXi interface. Once this is loaded, the inside and outside servers are displayed. These inside/outside servers cannot be directly accessed when connected to VPN. You need to connect to the ESXi host first.
Please reserve the environment now and check on the above. If you have more questions or concerns, please post them on this thread.
Regards,
Joe Kearns
06-04-2017 03:47 AM
Thanks Joe. I am now able to log into the FirePOWER chassis manager.
There is still an open issue with the ASA logical device. This is something I have raised with the Smart Licensing team in several venues - to no avail to date.
When we install an ASA logical device on a FirePOWER 4100 series, by default it has only the DES encryption license. We need to change that to 3DES-AES in order to use the web UI to launch ASDM.
The error we see is:
10.10.20.41 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
You can run Wireshark on the internal Windows 2012 server and see that the SSL handshake fails due to the ASA not supporting secure ciphers (i.e. 3DES or stronger).
In order to get that license we need to register the FirePOWER chassis with the Cisco Smart License server and then assign a base and a 3DES-AES license to the ASA. I have a Smart license account and can generate a new token for the chassis but since the FirePOWER chassis does not have Internet connectivity, we cannot complete these steps.
I was able to confirm this is the case via SSH into the 4110 chassis and then connecting to the ASA logical device CLI. See the output below, specifically the line near the end that says:
Encryption-3DES-AES : Disabled
[c:\~]$ ssh admin@10.10.20.30
Connecting to 10.10.20.30:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Cisco FPR Series Security Appliance
Successful login attempts for user 'admin' : 11
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2017, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.
Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.
Firepower1-A#
Firepower1-A#
Firepower1-A#
Firepower1-A#
Firepower1-A# connect module
WORD Module-Id (Min size 0, Max size 510)
Firepower1-A# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
Firepower-module1>
Firepower-module1>connect asa
Connecting to asa console... hit Ctrl + A + D to return to bootCLI
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 96.2
Copyright (c) 1996-2016 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!.
Cryptochecksum (unchanged): a5cb99bc a47f8375 8536c470 07e35bad
INFO: Power-On Self-Test in process.
.......................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Type help or '?' for a list of available commands.
asa> en
Password:
asa# show ver
Cisco Adaptive Security Appliance Software Version 96.2(0)89
Device Manager Version 7.6(2)
Compiled on Mon 22-Aug-16 23:07 PDT by daudo
System image file is "disk0:/fxos-lfbff-k8.2.1.1.66.SPA"
Config file at boot was "startup-config"
asa up 16 mins 7 secs
SSP Slot Number: 1
Hardware: FPR4K-SM-12, 58038 MB RAM, CPU Xeon E5 series 2194 MHz, 1 CPU (24 cores)
Encryption hardware device : Cisco FP Crypto on-board accelerator (revision 0x1)
Boot microcode : CN35x-MC-Boot-0001
SSL/IKE microcode : CNN35x-MC-SSL-0014
IPSec microcode : CNN35x-MC-IPSEC-0005
Number of accelerators: 1
4099: Int: Internal-Data0/0 : address is 0015.a500.00bf, irq 11
4101: Int: Internal-Data0/1 : address is 0015.a500.00ff, irq 10
4102: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 10
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Botnet Traffic Filter : Enabled
Cluster : Enabled
Serial Number: FLM2006EQE3
Configuration has not been modified since last system restart.
asa#
asa# show license all
Smart licensing enabled: Yes
Compliance status: Out of compliance
Overall licensed status: Invalid (0)
No entitlements in use
Serial Number: FLM2006EQE3
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 10
Carrier : Disabled
AnyConnect Premium Peers : 10000
AnyConnect Essentials : Disabled
Other VPN Peers : 10000
Total VPN Peers : 10000
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 10000
Botnet Traffic Filter : Enabled
Cluster : Enabled
***************************************************************************
* WARNING *
* *
* THIS DEVICE IS NOT LICENSED WITH A VALID FEATURE TIER ENTITLEMENT *
* *
***************************************************************************
asa#
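The licensing state Marvin reads off the ASA by eye above is something a practitioner would want to check mechanically across a fleet, since an ASA with "Encryption-3DES-AES : Disabled" will fail every modern browser's TLS handshake exactly as described (ERR_SSL_VERSION_OR_CIPHER_MISMATCH). The following is an added example and not code from any thread participant or from Cisco: it parses the "show license all" text quoted in the post (embedded here as a trimmed, constructed sample) and reports the two conditions that explain the ASDM failure. The "In compliance" value used in the healthy sample is an assumption, not taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the "show license all" output quoted in the thread.
SAMPLE_OUT_OF_COMPLIANCE = """\
Smart licensing enabled: Yes
Compliance status: Out of compliance
Overall licensed status: Invalid (0)
No entitlements in use
Serial Number: FLM2006EQE3
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Disabled
Security Contexts : 10
Cluster : Enabled
***************************************************************************
* WARNING *
* THIS DEVICE IS NOT LICENSED WITH A VALID FEATURE TIER ENTITLEMENT *
***************************************************************************
"""

# Constructed sample of a registered chassis; the "In compliance" wording is an assumption.
SAMPLE_HEALTHY = """\
Smart licensing enabled: Yes
Compliance status: In compliance
Serial Number: PLACEHOLDER-SERIAL
License mode: Smart Licensing
Licensed features for this platform:
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Cluster : Enabled
"""

# "Name : Value" or "Name: Value"; the lazy name group stops before the separating colon.
KV_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9 /\-]*?)\s*:\s*(?P<value>.+?)\s*$")


def parse_show_license(text: str) -> Dict[str, Dict[str, str]]:
    """Split 'show license all' output into a header section and a licensed-features section."""
    header: Dict[str, str] = {}
    features: Dict[str, str] = {}
    in_features = False
    for line in text.splitlines():
        if line.strip() == "Licensed features for this platform:":
            in_features = True
            continue
        if line.startswith("*"):
            break  # trailing warning banner carries no key/value data
        m = KV_RE.match(line)
        if not m:
            continue  # e.g. "No entitlements in use"
        target = features if in_features else header
        target[m.group("name")] = m.group("value")
    return {"header": header, "features": features}


def check_strong_crypto(parsed: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means ASDM over HTTPS should be reachable."""
    findings: List[str] = []
    crypto = parsed["features"].get("Encryption-3DES-AES", "")
    if crypto.lower() != "enabled":
        findings.append(
            "Encryption-3DES-AES is %s: the ASA offers only DES-grade TLS ciphers, "
            "which browsers reject (ERR_SSL_VERSION_OR_CIPHER_MISMATCH)" % (crypto or "absent")
        )
    status = parsed["header"].get("Compliance status", "")
    if "out of compliance" in status.lower():
        findings.append(
            "Compliance status is '%s': register the chassis with Smart Licensing "
            "and assign a base plus 3DES-AES entitlement" % status
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("sandbox", SAMPLE_OUT_OF_COMPLIANCE), ("healthy", SAMPLE_HEALTHY)):
        for finding in check_strong_crypto(parse_show_license(sample)) or ["no findings"]:
            print("%s: %s" % (label, finding))
```

On a real chassis the same text would be captured from the ASA console session shown above and fed to parse_show_license; the check deliberately keys on the feature line rather than the warning banner, because the banner wording is not a stable interface.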
06-06-2017 03:00 AM
Marvin,
Thanks for bringing this to my attention.
I will get the license updated and let you know.
Joe
06-23-2017 06:50 AM
Hi Joe,
Have you been able to resolve this issue yet?
Thanks for your continued support.
07-04-2017 03:55 AM
Joe,
Can you provide any update on this issue?
Thanks,
Marvin