12-20-2018 02:54 PM - edited 02-21-2020 08:35 AM
Hello All,
When attempting to Register a new SFR Module to our FMC I receive the message: "Could not establish a connection with device."
I know for sure the reg key is correct and I am able to ping each device from the other without issue.
The FMC device is located in our HQ and the SFR Module is located across WAN in a DR location. Also, I had no problems registering 2 other SFR modules which were located in the same physical location as the FMC.
I tried the "telnet <fmc_ipaddress> 8305" command from the SFR Module to the FMC, and receive the following message:
admin@ASASFR3:~$ telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused
Log from /var/log/messages shows:
admin@ASASFR3:~$ tail -f /var/log/messages
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:55608/tcp
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:55608/tcp (socket 11)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 44 seconds is up)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] ClamUpd, time to check for updates
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:58792/tcp
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [17403] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:58792/tcp (socket 11)
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Any ideas on what the issue could be here? I have rebooted the FMC as well as re-installed SFR module on the ASA and it didn't seem to help.
Any thoughts or suggestions would be greatly appreciated.
Thanks in Advance,
Matt
12-20-2018 03:00 PM - edited 12-20-2018 03:02 PM
go into your firewall box ASA
and console to sfr
give this command
configure manager delete
then again
configure manager add <FireSIGHT MC IP> <Registration Key>
then try to register the sfr in FMC again.
12-20-2018 03:02 PM
Thanks for the reply.
I've actually tried that a few different times now using different reg keys, but none made a difference.
Thanks again,
Matt
12-20-2018 03:04 PM
please could you confirm the ASA model no and ASA software, FMC software version and SFR version
12-21-2018 09:46 AM
ASA5515: ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC
ASA Version: 9.4(4)20
SFR Module: 6.2.3-83
FMC Server:
-Matt
12-20-2018 07:02 PM
Hi,
Check compatibility between FMC and firepower module. Most new ASA firewalls come with firepower 5.4 which is not compatible with FMC running 6.x. You will need to upgrade the firepower module using ASDM to at least 6.1 and add to FMC.
You can see the compatibility list at the following url:
https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html
Thanks
John
12-21-2018 09:50 AM
12-21-2018 11:00 AM
After attempting to Register the device again, the netstat command shows the following:
FMC = 192.168.2.20
HQ ASA Primary SFR: 192.168.2.57
HQ ASA Secondary SFR: 192.168.2.58
DR ASA Primary SFR: 10.50.123.57
*The last one listed above is the one I'm trying to Register...
From the FMC VM:
admin@firepower:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.2.20:8305 0.0.0.0:* LISTEN -
tcp 0 2515 192.168.2.20:59999 10.50.123.57:8305 ESTABLISHED -
tcp 0 2178 192.168.2.20:8305 10.50.123.57:50367 ESTABLISHED -
tcp 0 0 192.168.2.20:54469 192.168.2.57:8305 ESTABLISHED -
tcp 0 0 192.168.2.20:51725 192.168.2.58:8305 ESTABLISHED -
tcp 0 0 192.168.2.20:60542 192.168.2.58:8305 ESTABLISHED -
tcp 0 0 192.168.2.20:46581 192.168.2.57:8305 ESTABLISHED -
From SFR Module:
admin@ASASFR3:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 10.50.123.57:8305 0.0.0.0:* LISTEN -
tcp 0 0 10.50.123.57:50367 192.168.2.20:8305 ESTABLISHED -
tcp 0 0 10.50.123.57:8305 192.168.2.20:59999 ESTABLISHED -
Here's /var/log/messages from both:
SFR Module:
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 4 seconds is up)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 failed on port 8305 socket 11 (Connection refused)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] No IPv4 connection to 192.168.2.20
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.168.2.20'
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 24 seconds
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:59999/tcp
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:59999/tcp (socket 11)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 24 seconds is up)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 21 18:47:15 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:49974/tcp
Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15229] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:49974/tcp (socket 11)
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
From FMC:
admin@firepower:~$ tail -n 1000 /var/log/messages
Dec 21 18:45:06 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_ADD to register 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8104
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8121
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX initialized for 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_ADD 10.50.123.57 to register
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is 192.168.2.20 (key '192.168.2.20') on eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy
Dec 21 18:45:06 firepower SF-IMS[30494]: [30494] sfmbservice:sfmb_service [INFO] sfmbservice received SIGHUP
Dec 21 18:45:06 firepower SF-IMS[30496]: [30496] ipproxy:ipproxy [INFO] Got HUP signal, re-reading configuration
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.57 over eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.57 (6.2.3)
Dec 21 18:45:07 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv4(192.168.2.20) eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:45:13 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.58 over eth0
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.58 (6.2.3)
Dec 21 18:45:28 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:50367/tcp
Dec 21 18:45:28 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:50367/tcp (socket 35)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:process [INFO] Started store_whitelist_history (1094)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:log [INFO] Process 'store_whitelist_history' closed output.
Dec 21 18:46:12 firepower SF-IMS[4823]: [4823] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for ip verify_peer=1 verifyhost=0
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for dns verifypeer=1 verifyhost=0
Dec 21 18:46:31 firepower Someone connected to me, receiving data...
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 8, msg_len = 10
Dec 21 18:46:31 firepower process_msg : Received IPC message type : 12
Dec 21 18:46:31 firepower Response being sent to SAM : �
Dec 21 18:46:31 firepower , len(msg being sent) = 2575
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower Connection closed...
Dec 21 18:46:31 firepower Waiting for someone to connect to me...
Dec 21 18:47:05 firepower SF-IMS[5471]: [5842] SFDataCorrelator:Correlator [INFO] Purging 1 expired IP hosts (query time: 0.003 sec.)
Dec 21 18:47:08 firepower SF-IMS[30493]: [30516] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:09 firepower SF-IMS[30493]: [30518] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.123.57' in 0 seconds
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:47:47 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:48:02 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] Process received SIGHUP
Dec 21 18:48:02 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:35903/tcp
Dec 21 18:48:02 firepower SF-IMS[30492]: [1500] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:35903/tcp (socket 35)
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/kill -s USR1 5440
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] Locking SFDataCorrelator
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:ControlHandler [INFO] Handling control connection from sudo_user '', cmd '/usr/bin/perl /usr/local/sf/bin/ActionQueueScrape.pl', pid 1560 (uid 0, gid 0)
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] DCEControlMessageReconfigure
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize Host limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Host limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize User limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] User limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Event Rate Limit set to 5000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] Pausing Event handlers
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] DomainControl: Initialized 1 domains including 1 netmaps
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/sftunnel.conf /etc/sf/.sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/iftool
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] free_peer 10.50.123.57.
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_REMOVED 10.50.123.57 pending
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free not connected peer 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] >> ChannelState free_peer peer 10.50.123.57 / channelA / NONE [ msgSock & ssl_context ] <<
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] >> ChannelState free_peer peer 10.50.123.57 / channelB / NONE [ msgSock & ssl_context ] <<
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57 on exit
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is 192.168.2.20 (key '192.168.2.20') on eth0
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy
12-22-2018 02:17 PM
Came across this link; it might be helpful for you:
https://www.grandmetric.com/2018/04/23/troubleshoot-fmc-firepower-sensor-communication/
However, could you try to uninstall the SFR in the ASA and re-install a fresh copy? It might fix the issue, as I have searched for this error with no success.
sf_ssl [ERROR] Connect:SSL handshake failed
Seems like it could be some cipher issue, with the FMC and SFR not agreeing.
Or, if you have Cisco TAC, open a case with Cisco.
01-07-2019 09:51 AM
Sorry for the delay. With the Holidays I was out of the office for a while and then there was an issue with the SSD. After I uninstalled the sfr module and then tried to re-install, there were a bunch of read/write I/O errors showing on the ASA. So I reloaded the ASA and after it came back up, it was no longer even recognizing the ASA was attached.
So I was finally able to get someone in that location to remove and re-seat the SSD Drive and it was recognized again. So I then re-installed SFR and attempted to add the SFR module/sensor to the FMC and I am still getting the same results.
The one thing that really sticks out is the "Connect:SSL handshake failed" error message shown below, even though at one point in the log it says connection successful...
Jan 7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Jan 7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Jan 7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Jan 7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Jan 7 17:23:36 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Jan 7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Jan 7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Jan 7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan 7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Jan 7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Jan 7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan 7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
From my laptop, I am able to run the command "telnet <sfr-ip-address> 8305" and it appears to connect just fine. But, I get a connection refused when trying the telnet command to the FMC. Is 8305 only used on the sensor?
> telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused
Any thoughts would be greatly appreciated!
-Matt
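The log lines discussed above record two separate stages per sftunneld worker thread: the TCP connection on port 8305, then the SSL handshake on top of it. The following is an added example, not part of the original posts and not Cisco tooling; it reuses SFR log lines posted earlier in this thread, and the function name and record fields are assumptions of the example.

```python
import re
from datetime import datetime

# Lines copied from the SFR module log (Dec 21) posted earlier in this thread.
SAMPLE_LOG = """\
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 failed on port 8305 socket 11 (Connection refused)
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:59999/tcp
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:59999/tcp (socket 11)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 21 18:47:15 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
"""

# timestamp, worker thread id (second bracket), message text
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ SF-IMS\[\d+\]: \[(\d+)\] "
    r"sftunneld:\w+ \[\w+\] (.*)$"
)
TCP_UP = re.compile(
    r"^(?:Connected to|Processing connection from) (\d+\.\d+\.\d+\.\d+):(\d+)"
)
TCP_REFUSED = re.compile(
    r"^Connect to (\S+) failed on port (\d+) .*\(Connection refused\)"
)
TLS_TIMEOUT = re.compile(r"^Wait SSL_(?:connect|accept)_nb: TIMEOUT TO COMPLETE")
TLS_FAILED = re.compile(r"^(Connect|Accept):SSL handshake failed")


def classify_failures(log_text, year=2018):
    """Return one record per failed attempt, naming the stage that failed.

    Syslog timestamps carry no year, so `year` is an assumption used only
    to build datetimes for computing elapsed seconds.
    """
    tcp_up = {}        # thread id -> (time TCP came up, role, peer)
    timed_out = set()  # thread ids that logged a handshake timeout
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sftunneld line (CloudAgent, sudo, ...)
        stamp, thread, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

        if (hit := TCP_REFUSED.match(msg)):
            # Failure before any SSL traffic: nothing accepted the socket.
            records.append({"thread": thread, "stage": "tcp", "role": "connect",
                            "peer": f"{hit.group(1)}:{hit.group(2)}",
                            "reason": "refused", "seconds_after_tcp": None})
        elif (hit := TCP_UP.match(msg)):
            role = "connect" if msg.startswith("Connected") else "accept"
            tcp_up[thread] = (when, role, f"{hit.group(1)}:{hit.group(2)}")
        elif TLS_TIMEOUT.match(msg):
            timed_out.add(thread)
        elif (hit := TLS_FAILED.match(msg)):
            # TCP was up on this thread; the handshake over it did not finish.
            started = tcp_up.pop(thread, None)
            elapsed = int((when - started[0]).total_seconds()) if started else None
            records.append({
                "thread": thread, "stage": "tls",
                "role": hit.group(1).lower(),
                "peer": started[2] if started else None,
                "reason": "timeout" if thread in timed_out else "failed",
                "seconds_after_tcp": elapsed,
            })
            timed_out.discard(thread)
    return records


if __name__ == "__main__":
    for rec in classify_failures(SAMPLE_LOG):
        print(rec)
```

Run against the full /var/log/messages from both sides, the per-thread records separate attempts that never got a TCP session from attempts where TCP was established and the handshake then timed out.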
01-07-2019 09:56 AM
Well, it seems like it's refusing the connection. Your best bet is to open a TAC case if you have a contract.
01-08-2019 08:58 AM
It could be that your hard disk is faulty, as it sounds from reading your description of the struggle with the SFR.
01-07-2019 10:01 PM
Reimage SFR, after re-added to config-manager it will work.
01-16-2019 09:00 AM
01-16-2019 09:12 AM
Were you not able to open a TAC case?