
Cannot Register SFR Module to FMC

Matthew Martin

Hello All,

 

When attempting to Register a new SFR Module to our FMC I receive the message: "Could not establish a connection with device."

FMC_Error.png

I know for sure the reg key is correct and I am able to ping each device from the other without issue.

 

The FMC device is located in our HQ and the SFR Module is located across WAN in a DR location. Also, I had no problems registering 2 other SFR modules which were located in the same physical location as the FMC.

 

I tried the "telnet <fmc_ipaddress> 8305" command from the SFR Module to the FMC, and receive the following message:

admin@ASASFR3:~$ telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused

 

Log from /var/log/messages shows:

admin@ASASFR3:~$ tail -f /var/log/messages
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:55608/tcp
Dec 20 22:35:26 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:55608/tcp (socket 11)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 44 seconds is up)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:35:33 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 20 22:37:10 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] ClamUpd, time to check for updates
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 20 22:37:56 ASASFR3 SF-IMS[11384]: [17278] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [11401] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:58792/tcp
Dec 20 22:38:00 ASASFR3 SF-IMS[11384]: [17403] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:58792/tcp (socket 11)
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 20 22:38:03 ASASFR3 SF-IMS[11384]: [17281] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [11402] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 20 22:38:07 ASASFR3 SF-IMS[11384]: [17408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)

 

Any ideas on what the issue could be here? I have rebooted the FMC as well as re-installed SFR module on the ASA and it didn't seem to help.

 

Any thoughts or suggestions would be greatly appreciated.

 

Thanks in Advance,

Matt

25 Replies

Go into your ASA firewall box and console to the SFR.

Give this command:

configure manager delete

Then again:

configure manager add <FireSIGHT MC IP> <Registration Key>

Then try to register the SFR in FMC again.

please do not forget to rate.

Thanks for the reply.

 

I've actually tried that a few different times now using different reg keys, but none made a difference.

 

Thanks again,

Matt

Please could you confirm the ASA model number, the ASA software version, the FMC software version and the SFR version?

please do not forget to rate.

ASA5515: ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC

ASA Version: 9.4(4)20

 

SFR Module: 6.2.3-83

 

FMC Server:

FMC.png

 

-Matt

Hi,

Check compatibility between the FMC and the Firepower module. Most new ASA firewalls come with Firepower 5.4, which is not compatible with an FMC running 6.x. You will need to upgrade the Firepower module using ASDM to at least 6.1 and add it to the FMC.

 

You can see the compatibility list at the following url:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

 

Thanks

John

**Please rate posts you find helpful**

Thanks for the reply John.

I think I'm ok in terms of compatibility. SFR is running 6.2.3-83 and FMC is running 6.2.3.6.

-Matt

After attempting to register the device again, the netstat command shows the following:

 

FMC = 192.168.2.20

HQ ASA Primary SFR: 192.168.2.57

HQ ASA Secondary SFR: 192.168.2.58

DR ASA Primary SFR: 10.50.123.57

*The last one listed above is the one I'm trying to Register...

 

From the FMC VM:

 

admin@firepower:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 192.168.2.20:8305       0.0.0.0:*               LISTEN      -                   
tcp        0   2515 192.168.2.20:59999      10.50.123.57:8305       ESTABLISHED -                   
tcp        0   2178 192.168.2.20:8305       10.50.123.57:50367      ESTABLISHED -                   
tcp        0      0 192.168.2.20:54469      192.168.2.57:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:51725      192.168.2.58:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:60542      192.168.2.58:8305       ESTABLISHED -                   
tcp        0      0 192.168.2.20:46581      192.168.2.57:8305       ESTABLISHED -  

 

 

From SFR Module:

 

admin@ASASFR3:~$ netstat -pan | grep 8305
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 10.50.123.57:8305       0.0.0.0:*               LISTEN      -                   
tcp        0      0 10.50.123.57:50367      192.168.2.20:8305       ESTABLISHED -                   
tcp        0      0 10.50.123.57:8305       192.168.2.20:59999      ESTABLISHED -  

 

 

Here's /var/log/messages from both:

 

 

SFR Module:

 

Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 4 seconds is up)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 failed on port 8305 socket 11 (Connection refused)
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] No IPv4 connection to 192.168.2.20
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.168.2.20'
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 24 seconds
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:59999/tcp
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:59999/tcp (socket 11)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 24 seconds is up)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 21 18:47:15 ASASFR3 SF-IMS[25616]: [25616] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:49974/tcp
Dec 21 18:47:47 ASASFR3 SF-IMS[15070]: [15229] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:49974/tcp (socket 11)
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15078] sftunneld:sf_connections [INFO] Start connection to : 192.168.2.20 (wait 300 seconds is up)
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_peers [INFO] Peer 192.168.2.20 needs a single connection
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Dec 21 18:48:02 ASASFR3 SF-IMS[15070]: [15235] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)

 

 

From FMC:

 

admin@firepower:~$ tail -n 1000 /var/log/messages
Dec 21 18:45:06 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_ADD to register 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8104
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.50.123.57 - 8121
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX initialized for 10.50.123.57
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_ADD 10.50.123.57 to register
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is  192.168.2.20  (key '192.168.2.20') on eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:45:06 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy
Dec 21 18:45:06 firepower SF-IMS[30494]: [30494] sfmbservice:sfmb_service [INFO] sfmbservice received SIGHUP
Dec 21 18:45:06 firepower SF-IMS[30496]: [30496] ipproxy:ipproxy [INFO] Got HUP signal, re-reading configuration
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.57 over eth0
Dec 21 18:45:06 firepower SF-IMS[30492]: [30501] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.57 (6.2.3)
Dec 21 18:45:07 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv4(192.168.2.20) eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:45:12 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:45:13 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.2.58 over eth0
Dec 21 18:45:17 firepower SF-IMS[30492]: [30500] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.2.58 (6.2.3)
Dec 21 18:45:28 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:50367/tcp
Dec 21 18:45:28 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:50367/tcp (socket 35)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:process [INFO] Started store_whitelist_history (1094)
Dec 21 18:46:00 firepower SF-IMS[4410]: [4410] pm:log [INFO] Process 'store_whitelist_history' closed output.
Dec 21 18:46:12 firepower SF-IMS[4823]: [4823] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for ip  verify_peer=1  verifyhost=0 
Dec 21 18:46:12 firepower SF-IMS[4823]: [4840] CloudAgent:IPReputation [INFO] The curl option for dns verifypeer=1    verifyhost=0
Dec 21 18:46:31 firepower Someone connected to me, receiving data...
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 8, msg_len = 10
Dec 21 18:46:31 firepower process_msg : Received IPC message type : 12
Dec 21 18:46:31 firepower Response being sent to SAM : �
Dec 21 18:46:31 firepower , len(msg being sent) = 2575
Dec 21 18:46:31 firepower sla_worker : sizeof(msg) : 8192
Dec 21 18:46:31 firepower before recv(), total_bytes_read = 0, hdr_len = 8
Dec 21 18:46:31 firepower Connection closed...
Dec 21 18:46:31 firepower Waiting for someone to connect to me...
Dec 21 18:47:05 firepower SF-IMS[5471]: [5842] SFDataCorrelator:Correlator [INFO] Purging 1 expired IP hosts (query time: 0.003 sec.)
Dec 21 18:47:08 firepower SF-IMS[30493]: [30516] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:09 firepower SF-IMS[30493]: [30518] sfmgr:sfmanager [INFO] Received Broadcast message route_size=132
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:47:43 firepower SF-IMS[30492]: [916] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.123.57' in 0 seconds
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [30499] sftunneld:sf_connections [INFO] Start connection to : 10.50.123.57 (wait 0 seconds is up)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_peers [INFO] Peer 10.50.123.57 needs a single connection
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connect to 10.50.123.57 on port 8305 - eth0
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.123.57 (via eth0)
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.123.57:8305/tcp
Dec 21 18:47:46 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.123.57
Dec 21 18:47:47 firepower SF-IMS[30492]: [1478] sftunneld:sf_ssl [INFO] Connected to 10.50.123.57:8305 (IPv4)
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:58 firepower SF-IMS[30492]: [1027] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Dec 21 18:48:02 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] Process received SIGHUP
Dec 21 18:48:02 firepower SF-IMS[30492]: [30498] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 10.50.123.57:35903/tcp
Dec 21 18:48:02 firepower SF-IMS[30492]: [1500] sftunneld:sf_ssl [INFO] Processing connection from 10.50.123.57:35903/tcp (socket 35)
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/devcap.lock
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/device_cap.conf /etc/sf/.device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:06 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/device_cap.conf
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:06 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /etc/sf/device_cap.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/kill -s USR1 5440
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] Locking SFDataCorrelator
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:ControlHandler [INFO] Handling control connection from sudo_user '', cmd '/usr/bin/perl /usr/local/sf/bin/ActionQueueScrape.pl', pid 1560 (uid 0, gid 0)
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] DCEControlMessageReconfigure
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize Host limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Host limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Initialize User limit to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] User limit set to 50000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] Event Rate Limit set to 5000
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:DCEControl [INFO] Pausing Event handlers
Dec 21 18:48:07 firepower SF-IMS[5471]: [1565] SFDataCorrelator:Correlator [INFO] DomainControl: Initialized 1 domains including 1 netmaps
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/sf/run/sftunnel.lock
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /etc/sf/sftunnel.conf /etc/sf/.sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/iftool
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 0664 /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower sudo:      www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/tmp/sftunnel.conf
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 21 18:48:07 firepower sudo: pam_unix(sudo:session): session closed for user root
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30493]: [30493] sfmgr:sfmanager [INFO] free_peer 10.50.123.57.
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Update Peers configuration requested from a local program (message= 8105)
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] set peer PEER_REMOVED 10.50.123.57 pending
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free not connected peer 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57 
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] >> ChannelState free_peer peer 10.50.123.57 / channelA / NONE [ msgSock & ssl_context ] <<
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_channel [INFO] >> ChannelState free_peer peer 10.50.123.57 / channelB / NONE [ msgSock & ssl_context ] <<
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sf_peers [INFO] Free peer 10.50.123.57 on exit
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:stream_file [INFO] Stream CTX destroyed for 10.50.123.57
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] IPv4 is  192.168.2.20  (key '192.168.2.20') on eth0
Dec 21 18:48:07 firepower SF-IMS[30492]: [30492] sftunneld:sftunnel [INFO] Local Peer supports separate events connection
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfmbservice
Dec 21 18:48:07 firepower SF-IMS[4410]: [4410] pm:process [INFO] HUPing sfipproxy

 

 

I came across this link, which might be helpful for you:

 

https://www.grandmetric.com/2018/04/23/troubleshoot-fmc-firepower-sensor-communication/

 

However, could you try to uninstall the SFR in the ASA and re-install a fresh copy? It might fix the issue. I have searched for this error with no success:

sf_ssl [ERROR] Connect:SSL handshake failed 

 

It seems like it could be some cipher issue, with the FMC and SFR not agreeing.

 

Or, if you have Cisco TAC, open a case with Cisco.

please do not forget to rate.

Sorry for the delay. With the Holidays I was out of the office for a while and then there was an issue with the SSD. After I uninstalled the sfr module and then tried to re-install, there were a bunch of read/write I/O errors showing on the ASA. So I reloaded the ASA and after it came back up, it was no longer even recognizing the ASA was attached.

 

So I was finally able to get someone in that location to remove and re-seat the SSD Drive and it was recognized again. So I then re-installed SFR and attempted to add the SFR module/sensor to the FMC and I am still getting the same results.

 

The one thing that really sticks out is the "Connect:SSL handshake failed" error message shown below, even though at one point in the log it says connection successful...

Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 on port 8305 - eth0
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.2.20 (via eth0)
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Jan  7 17:23:35 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.2.20
Jan  7 17:23:36 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Jan  7 17:26:05 ASASFR3 SF-IMS[32353]: [32407] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Jan  7 17:26:06 ASASFR3 SF-IMS[32353]: [32408] sftunneld:sf_ssl [INFO] reconnect to peer '192.168.2.20' in 300 seconds

 

From my laptop, I am able to run the command "telnet <sfr-ip-address> 8305" and it appears to connect just fine. But, I get a connection refused when trying the telnet command to the FMC. Is 8305 only used on the sensor?

> telnet 192.168.2.20 8305
Trying 192.168.2.20...
telnet: connect to address 192.168.2.20: Connection refused

Any thoughts would be greatly appreciated!

 

-Matt
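The following is an added example, not part of any poster's message and not Cisco code. It reads sftunneld lines in the format posted in this thread and reports, per worker thread, whether an attempt failed at TCP connect or only later in the SSL handshake (and how long after TCP came up), and it lists ESTABLISHED sockets from `netstat -pan` whose Send-Q is non-zero, meaning bytes sent but not yet acknowledged by the peer. The function names and the trimmed sample inputs are constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime

Attempt = namedtuple("Attempt", "thread direction peer stage detail seconds")

# One sftunneld syslog line: timestamp, host, SF-IMS[pid], [thread], component, level, message
LINE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ SF-IMS\[\d+\]: \[(\d+)\] sftunneld:\S+ \[\w+\] (.*)$"
)
CONNECTED = re.compile(r"Connected to ([\d.]+):\d+")                    # outbound TCP is up
PROCESSING = re.compile(r"Processing connection from ([\d.]+):\d+/tcp")  # inbound TCP is up
TCP_FAIL = re.compile(r"Connect to ([\d.]+) failed on port \d+ .*\((.+)\)$")
TLS_FAIL = re.compile(r"(Accept|Connect):SSL handshake failed")

# Constructed sample: a subset of the SFR-side lines posted above, in time order.
SAMPLE_LOG = """\
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.2.20:8305/tcp
Dec 21 18:45:06 ASASFR3 SF-IMS[15070]: [15098] sftunneld:sf_ssl [INFO] Connect to 192.168.2.20 failed on port 8305 socket 11 (Connection refused)
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15077] sftunneld:tunnsockets [INFO] Accepted IPv4 connection from 192.168.2.20:59999/tcp
Dec 21 18:45:13 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Processing connection from 192.168.2.20:59999/tcp (socket 11)
Dec 21 18:45:28 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Connected to 192.168.2.20:8305 (IPv4)
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [INFO] Wait SSL_accept_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:43 ASASFR3 SF-IMS[15070]: [15101] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [INFO] Wait SSL_connect_nb: TIMEOUT TO COMPLETE
Dec 21 18:47:58 ASASFR3 SF-IMS[15070]: [15111] sftunneld:sf_ssl [ERROR] Connect:SSL handshake failed
"""

# Constructed sample: a subset of the FMC-side netstat output posted above.
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.2.20:8305       0.0.0.0:*               LISTEN      -
tcp        0   2515 192.168.2.20:59999      10.50.123.57:8305       ESTABLISHED -
tcp        0   2178 192.168.2.20:8305       10.50.123.57:50367      ESTABLISHED -
tcp        0      0 192.168.2.20:54469      192.168.2.57:8305       ESTABLISHED -
"""


def _ts(text):
    # Syslog timestamps carry no year; an arbitrary one is prepended so
    # time differences within a single excerpt can be computed.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def classify_attempts(log_text):
    """Return one Attempt per failed connection, tagged with the stage that failed."""
    open_tcp = {}      # thread id -> (direction, peer, time the TCP session came up)
    timed_out = set()  # threads that logged TIMEOUT TO COMPLETE before the failure
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, thread, msg = _ts(m.group(1)), m.group(2), m.group(3)
        if (hit := CONNECTED.search(msg)):
            open_tcp[thread] = ("outbound", hit.group(1), when)
        elif (hit := PROCESSING.search(msg)):
            open_tcp[thread] = ("inbound", hit.group(1), when)
        elif (hit := TCP_FAIL.search(msg)):
            # Failure before any TCP session existed (e.g. Connection refused).
            results.append(Attempt(thread, "outbound", hit.group(1), "tcp", hit.group(2), None))
        elif "TIMEOUT TO COMPLETE" in msg:
            timed_out.add(thread)
        elif TLS_FAIL.search(msg) and thread in open_tcp:
            # TCP was up on this thread; the failure is in the SSL handshake.
            direction, peer, started = open_tcp.pop(thread)
            detail = "handshake timeout" if thread in timed_out else "handshake error"
            timed_out.discard(thread)
            elapsed = int((when - started).total_seconds())
            results.append(Attempt(thread, direction, peer, "tls", detail, elapsed))
    return results


def unacked_sockets(netstat_text):
    """Return (local, remote, send_q) for ESTABLISHED sockets with Send-Q > 0."""
    flagged = []
    for raw in netstat_text.splitlines():
        f = raw.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "ESTABLISHED" and int(f[2]) > 0:
            flagged.append((f[3], f[4], int(f[2])))
    return flagged


if __name__ == "__main__":
    for attempt in classify_attempts(SAMPLE_LOG):
        print(attempt)
    for sock in unacked_sockets(SAMPLE_NETSTAT):
        print("unacknowledged data:", sock)
```

On the sample, the one refused connection is reported at the TCP stage, while both handshake failures occur 150 seconds after TCP was already up, in both directions; only the two sockets to 10.50.123.57 carry unacknowledged data.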

Well, it seems like it's refusing the connection. Your best bet is to open a TAC case if you have a contract.

please do not forget to rate.

It could be that your hard disk is faulty, as it sounds from reading your description of the struggle with the SFR.

please do not forget to rate.

Reimage SFR; after it is re-added to config-manager, it will work.

Sorry, I thought I had replied to this thread already. Guess not...

I was able to re-image the SFR module on the SSD after getting the SSD re-seated in the ASA. But, I am still having the same issue with the logs showing SSL Handshake error. The strange thing is, according to the netstat command they are showing an Established connection on both ends.

-Matt

Were you not able to open a TAC case?

please do not forget to rate.