Cisco Firepower Threat Defense : Application Failure - Firepower Device Management

Hello,

I have installed the ftd-6.2.0-362.pkg image on my Cisco ASA 55xx-X.

First of all, I would like to manage my device with Firepower Device Management, but when I access https://192.168.1.1, I get the message "Application Failure".

I reimaged the Cisco ASA but always get the same message.

Can someone help me?

Thanks in advance.

12 Replies

Marvin Rhoads
Hall of Fame

Is it 6.2.0-362 or -363? The 362 build is not on the download site.

Did FTD ever work on your appliance? Did you reimage from ASA software? Did you perform the bootstrapping yourself?

It's 6.2.0-362; I can't download the -363 because it failed. (The -362 was on the download site.)

No, FTD never worked on my appliance.

I did not, because I have to manage my ASA with Firepower Management Center after the initial installation.

I reimaged the ASA with the boot image (.lfbff) and the FTD image (.pkg) myself.

What is your hardware model? You mentioned 55xx. The boot images are different for 5506/08/16 vs. other models. Assuming you are using one of the Kenton models which require the digitally-signed boot image (lfbff file) then you would be using the files listed here:

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286306337&release=6.1.0.3&relind=AVAILABLE&rellifecycle=&reltype=latest

That download site currently has ftd-boot-9.7.1.4.lfbff and ftd-6.2.0-363.pkg.

You would also have needed to check and possibly update your rommon to 1.1.8 per the re-image guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_90917D0EBAC2427487F6F51D21ABC235

The rommon code can be found here:

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286287669&release=1.1.8&relind=AVAILABLE&rellifecycle=&reltype=latest

I use the Cisco ASA 5506-X.

Currently my installation uses:

- Cisco Systems ROMMON, Version  1.1.8

- Cisco FTD Boot 6.0.0 (9.7.1.4) 

- Cisco ASA5506-X Threat Defense (75) Version 6.2.0 (Build 363)

And I always get the same error "Application Failure".

OK, that all seems good. I'm not sure what it might be.

One other thing (short of a TAC case - and I'm guessing you don't have Smartnet or you'd have opened one already) is to perhaps try it with a fresh browser session - use an InPrivate (Firefox) or Incognito (Chrome) window to eliminate any possible client side caching issues. 

Yes, I have already cleaned my web browser (Firefox, Chrome, IE) but it does not work.

I have cleaned the configuration cache with the DOS command "ipconfig /flushdns" too.

I think I will open a TAC case.

Thank you

You're welcome.

Please update us with the outcome - I've not seen this issue before.

I can't explain why, but it works.

I rebooted the system and waited a few minutes, then I could access the Firepower Device Management page.

But now I can't register my ASA5506-X in the Firepower Management Center.

I use the 90-day evaluation on both of them.

  • First, I assign an IP address to the management interface on the same network as my FMC, using the Firepower Device Manager (ping works).
  • Secondly, I configure the manager with the reg_key on the FTD via the CLI.
  • Finally, on the FMC I add the device with the IP address, name, policy and key, but it does not work.

When I run the pigtail command on the FTD, I get an error about sftunnel:

MSGS: 05-04 11:52:41 ciscoasa SF-IMS[8964]: [18076] sftunneld:sf_ssl [INFO] Connect to 10.166.8.239 failed on port 8305 socket 12 (Connection refused)

Physically I'm directly connected to Gi1/2, and M1/1 is connected to the network to communicate with the FMC.

If you have an idea about this problem, can you help me?

Thanks in advance.

Hi Steve,

What is the pigtail output on the FMC? I have seen in the past that, even though the FMC and FTD are in the same subnet, adding a NAT_ID after the key resolves the connectivity issue. This ID is necessary only if there is a NAT device between the FMC and the FTD/Firepower, but I have come across scenarios where adding a NAT_ID helped.

Regards

Akhil 

Hello Akhil,

The pigtail on the FMC returns:

MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] No IPv4 connection to 10.166.8.238
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.166.8.238'
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] reconnect to peer '10.166.8.238' in 0 seconds

I had a NAT_ID when I registered my FTD in the FMC, but the error is still the same (as you can see in the attachment).

Regards

If you have configured your FTD sensor for local management (FDM) then you cannot also use FirePOWER Management Center (FMC). You must choose one or the other.

"show managers" should tell you which is setup on your device.

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-mgmt.html#id_16122

If a remote (FMC) manager is configured then the sensor should have tcp/8305 open and listening. You can check for it from expert mode using netstat.

There have been some issues with sftunnel over the years. You can restart it using the "manage_procs.pl" script in expert mode as described here:

http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200868-Configuring-Firepower-Threat-Defense-FT.html

You can also check it with the (non-expert mode) command "sftunnel-status".

http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_1.html#wp3511747780
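The pigtail lines quoted earlier in this thread carry enough structure to triage registration failures automatically: a "Connection refused" from the sensor means the peer answered but nothing is listening on tcp/8305 (the local-management case described above), while "Operation now in progress" or "Unable to connect to peer" means no answer at all. The parser below is an added example written for this thread, not Cisco tooling; the sample log is constructed from the lines posted here, and the field layout of the MSGS lines is assumed from those same samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the pigtail lines quoted in this thread
# (FTD side first, then FMC side).
SAMPLE_LOG = """\
MSGS: 05-04 11:52:41 ciscoasa SF-IMS[8964]: [18076] sftunneld:sf_ssl [INFO] Connect to 10.166.8.239 failed on port 8305 socket 12 (Connection refused)
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] No IPv4 connection to 10.166.8.238
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.166.8.238'
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] reconnect to peer '10.166.8.238' in 0 seconds
"""

# Assumed layout: "MSGS: <ts> <host> SF-IMS[pid]: [tid] <process> [LEVEL] <message>"
LINE_RE = re.compile(
    r"^MSGS: (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) SF-IMS\[\d+\]: "
    r"\[\d+\] (?P<proc>\S+) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"(?:Connect to |connection to |peer ')(\d{1,3}(?:\.\d{1,3}){3})")

def classify(msg):
    """Map an sftunnel message to a coarse failure class."""
    if "Connection refused" in msg:
        # TCP RST: peer reachable, nothing listening on 8305 (check 'show managers').
        return "refused"
    if ("Operation now in progress" in msg or "No IPv4 connection" in msg
            or "Unable to connect to peer" in msg):
        # No answer at all: routing, filtering, or the peer being down.
        return "unreachable"
    if msg.startswith("reconnect to peer"):
        return "retry"
    return "other"

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["msg"])
    rec["peer"] = peer.group(1) if peer else None
    rec["class"] = classify(rec["msg"])
    return rec

def summarize(text):
    """Per-host counts of failure classes, plus the peers each host tried."""
    out = defaultdict(lambda: {"classes": Counter(), "peers": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proc"] == "sftunneld:sf_ssl":
            out[rec["host"]]["classes"][rec["class"]] += 1
            if rec["peer"]:
                out[rec["host"]]["peers"].add(rec["peer"])
    return dict(out)

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, dict(info["classes"]), sorted(info["peers"]))
```

Feed it the output of pigtail from both sides: a host that only ever records "refused" points at the manager setting on the peer, while "unreachable" on both sides points at the path between them.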

Now it works; I fixed the problem.

I tried to restart the sftunnel with the perl script like you said, but when I restarted it I encountered another error message like: "You can not be authenticate by the FTD or the FMC".

So I searched for the error, and it appeared that the sftunnel.conf was corrupt, so I replaced the configuration and after about 15 min the registration worked.

See the attachment.

Thank you for your help,
