05-02-2017 06:29 AM - edited 03-12-2019 02:18 AM
Hello,
I have installed the ftd-6.2.0-362.pkg image on my Cisco ASA 55xx-X.
First of all, I would like to manage my device with the Firepower Device Management, but when I access https://192.168.1.1, I get the message "Application Failure".
I reimaged the Cisco ASA but always get the same message.
If someone can help me.
Thanks in advance.
05-02-2017 08:46 AM
Is it 6.2.0-362 or -363? The 362 build is not on the download site.
Did FTD ever work on your appliance? Did you reimage from ASA software? Did you perform the bootstrapping yourself?
05-03-2017 12:09 AM
It's 6.2.0-362, I can't download the -363 because it failed. (The -362 was on the download site.)
No, the FTD never worked on my appliance.
I did not, because I have to manage my ASA with Firepower Management Center after the initial installation.
I reimaged the ASA with the boot image (.lfbff) and the FTD image (.pkg) myself.
05-03-2017 02:23 AM
What is your hardware model? You mentioned 55xx. The boot images are different for 5506/08/16 vs. other models. Assuming you are using one of the Kenton models which require the digitally-signed boot image (lfbff file) then you would be using the files listed here:
https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286306337&release=6.1.0.3&relind=AVAILABLE&rellifecycle=&reltype=latest
That download site currently has ftd-boot-9.7.1.4.lfbff and ftd-6.2.0-363.pkg.
You would also have needed to check and possibly update your rommon to 1.1.8 per the re-image guide here:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#task_90917D0EBAC2427487F6F51D21ABC235
The rommon code can be found here:
https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286287669&release=1.1.8&relind=AVAILABLE&rellifecycle=&reltype=latest
05-03-2017 05:31 AM
I use the Cisco ASA 5506-X.
Currently my installation uses:
- Cisco Systems ROMMON, Version 1.1.8
- Cisco FTD Boot 6.0.0 (9.7.1.4)
- Cisco ASA5506-X Threat Defense (75) Version 6.2.0 (Build 363)
And I always have the same error "Application Failure".
05-03-2017 07:29 AM
OK, that all seems good. I'm not sure what it might be.
One other thing (short of a TAC case - and I'm guessing you don't have Smartnet or you'd have opened one already) is to perhaps try it with a fresh browser session - use an InPrivate (Firefox) or Incognito (Chrome) window to eliminate any possible client side caching issues.
05-03-2017 07:39 AM
Yes, I have already cleaned my web browser (Firefox, Chrome, IE) but it does not work.
I have cleaned the configuration cache with the DOS command "ipconfig /flushdns" too.
I think I will open a TAC case.
Thank you
05-03-2017 07:41 AM
You're welcome.
Please update us with the outcome - I've not seen this issue before.
05-04-2017 05:04 AM
I can't explain why but it works.
I rebooted the system and waited a few minutes, then I could access the Firepower Device Management page.
But now, I can't register my ASA5506-X in the Firepower Management Center.
I use the 90-day evaluation on both of them.
When I run the pigtail command on FTD, I get an error about sftunnel:
MSGS: 05-04 11:52:41 ciscoasa SF-IMS[8964]: [18076] sftunneld:sf_ssl [INFO] Connect to 10.166.8.239 failed on port 8305 socket 12 (Connection refused)
Physically I'm directly connected to Gi1/2, and the M1/1 is connected to the network to communicate with the FMC.
If you have an idea about this problem, can you help me?
Thanks in advance.
05-04-2017 05:17 AM
Hi Steve,
What is the Pigtail output on the FMC? I have seen in the past, even though the FMC and FTD are in the same subnet, adding NAT_ID after the key resolves the connectivity issue. This ID is necessary only if there is a natting device between the FMC and FTD/Firepower, but I have come across scenarios where adding NAT_ID helped.
Regards
Akhil
05-04-2017 05:33 AM
Hello Akhil,
The pigtail on the FMC returns:
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] No IPv4 connection to 10.166.8.238
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.166.8.238'
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] reconnect to peer '10.166.8.238' in 0 seconds
I had a NAT_ID when I registered my FTD in FMC but the error is still the same (as you can see in the attachment).
Regards
05-04-2017 06:36 AM
If you have configured your FTD sensor for local management (FDM) then you cannot also use FirePOWER Management Center (FMC). You must choose one or the other.
"show managers" should tell you which is setup on your device.
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-mgmt.html#id_16122
If a remote (FMC) manager is configured then the sensor should have tcp/8305 open and listening. You can check for it from expert mode using netstat.
There have been some issues with sftunnel over the years. You can restart it using the "manage_procs.pl" script in expert mode as described here:
http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200868-Configuring-Firepower-Threat-Defense-FT.html
You can also check it with the (non-expert mode) command "sftunnel-status".
http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_1.html#wp3511747780
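Added example (not part of the original posts, and not Cisco code): a small Python triage of the pigtail lines quoted in this thread, grouping sftunneld connection errors on tcp/8305 by reporting host and peer. The regular expressions and the hint texts are assumptions, based only on the lines shown here and on the general meaning of the socket error strings.

```python
import re
from collections import defaultdict

# pigtail lines copied from the posts above (FTD side first, then FMC side).
SAMPLE = """\
MSGS: 05-04 11:52:41 ciscoasa SF-IMS[8964]: [18076] sftunneld:sf_ssl [INFO] Connect to 10.166.8.239 failed on port 8305 socket 12 (Connection refused)
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [INFO] No IPv4 connection to 10.166.8.238
MSGS: 05-04 12:25:37 fmc-axians SF-IMS[4611]: [18097] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.166.8.238'
"""

# Pattern inferred from the lines above; not an official log grammar.
LINE = re.compile(
    r"^MSGS: \S+ \S+ (?P<host>\S+) SF-IMS\[\d+\]: \[\d+\] "
    r"sftunneld:\S+ \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
PEER = re.compile(r"(?:Connect to |connection to |peer ')(\d{1,3}(?:\.\d{1,3}){3})")

# General socket-error meanings (assumption: sftunneld logs the OS error text).
HINTS = {
    "Connection refused":
        "peer answered but nothing accepts tcp/8305 there; check the listener",
    "Operation now in progress":
        "connect did not complete; check routing, filtering and the peer address",
}

def triage(text):
    """Return {reporting_host: {"peers": set, "reasons": set}}."""
    report = defaultdict(lambda: {"peers": set(), "reasons": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an sftunneld message
        entry = report[m["host"]]
        peer = PEER.search(m["msg"])
        if peer:
            entry["peers"].add(peer.group(1))
        entry["reasons"].update(r for r in HINTS if r in m["msg"])
    return dict(report)

if __name__ == "__main__":
    for host, info in triage(SAMPLE).items():
        for reason in sorted(info["reasons"]):
            print(f"{host} -> {sorted(info['peers'])}: {reason}: {HINTS[reason]}")
```

Seeing both directions fail with different errors, as here, points at the sftunnel service or its configuration on each side rather than at a single blocked path.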
05-15-2017 01:50 AM
Now it works, I fixed the problem.
I tried to restart the sftunnel with the Perl script like you said, but when I restarted it I encountered another error message like: "You can not be authenticate by the FTD or the FMC".
So I searched for the error and it would be that the sftunnel.conf was corrupt, so I replaced the configuration and after about 15 min, the registration works.
See the attachment.
Thank you for your help,