Hi Aditya

zulqurnain · ‎03-15-2016

Hi

I have been trying to get our new 5506-X firewalls configured with FirePower but it seems something is not happening right , whenever I try to add the device into FirePower Management Center which is as following version

Software Version	6.0.0 (build 1005)
OS	Cisco Fire Linux OS 6.0.0 (build258)
Snort Version	2.9.8 GRE (Build 229)

with FirePower which is as following version

Model : ASA5506 (72) Version 5.4.1 (Build 211)

I get a message in management center as following

"Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection."

I have been searching around but I have not been able to grap the main reason behind it as multiple scenario and answers are provided in different posts.

Any help would be appreciated.

Aditya Ganjoo · ‎03-15-2016

Hi,

We need to check the status of sftunnel.conf file.

Can you please check if the FirePower module is able to telnet to the FireSight on port 8305 and vice versa.

Also please check if the status of sftunnel is up on both devices by running :

pmtool status | grep sftunnel

This happens due to some issue with sftunnel.conf file. You can follow instructions mentioned in the following document.

https://supportforums.cisco.com/discussion/12310476/fail-register-sfr-module

If it does not help please open a TAC case.

Regards,

Aditya

Please rate helpful posts.

zulqurnain · ‎03-15-2016

Hi Aditya

you said telnet , my FW doesn't have telnet enabled it's only SSH. Do I need to enable Telnet ?

Aditya Ganjoo · ‎03-15-2016

Hi,

You need to telnet from the FirePower module to the FireSight on port 8305 and vice versa.

Regards,

Aditya

zulqurnain · ‎03-16-2016

alright so I logged in to FirePower Module and entered into expert mode and did a telnet to FireSight using port 8305 and vice versa and I am getting 'connection refused'

How do i go about opening these ports on each side ?

Thanks

zulqurnain · ‎03-16-2016

they can ping each other and on FireSight under Configuration > Management Interface > Remote Management Port is defined 8305

and on FireModule Management Port 8305 is configured as well.

zulqurnain · ‎03-16-2016

I followed the steps in the thread below but in vain

https://supportforums.cisco.com/discussion/12310476/fail-register-sfr-module

zulqurnain · ‎03-21-2016

Hi

I just wanted to give my input as I was able to get it working.

At least that is what I think was happening , my FireSight version was 6.0.0 where as my ASA FirePower version was 5.4 . I simple upgraded the ASA side to 6.0.0 and it worked just fine.

Thanks everyone for supporting it.

Marvin Rhoads · ‎03-15-2016

To clarify what Aditya mentioned - the FirePOWER module (not the ASA itself) initiates the telnet session. It does so from it's own OS (Linux). The ASA itself need neither initiate or respond to telnet.

You specify for it to use tcp/8305 to mimic the module-FirePOWER Management Center communications.

FirePower on ASA 5506