Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1187
Views
0
Helpful
5
Replies

FTDv 6.3 Management Address Inconsistency

JON SHORTEN
Level 1
Level 1

‎01-14-2019 07:54 AM - edited ‎03-12-2019 04:19 AM

I've just tried to run up an instance of FTDv in a lab environment for testing prior to using on a customer site, the setup script allows me to manually configure a management address as usual, but this doesn't seem to be being applied correctly.

 

If I use "show network", I see the correctly configured IPv4 address on the inside (g0/1) interface (192.168.179.254 in my lab), but if I use "show IP" I see 192.168.45.1 on the same interface.  Attempts to ping the gateway result in "no route to host", unless I drop into a shell, when the gateway becomes reachable.

 

I've tried setting the address with "configure network ipv4 manual" which makes no difference; nor does reloading or re-installing.

 

Wondering if anyone else has seen this behavior, & if so how it was resolved.

 

Command output below:

 

> show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                unassigned      unassigned      DHCP
GigabitEthernet0/1       inside                 192.168.45.1    255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                unassigned      unassigned      DHCP
GigabitEthernet0/1       inside                 192.168.45.1    255.255.255.0   CONFIG
> show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 208.67.222.222
                            208.67.220.220
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.179.1

======================[ br1 ]=======================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 0C:A2:4E:81:36:01
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.179.254
Netmask                   : 255.255.255.0
Broadcast                 : 192.168.179.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

>

Labels:
0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎01-14-2019 09:34 AM

I think you need to differentiate management interface from other
interfaces in FTD.

The management interface is complete isolated in FTD (unlike ASA) and runs
in separate plane. There are typologies to connect management interface to
inside interface and use FTD as gateway for management.

If you want to ping the management gateway, you need to try ping system
x.x.x.x. This will work but ping alone will use dataplane not management
plane.


**** Please remember to rate useful posts
0 Helpful

MajidShirzadeh
Level 1
Level 1

‎01-14-2019 02:13 PM

If you are referring to FMC MGMT interface, all you need is to configure one IP address for MGMT, which will be use to register FTD to FMC, I would make sure FMC MGMT interface and FTD MGMT interface are in a same network.

0 Helpful

JON SHORTEN
Level 1
Level 1

‎01-15-2019 02:30 AM

SOLVED: This turns out to be a lab issue, the interface numbering is inconsistent between the hypervisor & the FTDv. Once I realised this & changed the vnic assignment I have connectivity

For anyone else investigating something similar, from a default install my interface mapping was:
vnic 1 -> g0/1
vnic2 -> management
vnic 3 -> g0/0

Although this is very probably unique to our current lab.

I still
0 Helpful

Ramachary
Cisco Employee
Cisco Employee
In response to JON SHORTEN

‎01-22-2019 11:14 PM

Issue: During Image Install step of Software Image Upgrade Process, the FMC issues reboot to vFTD... and vFTD thereby becomes inaccessible due to br1 mac address changing to it's original value:

 

The vFTD is created in vSphere
1. After VM is created with vSphere Client for vFTD, it shows different mac addresses for br1 & NA-1 interfaces.
2. Only when br1 mac address is changed (from Console of VM/vFTD) to Network Adapter-1 mac address of the vFTD(shown in Virtual Machine Properties box) , vFTD gets accessed from FMC.
3. Upon reboot of the vFTD, the br1 gets back to it's original mac address instead of retaining the value of changed mac address(Network Adapter-1).
4. It then becomes necessary to change the br1 mac address to Network Adapter-1 mac address of the vFTD, manually through Console, to make it accessible from FMC.

 

How can this problem be corrected !

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to JON SHORTEN

‎01-22-2019 11:59 PM

Also, you "ping system <IP>" vs. "ping <IP>" when initiating traffic from the FTD mgmt interface. Otherwise it will try to use the data interface (which one is according to the appliance's routing table).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card