ASA sfr module not reachable locally

swapnildongre89
Level 1

Hi All,

 

I have installed the sfr module (5.3.1-152) with an ASA 5525 and below are the details (sfr status is Up on the firewall):

 

Firewall: inside interface- 10.23.1.1 255.255.255.248

SFR: ipv4 add- 10.23.1.5 255.255.255.248 gateway- 10.23.1.1

 

I can get into the console through the ASA only via "session sfr console"; however, I am not able to access/ping 10.23.1.5 locally, and not even from the firewall. Also, while adding the device into Firesight Manager it shows the error attached to this message: "Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection."

 

1. Registration keys are the same on both devices

2. Firesight 5.4.0 and sfr 5.3.1

3. Both devices are behind the inside interface

 

Also, I do not want to disturb the current ASA firewall traffic. Please advise on this.


Marvin Rhoads
Hall of Fame

The sfr module needs to use the physical management port m0/0 of the ASA for its external communications. It does not and cannot communicate out using any of the other ASA interfaces.

So in your case (seeing that you have sfr and inside on the same subnet), m0/0 should have an Ethernet connection to the same VLAN where your inside interface is connected.

Hi Marvin,

So does it mean that there are two different IPs, one for the management m0/0 as well as the other one, i.e. the sfr management IP?? And

is there any need for the nat-id if I don't have a NAT device in the traffic flow, but the ASA on which my SFR is installed has a NAT statement for the Firesight Mgmt Server??

 

 

The sfr module MUST be managed and connects to the FMC via the ASA m0/0 (except for 5585X which has a dedicated management port of the sfr SSP). The SFR module has its own default gateway distinct from the ASA and its routing setup.

You can optionally also use that same physical port for ASA management. If you elect to do so, it requires a unique IP address in the same subnet as they will both go into a switch port on a single VLAN.

When you elect to use the port for ASA management as well, the IP addresses must be on a subnet distinct from the ASA inside interface as the ASA itself only has a single routing table and cannot accommodate a scheme of having inside and management on the same subnet.

Hi Marvin,

 

So we just need to bring the management interface m0/0 up and connect it to the switch in the same VLAN as that of the inside interface?? And there is no need to assign an IP to the management interface?? Because if we assign an IP to m0/0 in the same subnet, it is not possible to have two different interfaces in the same subnet.

i.e. we just need to bring the m0/0 port up, connect it to the switch and make it communicate in the same L2 VLAN?? Right??

Please check the attached JPEG: is this the way you are suggesting??

 

Yes, that will work. Also you need to add 'no nameif' on the ASA m0/0.

 

You actually can have an address on the ASA m0/0 and the SFR module in the same subnet - just not the same as the inside or any other interface. Think of the SFR module as a VM running in a hypervisor and the ASA as another separate VM. The ASA dynamically loads both at boot time.

 

Hi Marvin,

 

One more query I had: normally all the licenses are MAC bound. But this is a new device for me, so I just wanted to ask: if we change the network settings of the VM on which Firesight was deployed, would it require a new installation of the licenses, or would it pick up the old licenses installed??

I think all the licenses are MAC bound, but I just had a query: is the VM license IP bound here for Firesight deployed on a VM??

Hi Marvin,

 

I am now able to communicate from the Firesight VM machine to the Sourcefire mgmt IP.

But I am unable to add the managed device in the Firesight Management Centre.

SFR version: 5.3.1-152

Firesight version: 5.4.0-763

It is throwing back the same error.

The issue is resolved now.

 

I checked on the sfr module that the connection was happening on port 443. I changed the management port to 8305 and the device is now successfully added to Firesight. Thank you Marvin and Shrinad for your help.

 

> show netstat 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 10.23.1.5:36596         10.23.0.137:443         TIME_WAIT   
tcp        0      0 10.23.1.5:36597         10.23.0.137:443         TIME_WAIT  

> show network 
----------------------------------------------------
IPv4                                
Configuration             : manual
Address                   : 10.23.1.5
Netmask                   : 255.255.255.248
Gateway                   : 10.23.1.3
MAC Address               : A8:9D:21:92:B2:25
Management port           : 443

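The two checks this thread turns on (the sfr management port must be 8305, not 443, and an ASA m0/0 address must not overlap the inside subnet) can be verified from the "show network" output before attempting registration. This checker is an added illustration, not code from any of the posters or from Cisco; the sample output is constructed to mirror the thread, and the expected port 8305 is taken from the resolution above.

```python
import ipaddress
import re

# Constructed sample modelled on the "> show network" output in the thread
SHOW_NETWORK = """\
----------------------------------------------------
IPv4
Configuration             : manual
Address                   : 10.23.1.5
Netmask                   : 255.255.255.248
Gateway                   : 10.23.1.3
Management port           : 443
"""

EXPECTED_MGMT_PORT = 8305  # port the device was registered over once changed


def parse_show_network(text):
    """Turn the 'Key : value' lines of 'show network' into a dict (keys lowercased)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$", line)
        if m:
            cfg[m.group(1).strip().lower()] = m.group(2)
    return cfg


def check_sfr_management(cfg, asa_inside_iface, asa_mgmt_iface=None):
    """Return a list of findings; an empty list means no problem was detected.

    asa_inside_iface / asa_mgmt_iface are 'addr/prefix' or 'addr/netmask' strings
    for the ASA's inside and (optional) Management0/0 interfaces.
    """
    findings = []
    sfr = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}")
    gateway = ipaddress.ip_address(cfg["gateway"])
    port = int(cfg["management port"])
    if port != EXPECTED_MGMT_PORT:
        findings.append(f"management port is {port}, expected {EXPECTED_MGMT_PORT}")
    if gateway not in sfr.network:
        findings.append(f"gateway {gateway} is not inside the SFR subnet {sfr.network}")
    if asa_mgmt_iface is not None:
        mgmt = ipaddress.ip_interface(asa_mgmt_iface)
        inside = ipaddress.ip_interface(asa_inside_iface)
        if mgmt.network.overlaps(inside.network):
            # Mirrors the ASA error "network overlaps with interface Redundant1"
            findings.append(f"ASA m0/0 {mgmt.network} overlaps inside {inside.network}")
    return findings
```

Run against the constructed sample with the inside interface from the thread, the checker reports the 443 port and, if m0/0 is given 10.23.1.4/29, the subnet overlap; with port 8305 and m0/0 on a separate subnet it reports nothing.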
 

The licenses are not IP bound. They are generated by Cisco using the FMC license key as a seed.

As long as you don't rebuild the FMC, the licenses for it and the devices / sensors it manages will remain intact.

Hi Marvin,

Thank you for your prompt replies. I have tried configuring the m0/0 interface of the firewall; however, it has shown an error.

 

(config)# interface Management0/0
(config-if)# ip address 10.23.1.4 255.255.255.248 standby 10.23.1.6
ERROR: Failed to apply IP address to interface Management0/0, as the network overlaps with interface Redundant1. Two interfaces cannot be in the same subnet.

whereas the Redundant1 interface is the inside interface with IP address 10.23.1.1 255.255.255.248.

 

Let me tell you the current network setup now.

10.23.0.x (Firesight server) --> L3 switch (10.23.1.3) --> ASA (10.23.1.1) <--> sfr module (10.23.1.5)

I can ping 10.23.0.x from the firewall and the switch, but not from the sfr.

Hi,

I have the same issue.

Did your issue get resolved?

Please let me know how you set it up.

 

Thanks

Ashish