Thanks John, that sounds promising and I will try it. I am not an savvy network engineer. The switch is 172.21.4.6, should this be the gateway address for the FirePOWER module?

In all the examples I have seen, the FirePOWER address has always been 192.168.1.2/24 with the gateway 192.168.1.1. 

Can I put the FirePOWER interface on the Management network, 172.21.4.0, and if so, what else may be needed (add route, etc)?

FIRST I ran a cable from Gi1/2 to a management network switch. Nothing changed.

NEXT I tried reconfiguring the FirePOWER module to use the management network switch as the gateway, "configure network ipv4 manual 192.168.10.2 255.255.255.0 172.21.4.6 eth0". I received an error along the lines of "Management IP Address is not within the same subnet as the Gateway, please re-enter." So that was no bueno.

THEN, I completely changed the FirePOWER module network configuration again using the switch address as the gateway: "configure network ipv4 manual 172.21.4.184 255.255.255.0 172.21.4.6 eth0".  I got "Setting IPv4 network configuration.  Network settings changed."  There was an improvement. I can ping and https172.21.4.184. I started ASDM but it was still hinky. I got a message like "ASDM did not get a response form the ASA in the last 60 seconds". Also, I now have two additional FirePOWER tabs that I did not have before: "ASA FirePOWER Dashboard" and "ASA FirePOWER Reporting".

Finally, I changed the FirePOWER module network configuration again using the management address of the firewall as the gateway: "configure network ipv4 manual 172.21.4.184 255.255.255.0 172.21.4.185 eth0".  I again got "Setting IPv4 network configuration.  Network settings changed."

I think the last command is correct but I still have the same results. I have seen that it may take some time for things to sync so I will let this sit overnight and check it in the morning.

Hi,

1.) You do not need to change the management interface.

2.) There is no relationship between your Inside interface and the Firepower module. They can be on different networks. The examples in the  docs are just for convenience.

You can put the firepower module on your management network but you need to put the gateway of the management network. E.g your management network is 172.21.4.0/24, the gateway for the management network is 172.21.4.254, the switch is 172.21.4.6 and the management vlan is vlan 4

You would configure the following:

• configure a port on the switch for vlan 4
• connect firewall's management port to the port on the switch in vlan 4. The management port on the AS5508 is the port above the Console port.
• Assign the Firepower module an ip address "configure network ipv4 manual 172.21.4.184 255.255.255.0 172.21.4.254"
• From you PC you should be able to ping the switch 172.21.4.6 and the firepower module 172.21.4.184. If you can ping the firepower module, try ASDM

Thanks

John

This morning I still have the same problem even after reloading the ASA, "ASDM did not get a response from the ASA in the last 60 seconds", I also noticed that the Configuration Tab in ASDM is disabled.

The FirePOWER module is still configured as 172.21.4.184/24 and the gateway address is 172.21.4.185.

GigabitEthernet1/2, the Management port, and the ASDM host are connected to the same switch. All ports on this switch are in the same VLAN (I configured the switch). I can ping GigabitEthernet1/2,Management1/1, and the switch from the PC.

I do not have a gateway. I understand a gateway is a router that connects one network to another. This is an industrial control system (ICS) network with no internet access by design and is isolated as it runs out plant processes.

Hi,

What is the ip address of your PC?

The gateway address of the firepower module cannot be the management interface. The gateway for the firepower module should be an interface on your switch 172.21.4.6. You should then be able to ping the switch, management interface , and firepower module.

You can get into the firepower module from the asa using the following command " session sfr console"

Thanks

John

Let me start by saying nothing has changed since my 2/24 post. I think the problem is with ASDM and/or Microsoft Networking based on what I observed this morning.

Previously I was working from a Windows Server 2016 at 172.21.4.22. I am still getting two errors when logging in from the W2K16  server: "ASDM was unable to load the firewall configuration. Please check connectivity to the device or try again later." and "ASDM did not get a response from the ASA in the last 60 seconds. Please check the configuration and your connection and then try again by clicking refresh."

This morning I logged in to ASDM from a Win 10 thin client at 172.21.4.241 and everything is working! I get no errors logging in and I can interact with all the FirePOWER tabs, including the ASA FirePOWER Configuration tab. 

The W2K16 server has multiple network interfaces, the Win10 thin client has 1. The server has an ISCSI interface (192.168.1.1/255.255.255.248) directly connected to a QNAP NAS at 192.168.1.2 and I think that is confusing ASDM. This is also part of the reason I changed the default address range of the ASA from 192.168.1.0. 

Yes, I can get into the FirePOWER module from the ASA using the command "session sfr console".

Clearly gateway address of the FirePOWER module CAN be the management interface as "configure network ipv4 manual 172.21.4.184 255.255.255.0 172.21.4.185 eth0" still applies.

Thanks,

Vint