Can't Access FCM after re-imaging and initial setup

So I have a FPR-4110 that sat on the shelf for about 2 years. It needs to go in production, so I go to configure it and input all the correct info as far as IP address for management, netmask, DNS, domain, etc. I go to access the FCM via HTTPS and it comes up and just freezes. So after opening a TAC case and verifying I was doing everything correctly, it was recommended that I re-image the Firepower. So going that route, I complete the re-image, upgrading the FX-OS firmware with the latest and greatest. I go through the initial config all over again and now still no access to FCM, even though I can ping the mgmt interface and set up SSH, which I can access, but for whatever reason HTTPS access is a no go. I go to my browser and input the IP for the FCM and nothing. Any thoughts? The TAC case is still open, but thought I'd get some extra input as well.

Accepted Solutions

Sorry I gave the link to the GUI for setting the ACL. It is also configurable via cli. Please see the following:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/2111/cli-guide/b_CLI_ConfigGuide_FXOS_2111/platform_settings.html#id_30486

Configure the IP Access List

By default, the Firepower 4100/9300 chassis denies all access to the local web server. You must configure your IP Access List with a list of allowed services for each of your IP blocks.

The IP Access List supports the following protocols:

  • HTTPS

  • SNMP

  • SSH

For each block of IP addresses (v4 or v6), up to 100 different subnets can be configured for each service. A subnet of 0 and a prefix of 0 allows unrestricted access to a service.

Procedure


Step 1

From the FXOS CLI, enter the services mode:

scope system

scope services

Step 2

Create an IP block for the services you want to enable access for:

For IPv4:

create ip-block ip prefix [0-32] [http | snmp | ssh]

 

Be sure to "commit-buffer" after configuring it.
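
Added example, not part of the original reply or of Cisco's documentation: a small Python model of the default-deny IP Access List described above, useful for checking whether a given management workstation would be permitted for a service and for flagging prefix-0 entries that open a service to everyone. The function names, the tuple input format and the sample entries are assumptions made for illustration (this is not FXOS output), as is counting the 100-subnet limit per service and address family.

```python
import ipaddress
from collections import Counter

MAX_SUBNETS_PER_SERVICE = 100  # limit quoted in the answer above

def parse_blocks(entries):
    """Turn (address, prefix_len, service) tuples into (network, service) pairs."""
    blocks = []
    for addr, prefix, service in entries:
        # strict=False lets a host address plus prefix stand for its subnet
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        blocks.append((net, service.lower()))
    return blocks

def is_allowed(blocks, client_ip, service):
    """Default deny: a client reaches a service only if some block covers it."""
    ip = ipaddress.ip_address(client_ip)
    return any(svc == service and ip.version == net.version and ip in net
               for net, svc in blocks)

def audit(blocks):
    """Report unrestricted (prefix 0) blocks and services over the subnet limit."""
    findings = []
    for net, svc in blocks:
        if net.prefixlen == 0:
            findings.append(f"{svc}: {net} allows unrestricted access")
    # Assumption: the limit is counted per service and per address family
    counts = Counter((svc, net.version) for net, svc in blocks)
    for (svc, ver), n in counts.items():
        if n > MAX_SUBNETS_PER_SERVICE:
            findings.append(
                f"{svc}: {n} IPv{ver} subnets exceeds {MAX_SUBNETS_PER_SERVICE}")
    return findings

# Constructed sample entries, not real device output
SAMPLE = [
    ("0.0.0.0", 0, "ssh"),
    ("10.20.30.0", 24, "https"),
    ("10.20.40.0", 24, "snmp"),
]

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for host in ("10.20.30.15", "192.0.2.50"):
        verdict = "allowed" if is_allowed(blocks, host, "https") else "denied"
        print(host, "https ->", verdict)
    for finding in audit(blocks):
        print("FINDING:", finding)
```

With the sample entries, a workstation outside 10.20.30.0/24 can ping the chassis and reach SSH but is denied HTTPS, which is the pattern to rule out when the management IP answers but the Firepower Chassis Manager does not load.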


8 Replies

@DerekLazarus78183 have you tried a different web browser? Is the traffic going through a proxy server? If so, perhaps disable it and see if that was causing the issue.

I have given every browser a try, IE, Chrome, Firefox, Edge, and nothing. I am going through a firewall, but I know that is not the problem due to being able to access it before. There isn't a proxy server involved either, so I'm stumped as to what the issue can be.

Thanks, I went ahead and skimmed through the document. The access-list is only accessible through the GUI, which is what I can't get to. So I went to check if HTTPS is enabled in the FXOS, even though I was sure I did it in initial configuration, and it is enabled for port 443, so I am still stumped as to what the issue is.


So I gave that a try, still a no go.

That's odd. Can you share the output of:

firepower /system/services # show ip-block

 

No need, good sir. Just had to give things time to gel, I guess. I now have access to the Firepower Chassis Manager. Many thanks!
