04-07-2022 08:17 AM - edited 04-07-2022 08:47 AM
So I have an FPR-4110 that sat on the shelf for about 2 years. It needs to go in production, so I go to configure it and input all the correct info as far as IP address for management, netmask, DNS, domain, etc. I go to access the FCM via HTTPS and it comes up and just freezes. So after opening a TAC case and verifying I was doing everything correctly, it was recommended that I re-image the Firepower. So going that route, I complete the re-image, upgrading the FX-OS firmware with the latest and greatest. I go through the initial config all over again and now still no access to FCM, even though I can ping the mgmt interface and set up SSH, which I can access, but for whatever reason HTTPS access is a no go. I go to my browser and input the IP for the FCM and nothing. Any thoughts? The TAC case is still open but thought I'd get some extra input as well.
04-07-2022 08:51 AM
@DerekLazarus78183 have you tried a different web browser? Is the traffic going through a proxy server? If so, perhaps disable it and see if that was causing the issue.
04-07-2022 09:06 AM
I have given every browser a try: IE, Chrome, Firefox, Edge, and nothing. I am going through a firewall, but I know that is not the problem due to being able to access it before. There isn't a proxy server involved either, so I'm stumped as to what the issue can be.
04-07-2022 09:15 AM
There is an https access-list in the FXOS configuration that can cause this.
04-07-2022 09:40 AM
Thanks, I went ahead and skimmed through the document. The access-list is only accessible through the GUI, which is what I can't get to. So I went to check if HTTPS is enabled in the FXOS, even though I was sure I did it in initial configuration, and it is enabled for port 443, so I am still stumped as to what the issue is.
04-07-2022 09:52 AM
Sorry, I gave the link to the GUI for setting the ACL. It is also configurable via CLI. Please see the following:
By default, the Firepower 4100/9300 chassis denies all access to the local web server. You must configure your IP Access List with a list of allowed services for each of your IP blocks.
The IP Access List supports the following protocols:
HTTPS
SNMP
SSH
For each block of IP addresses (v4 or v6), up to 100 different subnets can be configured for each service. A subnet of 0 and a prefix of 0 allows unrestricted access to a service.
Step 1: From the FXOS CLI, enter the services mode:
    scope system
    scope services
Step 2: Create an IP block for the services you want to enable access for:
    create ip-block ip prefix [0-32] [http | snmp | ssh]
Be sure to "commit-buffer" after configuring it.
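The access-list behaviour quoted in the reply above (default deny, per-service subnets, 0/0 meaning unrestricted) can be modelled offline to see why SSH may work while HTTPS does not. This is an added example, not part of the original post or Cisco's code; the entry tuples, the lowercase service names and the `audit` function are assumptions made for illustration.

```python
import ipaddress

MAX_SUBNETS_PER_SERVICE = 100          # limit quoted in the reply above
SERVICES = ("https", "snmp", "ssh")    # protocols the IP Access List supports

# Constructed sample entries (address, prefix length, service).
# These are illustrative and do not reproduce real "show ip-block" output.
SAMPLE_BLOCKS = [
    ("192.0.2.0", 24, "ssh"),   # management subnet may use SSH
    ("0.0.0.0", 0, "snmp"),     # 0/0: unrestricted access to SNMP
]

def audit(blocks, client_ip):
    """Report, per service, whether client_ip is admitted by the blocks.

    Returns {service: {"allowed": bool, "unrestricted": bool, "count": int}}.
    A service with no matching block is denied (default deny).
    """
    client = ipaddress.ip_address(client_ip)
    report = {s: {"allowed": False, "unrestricted": False, "count": 0}
              for s in SERVICES}
    for addr, prefix, service in blocks:
        if service not in report:
            raise ValueError(f"unsupported service: {service}")
        entry = report[service]
        entry["count"] += 1
        if entry["count"] > MAX_SUBNETS_PER_SERVICE:
            raise ValueError(f"more than {MAX_SUBNETS_PER_SERVICE} subnets for {service}")
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if prefix == 0:
            entry["unrestricted"] = True   # worth flagging in a review
        # IPv4 blocks never match IPv6 clients and vice versa.
        if net.version == client.version and client in net:
            entry["allowed"] = True
    return report

if __name__ == "__main__":
    for service, result in audit(SAMPLE_BLOCKS, "192.0.2.10").items():
        print(service, result)
```

With the constructed entries, a workstation at 192.0.2.10 is admitted for SSH and SNMP but not HTTPS, which matches the symptom in this thread; adding an HTTPS block for the management subnet, rather than 0/0, is the narrower fix.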
04-07-2022 10:44 AM
So I gave that a try, still a no go.
04-07-2022 11:00 AM
That's odd. Can you share the output of:
firepower /system/services # show ip-block
04-07-2022 12:31 PM
No need, good sir. Just had to give things time to gel, I guess. I now have access to the Firepower Chassis Manager. Many thanks!