
Can't change Management Interface FPR 2130

korkomando
Level 1

We have a couple of FPR-2130s and FPR-2110s. We would like to change our default/dedicated management port to be one of our inside/data ports for simplicity's sake (Management1/1 -> Gig1/2). According to Cisco, you can do this via the CLI or the FMC GUI, but through both methods the option is missing.

Here's the documentation I'm following. Note: This is the FMC 6.7 guide but the same directions for changing MGMT to Data interface is present in the 7.3 guide, albeit the GUI directions are missing (or I can't find them).

Via CLI: Log in and use the command "configure network management-data-interface". This command is completely missing from our CLI.

Via GUI: Navigate to Device Management > click the link for FMC Access Interface. This "FMC Access Interface" link is missing from our GUI.

We are running the most recent versions, I believe it is 7.3 on FMC and 7.0.4 for our FPRs (I will have to verify this, we downloaded whatever Cisco gave us via FMC update manager). We have disabled local management when connecting to our FPRs to FMC. 

If anyone can give me insight, if I'm missing some sort of software version or license, it would be greatly appreciated.

Thanks,

Accepted Solution

You can make this change as long as your Firepower release is 6.7 or higher. Can you verify your version of FMC and FTD, preferably with a screenshot to confirm?

You need to make changes in the Interface, Manager Access tab as well as in the Device (Management widget), both in FMC.


8 Replies

Could it be that you run your FTDs in HA? In this scenario it's not possible to use the data interface.

balaji.bandi
Hall of Fame

I am running 7.0.4 FMC and FTD. I can see we can set up Management Only as below (right now I am using the outside interface; this is an example screenshot). Or am I missing something here?


BB

***** Rate All Helpful Responses *****


korkomando
Level 1

@Karsten Iwen No, we have plans on using HA in the future but at the moment it is not configured on any devices. 

@balaji.bandi On our end, the "Management Only" checkbox is greyed out on our 2110s and 2130s. Additionally, we don't see the "FMC Access" tab. 

My setup is virtual. Since you are using physical tin, check the Firepower chassis (FXOS) guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/intro.html

BB


To clarify, we have FMC running on a virtual machine and our Firewalls are physical. If I understand this documentation correctly, I can choose to run the Firewalls with an ASA operating system or run them with our current Threat Defense operating system. Considering that we spent a lot of money on FMC and Threat Defense licenses, I would like to find a solution where I can continue to use Threat Defense. Please correct me if I'm wrong. 

You can make this change as long as your Firepower release is 6.7 or higher. Can you verify your version of FMC and FTD, preferably with a screenshot to confirm?

You need to make changes in the Interface, Manager Access tab as well as in the Device (Management widget), both in FMC.

Sorry for the late response; this was our solution. I was under the incorrect assumption that FMC would update the FPRs to the most recent version release. However, from what I read in your replies on other threads, it doesn't update past a major version release (we were stuck on 6.5) and it would need to be manually staged.

To add to my confusion, I couldn't track down any cisco documentation stating that you needed 6.7 or above to make this change, I could only find documentation stating how to perform the configuration change on the 6.7 version documentation.

Thanks for the expedient responses. The issue is fixed and I learned a valuable lesson in making assumptions. 

Marvin,

Not sure if this should be a new post but I'll write it here:

I'm facing a new issue where only one of the 2130s is using its newly assigned data interface for management traffic. After switching everything over I kept the management port connection plugged in, as it was a hassle to physically reach them. Later on, when I was configuring a site-to-site VPN, I encountered a problem where traffic couldn't get across despite packet tracer and the 2130's CLI output both stating that the tunnel was up/active.

This led me to finally unplug the management port connection during troubleshooting, and I noticed that 3 out of the 4 (two separate tunnels, not HA) become unreachable when the management port is unplugged, despite seeing the link lights active.

After combing through the troubleshooting files I noticed a difference between the one working and the 3 that don't:

Working 2130 output:

Output of /usr/local/sf/bin/sfcli.pl show network:

===============[ System Information ]===============
Hostname                  : SiteA-FTD1
DNS Servers               : 192.168.1.100
                            192.169.1.100
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.200.1
  Netmask                 : 0.0.0.0


==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               :  x:A5:00
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.200.3
Netmask                   : 255.255.255.0
Gateway                   : 192.168.200.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers               : 
Interfaces                : Ethernet1/2

==================[ Ethernet1/2 ]===================
State                     : Enabled
Link                      : Up
Name                      : Internal1
MTU                       : 1500
MAC Address               : x:A5:25
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.200.5
Netmask                   : 255.255.255.0
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

Non working 2130s:

Output of /usr/local/sf/bin/sfcli.pl show network:

===============[ System Information ]===============
Hostname                  : SiteA-FTD2
DNS Servers               : 192.168.1.100
                            192.169.1.100
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.200.1
  Netmask                 : 0.0.0.0


==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : x:17:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.200.4
Netmask                   : 255.255.255.0
Gateway                   : 192.168.200.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers               : 
Interfaces                : Ethernet1/2

==================[ Ethernet1/2 ]===================
State                     : Enabled
Link                      : Up
Name                      : Internal1
MTU                       : 1500
MAC Address               : x:17:A5
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.200.4
Netmask                   : 255.255.255.0
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

Output of /usr/local/sf/bin/sfcli.pl show network:

===============[ System Information ]===============
Hostname                  : SiteB-FTD1
DNS Servers               : 192.168.1.100
                            192.169.1.100
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.169.200.1
  Netmask                 : 0.0.0.0


==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : x:41:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.169.200.5
Netmask                   : 255.255.255.0
Gateway                   : 192.169.200.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers               : 
Interfaces                : Ethernet1/2

==================[ Ethernet1/2 ]===================
State                     : Enabled
Link                      : Up
Name                      : Internal1
MTU                       : 1500
MAC Address               : x:41:A5
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.169.200.5
Netmask                   : 255.255.255.0
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

Output of /usr/local/sf/bin/sfcli.pl show network:

===============[ System Information ]===============
Hostname                  : SiteB-FTD2
DNS Servers               : 192.168.1.100
                            192.169.1.100
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.169.1.1
  Netmask                 : 0.0.0.0


==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : x:FD:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.169.200.4
Netmask                   : 255.255.255.0
Gateway                   : 192.169.200.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers               : 
Interfaces                : Ethernet1/2

==================[ Ethernet1/2 ]===================
State                     : Enabled
Link                      : Up
Name                      : Internal1
MTU                       : 1500
MAC Address               : x:FD:A5
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.169.200.4
Netmask                   : 255.255.255.0
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

The working one initially had the .3 address before we switched it over to a data interface for management (after which we gave it the .5). For the other 3 we kept the same address after switching from management to data.

Tomorrow I am going to attempt changing the address again to see if it will help it switch over. My questions are: 1) is that the correct thing to do, and 2) should I go out of my way to disable the management port? How would one do that? I assume disabling diagnostic0 from FMC isn't the same as disabling the management port.
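The one difference the poster spotted across the four `sfcli.pl show network` captures above (the working unit has distinct IPv4 addresses on management0 and Ethernet1/2, the other three carry the same address on both) can be checked mechanically rather than by eye. The following is an added example, not part of this thread and not Cisco tooling: a small Python parser for the `show network` text that reports any interface listed under "Data Interfaces" that reuses management0's IPv4 address. Whether that overlap is actually the cause is the poster's open question; the script only surfaces the difference. The sample captures are constructed, trimmed copies of the posted ones (same hostnames and addresses), and all function names are my own.

```python
"""Flag FTD units whose data management interface reuses management0's IPv4 address.

Added example: parses the text of '/usr/local/sf/bin/sfcli.pl show network' and
reports any interface under 'Data Interfaces' that carries the same IPv4 address
as management0. Function names and the trimmed sample captures are constructed
for this example; they are not Cisco tooling.
"""
import re

SECTION_RE = re.compile(r"^=+\[\s*(.+?)\s*\]=+$")       # e.g. ===[ management0 ]===
FAMILY_RE = re.compile(r"^-+\[\s*(IPv4|IPv6)\s*\]-+$")  # e.g. ---[ IPv4 ]---
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(.*)$")  # 'Key   : value'


def parse_show_network(text):
    """Return hostname, the data-interface list, and the IPv4 address of each interface section."""
    info = {"hostname": None, "data_interfaces": [], "ipv4": {}}
    section = family = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section, family = m.group(1), None
            continue
        m = FAMILY_RE.match(line)
        if m:
            family = m.group(1)
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # blank lines, 'IPv4 Default route', DNS continuation lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if section == "System Information" and key == "Hostname":
            info["hostname"] = value
        elif section == "System Information - Data Interfaces" and key == "Interfaces":
            info["data_interfaces"] = [v for v in re.split(r"[,\s]+", value) if v]
        elif key == "Address" and family == "IPv4" and section:
            info["ipv4"][section] = value  # 'MAC Address' is a different key, so it is skipped
    return info


def find_shared_addresses(info):
    """List (interface, address) pairs where a data interface matches management0's IPv4."""
    mgmt = info["ipv4"].get("management0")
    return [(ifname, info["ipv4"][ifname]) for ifname in info["data_interfaces"]
            if mgmt and info["ipv4"].get(ifname) == mgmt]


def audit(outputs):
    """Map hostname -> shared-address list for several 'show network' captures."""
    results = {}
    for text in outputs:
        info = parse_show_network(text)
        results[info["hostname"]] = find_shared_addresses(info)
    return results


def _sample(host, mgmt_ip, data_ip, gw):
    # Constructed sample: same layout as the posted output, trimmed to the fields used above.
    return f"""===============[ System Information ]===============
Hostname                  : {host}
DNS Servers               : 192.168.1.100
                            192.169.1.100
Management port           : 8305
IPv4 Default route
  Gateway                 : {gw}
  Netmask                 : 0.0.0.0

==================[ management0 ]===================
State                     : Enabled
MAC Address               : x:A5:00
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : {mgmt_ip}
Netmask                   : 255.255.255.0
Gateway                   : {gw}
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

======[ System Information - Data Interfaces ]======
DNS Servers               : 
Interfaces                : Ethernet1/2

==================[ Ethernet1/2 ]===================
Name                      : Internal1
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : {data_ip}
Netmask                   : 255.255.255.0
"""


SAMPLE_OUTPUTS = [
    _sample("SiteA-FTD1", "192.168.200.3", "192.168.200.5", "192.168.200.1"),  # the working unit
    _sample("SiteA-FTD2", "192.168.200.4", "192.168.200.4", "192.168.200.1"),
    _sample("SiteB-FTD1", "192.169.200.5", "192.169.200.5", "192.169.200.1"),
    _sample("SiteB-FTD2", "192.169.200.4", "192.169.200.4", "192.169.200.1"),
]

if __name__ == "__main__":
    for host, shared in audit(SAMPLE_OUTPUTS).items():
        status = "OK" if not shared else "SHARED " + ", ".join(f"{i}={a}" for i, a in shared)
        print(f"{host}: {status}")
```

To run it against real devices, replace `SAMPLE_OUTPUTS` with the `show network` text copied out of each unit's troubleshooting file; the parser keys on the bracketed section headers, so extra fields in the output are ignored.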
