cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
726
Views
0
Helpful
5
Replies

Cisco ASA FTD br1 management interface

Hello, 

I have Cisco ASA5508-X Threat Defense (75) Version 7.0.2 (Build 88). 

Image upgraded without any issues in accordance with this instruction via management interface in "rommon" and "firepower-boot>" modes https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200884-installing-and-upgrading-firepower-threa.html

Then tansparent firewall mode is configured and FTD management interface br1 is configured in accordance with the instruction: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html

configure network ipv4 manual 192.168.11.2 255.255.255.0 192.168.11.1

As, I see, management interface on ASA and on neighboring device is UP (and I tried to use 5 different devices to test - 2 switches, 2 PCs, one router):

> show network
===============[ System Information ]===============
Hostname : Aspire
DNS Servers : 8.8.8.8
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.11.1
Netmask : 0.0.0.0


======================[ br1 ]=======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : C0:14:FE:7E:FE:68
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.11.2
Netmask : 255.255.255.0
Gateway : 192.168.11.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

But the network doesn't work, no pings response, no ARPs even no any outgoing packets from Cisco ASA management interface:

> ping system 192.168.11.112
PING 192.168.11.112 (192.168.11.112) 56(84) bytes of data.
^C
--- 192.168.11.112 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 291ms

> show arp
>
>

The same result I'm getting in expert mode:

> expert
^[[8;49;101tTerminal size: 101x49

admin@firepower:~$
admin@firepower:~$
admin@firepower:~$ ifconfig
br0 Link encap:Ethernet HWaddr 00:00:00:04:00:01
inet addr:127.0.4.1 Bcast:127.0.255.255 Mask:255.255.0.0
inet6 addr: fe80::1804:49ff:fe96:e7be/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1552 (1.5 KiB) TX bytes:1476 (1.4 KiB)

br1 Link encap:Ethernet HWaddr c0:14:fe:7e:fe:68
inet addr:192.168.11.2 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:91014 errors:0 dropped:0 overruns:0 frame:0
TX packets:49470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4524132 (4.3 MiB) TX bytes:2078788 (1.9 MiB)

ccl_ha_tap_nlp Link encap:Ethernet HWaddr 8a:c5:5a:c8:68:4c
inet6 addr: fe80::88c5:5aff:fec8:684c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1300 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1916 (1.8 KiB)

ctl_ha_tap_nlp Link encap:Ethernet HWaddr a2:b1:cc:37:38:31
inet6 addr: fe80::a0b1:ccff:fe37:3831/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1300 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1916 (1.8 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:61252 errors:0 dropped:0 overruns:0 frame:0
TX packets:61252 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5772857 (5.5 MiB) TX bytes:5772857 (5.5 MiB)

tap0 Link encap:Ethernet HWaddr 5a:7a:1e:25:5d:25
inet addr:127.0.2.2 Bcast:127.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::587a:1eff:fe25:5d25/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1916 (1.8 KiB)

tap1 Link encap:Ethernet HWaddr ce:41:12:34:46:e4
inet6 addr: fe80::cc41:12ff:fe34:46e4/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:731 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42806 (41.8 KiB) TX bytes:3216 (3.1 KiB)

tap2 Link encap:Ethernet HWaddr 8e:5f:4e:ab:6e:49
inet6 addr: fe80::8c5f:4eff:feab:6e49/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:91014 errors:0 dropped:0 overruns:0 frame:0
TX packets:49496 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5798328 (5.5 MiB) TX bytes:2080704 (1.9 MiB)

tap3 Link encap:Ethernet HWaddr 1a:04:49:96:e7:be
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap4 Link encap:Ethernet HWaddr c0:14:fe:7e:fe:68
UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap5 Link encap:Ethernet HWaddr 7e:18:34:32:ed:b2
inet6 addr: fe80::7c18:34ff:fe32:edb2/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:97464 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap_nlp Link encap:Ethernet HWaddr 0e:a3:94:a7:2f:4d
inet6 addr: fd00:0:0:1::2/64 Scope:Global
inet6 addr: fe80::ca3:94ff:fea7:2f4d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:370 (370.0 B) TX bytes:2172 (2.1 KiB)

tap_nlp:1 Link encap:Ethernet HWaddr 0e:a3:94:a7:2f:4d
inet addr:169.254.1.2 Bcast:169.254.1.7 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.254.0.1 P-t-P:169.254.0.1 Mask:255.255.0.0
inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
inet6 addr: fe80::1bc9:c365:1662:4b63/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:960 (960.0 B)

admin@firepower:~$
admin@firepower:~$
admin@firepower:~$
admin@firepower:~$ ping 192.168.11.112
PING 192.168.11.112 (192.168.11.112) 56(84) bytes of data.
^C
--- 192.168.11.112 ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 599ms

admin@firepower:~$ arp -a
? (192.168.11.112) at e0:70:ea:55:44:16 [ether] on br1
? (192.168.11.1) at <incomplete> on br1
admin@firepower:~$

From what I see in neighboring devices statistics and on packet capture there is literally zero outgoing packets from Cisco ASA management interface.

Please kindly help with this, as I have no ideas what else to do this fix that.  

1 Accepted Solution

Accepted Solutions

Hello, this is fixed now. The problem was that in rommon register setting was wrong, now this is changed to 0x1 and the system works well. 

View solution in original post

5 Replies 5

Do you see the MAC address "C0:14:FE:7E:FE:68" of the FTD on the switch port where it is connected?

No, I don't see any MAC from ASA side is switch MAC table. Moreover there
are no packets from ASA side, but an interface is UP.

This is tested with several different devices...

Not really sure then. If you try to disconnect the network cable connected to the management port, does it show the link down?

Yes, when I disconnect the cable, this br1 interface goes down.

Hello, this is fixed now. The problem was that in rommon register setting was wrong, now this is changed to 0x1 and the system works well. 

Review Cisco Networking for a $25 gift card