Re: Cisco CSSM IP address for FTD

yuanqiao58820 · ‎08-08-2022

Hi friends

I have deployed several FTDs in the network, but there is a problem with registering these FTDs through the internal network. Routing information and firewall ACL need to be configured. What is the IP address of the relevant CSSM registration?

Thanks a lot in advance

Yuan

balaji.bandi · ‎08-08-2022

What is the IP address of the relevant CSSM registration?

if this is on-prem CSSM you can find the IP with your Infra team, since this is VM.

example config as below

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-10/configuration_guide/syst_mgmt/b_1610_sys_mgmt_9500_cg/cisco_smart_licensing_client.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

yuanqiao58820 · ‎08-08-2022

yuanqiao58820 · ‎08-08-2022

Hi Balaji

We are trying to connect onto Cisco.com directly for registration.

Does this domain(tools.cisco.com, correct me if I'm wrong) for registration have a set of IP addresses by different regions?

Based on the documents from this link, example configured as below: ip host tools.cisco.com ip-address

Example:

Device(config)# ip host tools.cisco.com 209.165.201.30

Marvin Rhoads · ‎08-08-2022

If possible, allow access to the FQDN tools.cisco.com. It normally resolves worldwide to:

Name: tools.cisco.com
Addresses: 2001:420:1201:5::a
72.163.4.38

...but that is subject to change.

yuanqiao58820 · ‎08-08-2022

Thanks a lot. I will keep it in mind regarding changes.

yuanqiao58820 · ‎08-11-2022

Hi Marvin

Whitelisted the IP and got the following results:

> ping 173.37.145.8
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/118/120 ms

The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.

But registration is still failed. any more suggestions?

Thanks

balaji.bandi · ‎08-11-2022

Do you have any Firewall in the path, it requied 443 also to be open, (not just ping).

Follow below troubleshooting guide:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/214484-cisco-smart-licensing-troubleshooting.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

yuanqiao58820 · ‎08-11-2022

It might casued by the default syncro gateway of management, which has been set via data interface but not working, cannt receive any register packet from FW in the path.

balaji.bandi · ‎08-11-2022

try using that source interface to connect to tools.cisco.com

if that is not showing FW, that means may be need to look what path it taking to go out, setup that as source interface for the devices to connect to License Servers.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

yuanqiao58820 · ‎08-16-2022

Thank you very much for help.

It works now, but it is strange that only the primary FTDs of the HA pairs are synchronized with CSSM, based on the instance displayed in smart accounts.

yuanqiao58820 · ‎11-07-2022

Is it https based traffic? tcp 443? We need to minimize external threats from the internet.

We can register FTD to CSSM as an instance, but VBD update is interrupted. Any information regarding FQDN or IP address need to be whitelisted?

thanks

Marvin Rhoads · ‎11-07-2022

@yuanqiao58820

The required URL is tools.cisco.com (via https)

Please see this article for many more details:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html#anc4