cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
742
Views
0
Helpful
3
Replies

Cisco FTDv in Azure and issue with Probes (SSH TCP Port 22)

IamSamSaul
Beginner
Beginner

Hello Team!

 

I got a Cisco FTD cluster (managed by Cisco FMC) deployed in Azure. I have configured loadbalancer so that the traffic is evenly balanced between the two FTDv devices because there is no concept of HA in Azure. The loadbalance are probing (Health Probes) the FTDv on TCP port 22 (SSH) to check the availability of both FTDv's. If the loadbalancer doesn't get a response from FTDv on probes (TCP port 22 SSH) the device is marked as unavailable and no traffic is send to the device. 

 

I have created ACP rules for the probes from Azure IP address 168.63.129.16 and I can see the events. Somehow the Azure can't probe the FTDv's and they are marked as "dead" and no traffic are routed through the firewalls. When this is happening I logged into firewall and it seems everything is working fine and I can't see any blocked events or Azure IP address 168.63.129.16. 

 

Has someone got a similar issue and I hope to receive suggestions on how to troubleshoot this issue. 

 

Thanks & Regards,

Sam

3 Replies 3

UdupiKrishna
Cisco Employee
Cisco Employee

Provided the routing of this traffic is configured properly, these health probes are "to" the firewall itself and ACP rules are generally meant for traffic which is "through" the firewall, you need to permit SSH via the platform settings attached to this FTD pair.

 

Navigate to the platform settings, under secure shell select the correct interfaces and permit any-ipv4 address for testing and deploy the policy. Verify the outcome, it would be a good idea to run packet captures if needed.

 

Thanks for your reply. I have already configured ssh with any under the
Platform settings. Under the ACP I can see hits from probes on port 22 ssh.

Regards,
Sam


Alright thats a good first step. Run a capture to see if its landing on the correct interface and there are responses going back to complete a proper 3-way handshake. If it isnt, there's obviously some sort of connectivity failure.

 

This should be a good reference article to confirm everything is in place - https://jackstromberg.com/2019/06/deploying-cisco-virtual-appliances-ngfwv-on-azure/

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: