05-11-2020 02:23 AM
Hi All,
I have FMC managing an FTD HA pair that is not connected on any data interface until migration; they are obviously up on their respective management interfaces, and they are living on 4110 chassis. I am in the final few weeks until migration and have noticed that FQDNs are not resolving to IPs.
I have been looking at this for reference - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214698-understand-fqdn-feature-on-firepower-thr.html
This is what we have set up:
DNS server group under Objects;
DNS set up for the FTDs in the Platform Settings policy, which is applied to the HA pair;
but I cannot resolve from the FTD.
Any ideas?
05-11-2020 03:07 AM
Another interesting thing to note: I can't seem to ping one of the DNS servers via the management interface from LINA. Is this normal?
But if I drop back to FTD... then I can perform a lookup.
05-11-2020 04:05 AM
05-11-2020 05:11 AM
Hey RJI,
We are running 6.6.0
Thanks for the confirmation. That's disappointing that you can't configure it to use the management interface, but I suppose the management interface could be overwhelmed in extreme circumstances...
05-11-2020 05:59 AM - edited 05-11-2020 06:07 AM
The management interface can do DNS lookups for management purposes only if there is a name server configured and a route to it (either set during the initial bootstrap or later as a "management-only" route).
Note that DNS configuration for management will never be used for traffic via the data interfaces.
> show version
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model                     : Cisco Firepower Threat Defense for VMWare (75) Version 6.6.0 (Build 90)
UUID                      : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version      : 2020-05-06-001-vrt
VDB version               : 333
----------------------------------------------------
>
> show interface | include line
Interface GigabitEthernet0/0 "Inside-Lab", is administratively down, line protocol is up
Interface GigabitEthernet0/1 "Outside-Home", is administratively down, line protocol is up
Interface GigabitEthernet0/2 "", is administratively down, line protocol is up
Interface Management0/0 "diagnostic", is up, line protocol is up
>
> nslookup www.cisco.com
Server:         172.31.1.8
Address:        172.31.1.8#53
Non-authoritative answer:
www.cisco.com   canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net        canonical name = wwwds.cisco.com.edgekey.net.
wwwds.cisco.com.edgekey.net     canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.net.
wwwds.cisco.com.edgekey.net.globalredir.akadns.net      canonical name = e2867.dsca.akamaiedge.net.
Name:   e2867.dsca.akamaiedge.net
Address: 23.14.199.30
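The reply above makes the distinction that decides this thread: an nslookup from the FTD CLI uses the management name server, while FQDN objects in access rules are resolved through the data-plane DNS server group and therefore need a data interface that is up and has a route to the server. The script below is an added example, not Cisco's code and not part of the thread; it takes the "show interface | include line" output quoted above plus a constructed (hypothetical) data-plane routing table, finds which interface the DNS server would egress from, and reports why FQDN resolution cannot work while that interface is administratively down. The route table, the 192.0.2.x/198.51.100.x addresses and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Copy of the "show interface | include line" output quoted in the reply above.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "Inside-Lab", is administratively down, line protocol is up
Interface GigabitEthernet0/1 "Outside-Home", is administratively down, line protocol is up
Interface GigabitEthernet0/2 "", is administratively down, line protocol is up
Interface Management0/0 "diagnostic", is up, line protocol is up
"""

# Constructed data-plane routing table (hypothetical; the thread does not show one).
# Format follows the style of "show route": code, network, mask, next hop, nameif.
SHOW_ROUTE = """\
S        0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, Outside-Home
C        192.0.2.0 255.255.255.0 is directly connected, Outside-Home
C        198.51.100.0 255.255.255.0 is directly connected, Inside-Lab
"""

# The DNS server the management nslookup above actually used.
DNS_SERVER = "172.31.1.8"

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\w+)$')


def parse_interfaces(text):
    """Return {nameif: (hardware_name, admin_state, line_protocol)}.

    Interfaces with an empty nameif (not yet configured) are skipped, because
    the data plane cannot route out of them anyway.
    """
    result = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m and m.group(2):
            hw, nameif, admin, proto = m.groups()
            result[nameif] = (hw, admin, proto)
    return result


def parse_routes(text):
    """Return a list of (IPv4Network, egress nameif) from show-route style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        net, mask = parts[1], parts[2]
        nameif = line.rsplit(", ", 1)[-1].strip()
        routes.append((ipaddress.IPv4Network(f"{net}/{mask}"), nameif))
    return routes


def egress_interface(dns_server, routes):
    """Longest-prefix match of the DNS server against the data-plane routes."""
    ip = ipaddress.IPv4Address(dns_server)
    best = None
    for net, nameif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nameif)
    return best[1] if best else None


def diagnose_fqdn_dns(dns_server, show_interface, show_route):
    """Classify why data-plane (FQDN object) resolution would or would not work.

    Returns (verdict, egress_nameif). Verdicts:
      NO_ROUTE         no data-plane route covers the DNS server
      UNKNOWN_IFACE    the route points at an interface with no nameif
      DATA_IFACE_DOWN  the egress interface is not up/up (this thread's case)
      OK               a data path to the server exists
    """
    ifaces = parse_interfaces(show_interface)
    egress = egress_interface(dns_server, parse_routes(show_route))
    if egress is None:
        return ("NO_ROUTE", None)
    if egress not in ifaces:
        return ("UNKNOWN_IFACE", egress)
    _hw, admin, proto = ifaces[egress]
    if admin != "up" or proto != "up":
        return ("DATA_IFACE_DOWN", egress)
    return ("OK", egress)


if __name__ == "__main__":
    print(diagnose_fqdn_dns(DNS_SERVER, SHOW_INTERFACE, SHOW_ROUTE))
```

Run against the quoted interface list, the verdict is DATA_IFACE_DOWN on Outside-Home: the DNS server group and platform settings can be correct and the management nslookup can succeed, yet FQDN objects stay unresolved until a data interface carrying the route to the server comes up. Once Outside-Home is up/up the same input yields OK.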
05-11-2020 02:10 PM