Solved: Firepower 1010 - Unable to download Geo/Intrusion/VDB updates

Squared · ‎03-08-2021

I have a strange issue on a fresh installed Firepower 1010 box.

The firewall has a normal internet connection configured, and is registered with it's smartnet contract.

It is able to get the hourly Security intelligence feeds, but fails the geo, intrusion and vdb updates.

I can install them manually by downloading from cisco and uploading to the device, but i prefer the daily automatic updates offcourse.

The error in FMC says: Connectivity problems. Unable to download the rule update. Please try again later.

Any clue on this?

I was thinking MTU issues because i use a PPPoE connection, but after lowering MTU on the outside interface to 1448, i still have the issue. (I cannot find a setting for MSS-clamping)

Squared · ‎03-08-2021

I did some digging into TCP MSS, and created a flexconfig policy with MTU 1448: (1448 by my ISP advice)

sysopt connection tcpmss 1448

With that setting applied, i can connect to the SSL port, and i can retrieve the updates.

View solution in original post

balaji.bandi · ‎03-08-2021

before we look MTU Settings, make sure device has reachability to cisco sites :

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118791-technote-firesight-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Squared · ‎03-08-2021

Thanks for your fast reply!

It seems like there is something with the connection; the hostname does resolve, but the SSL connection doesn't work as expected, there is no certifcate coming up:

admin@FP-1010:~$ dig support.sourcefire.com

; <<>> DiG 9.10.2-P4 <<>> support.sourcefire.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36052
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;support.sourcefire.com. IN A

;; ANSWER SECTION:
support.sourcefire.com. 3600 IN A 50.16.210.129
support.sourcefire.com. 3600 IN A 50.19.123.95
support.sourcefire.com. 3600 IN A 54.221.210.248

;; Query time: 84 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Mar 08 09:42:06 UTC 2021
;; MSG SIZE rcvd: 99

admin@FP-1010:~$ sudo openssl s_client -connect support.sourcefire.com:443
CONNECTED(00000003)

balaji.bandi · ‎03-08-2021

have you registered the device with a smart license? is this a first-time setup or a working one broken?

if this is the first time, the device needs to register to the smart License to get updates.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Squared · ‎03-08-2021

The unit has been freshly installed (6.6.1) and registered with a smartcontract.

According to the firewall, all connections are fine:

The weird thing is that the hourly Security Intelligence Feeds are being downloaded.

Squared · ‎03-08-2021

I did some digging into TCP MSS, and created a flexconfig policy with MTU 1448: (1448 by my ISP advice)

sysopt connection tcpmss 1448

With that setting applied, i can connect to the SSL port, and i can retrieve the updates.