Firepower 1120: sftunnel-status connection never happened after reboot

MaErre21325
Level 1

Hello everybody,

 

After an electrical maintenance, our FTD is no longer registered to FMC. I thought it was due to this bug: CSCvs98328, but as you can see, even forcing the correct NTP it is still reporting: "Connection to peer '10.1.1.1' never happened".

The managers have been correctly added with the "configure manager add" command:

 

Cisco Firepower 1120 Threat Defense v6.6.4 (build 64)

> show managers
Type                      : Manager
Host                      : 10.1.1.1
Registration              : Completed

Type                      : Manager
Host                      : 10.1.1.2
Registration              : Completed


Trying to force NTP as per CSCvs98328:

root@-FW:/home/admin# ntpdate -u internalt.ntp.org
5 Oct 09:39:09 ntpdate[15009]: step time server xx.xxx.xxx.xxx offset -36.7659 sec
root@-FW:/home/admin# date
Tue Oct  5 09:39:19 UTC 2021
root@-FW:/home/admin# pmtool restartbyid sftunnel
root@-FW:/home/admin# exit
exit
> sftunnel-status
SFTUNNEL Start Time: Tue Oct  5 09:40:02 2021

        Both IPv4 and IPv6 connectivity is supported
        Broadcast count = 0
        Reserved SSL connections: 0
        Management Interfaces: 1
        management0 (control events) 10.1.1.5

**RUN STATUS****10.1.1.1*************
        Connected: No
        SSL Verification status: ok
        Registration: Completed.
        Connection to peer '10.1.1.1' never happened
        Connection to peer '10.1.1.1' Attempted at Tue Oct  5 09:40:15 2021

 

Do you have any suggestions to solve this problem?

Both FTD and FMC are version 6.6.4.

 

Best regards

Chakshu Piplani
Cisco Employee

I see you have got FMC HA; by any chance is 10.1.1.2 the active FMC?

How does the GUI look on FMC? Are you getting alerts on FMC for appliance heartbeats?

 

Regards,

Chakshu

 

Do rate helpful posts!

Hi Chakshu,

 

Yes, we have FMC HA. In the GUI we see heartbeat errors; the strange thing is that the FTD is reachable via SSH, but if we, for example, deploy a new policy, it fails due to the sftunnel being down.

I've also tried this procedure with no results:

 

> expert
admin@FTDv:~$ sudo su
Password:
root@FTDv:/home/admin# manage_procs.pl
****************  Configuration Utility  **************
1   Reconfigure Correlator
2   Reconfigure and flush Correlator
3   Restart Comm. channel
4   Update routes
5   Reset all routes
6   Validate Network
0   Exit
**************************************************************

#TCN
Level 1

Hello All,

I have a very similar issue to the above.

 

FMC/FTD 1120 code 6.6.5 running HA 

> sftunnel-status

SFTUNNEL Start Time: Mon May 16 12:11:48 2022

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 1
Reserved SSL connections: 0
Management Interfaces: 1
management0 (control events) 10.10.10.10,

***********************

**RUN STATUS****10.10.10.10*************
Connected: No
SSL Verification status: ok
Registration: Completed.
Connection to peer '10.10.10.10' never happened
Connection to peer '10.10.10.10' Attempted at Mon May 16 12:23:23 2022

**RPC STATUS****10.10.10.10*************
RPC status :Failed
Check routes:
No peers to check

 

Running the below on the FTD or FMC makes no difference:

 

> expert
admin@FTDv:~$ sudo su
Password:
root@FTDv:/home/admin# manage_procs.pl
****************  Configuration Utility  **************
1   Reconfigure Correlator
2   Reconfigure and flush Correlator
3   Restart Comm. channel
4   Update routes
5   Reset all routes
6   Validate Network
0   Exit
**************************************************************

 

This was following a power cut, and the time/date was way out on the primary unit (JAN 2015).

 

I managed to bring the time closer via expert mode:

date -s "16 MAY 2022 11:00:00"

 

Time looks acceptable now; however, the sftunnel remains down. I was going to reboot FTD/FMC again following the time change, but are there any other suggestions?

Unable to perform anything on the managed FTD at this stage.

 

Cheers, 
#TCN

Been a long time since this update, but it helped me get my Firepower 1010 back online with FMC.

Turns out the 1010 thought it was the year 2034.

sftunnel_status.pl

SFTUNNEL Start Time: Mon Sep 4 22:01:57 2034

Set the time per this post with: date -s "Mon Sep 4 22:14:00 UTC 2022"

Then I restarted the sftunnel process on the 1010: # pmtool restartbyid sftunnel

and it worked.
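As an added example, not part of this thread or of any Cisco tooling: a small POSIX shell triage helper that parses sftunnel-status output and separates the clock-skew failure both posters hit from a tunnel that is down for some other reason, given a reference epoch taken from a host whose clock you trust. The embedded sample status text and the 300-second threshold are constructed for the example; GNU date is assumed, as in the FTD expert shell.

```shell
#!/bin/sh
# Added triage helper, not from the thread: parses sftunnel-status output and
# measures how far the appliance clock is from a trusted reference clock.
# Assumes GNU date (as in the FTD expert shell); SKEW_LIMIT is our own choice.

SKEW_LIMIT=300   # seconds beyond which the clock, not the tunnel, is the suspect

# Constructed sample modelled on the thread's output (note the year).
SAMPLE_STATUS="SFTUNNEL Start Time: Mon Sep 4 22:01:57 2034
**RUN STATUS****10.1.1.1*************
        Connected: No
        SSL Verification status: ok
        Registration: Completed.
        Connection to peer '10.1.1.1' never happened"

# Print "yes" only if every "Connected:" line in the status text says Yes.
sftunnel_all_connected() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Connected:/ { n++; if ($2 != "Yes") bad++ }
        END { if (n > 0 && bad == 0) print "yes"; else print "no" }'
}

# List the peer IPs reported as "never happened", one per line.
sftunnel_never_connected_peers() {
    printf '%s\n' "$1" | sed -n "s/.*Connection to peer '\([^']*\)' never happened.*/\1/p"
}

# Extract the "SFTUNNEL Start Time:" value as a plain timestamp string.
sftunnel_start_time() {
    printf '%s\n' "$1" | sed -n 's/^SFTUNNEL Start Time: *//p' | head -n 1
}

# Seconds between a timestamp ($1, parsed as UTC) and a reference epoch ($2).
# Positive means the appliance clock runs ahead of the reference.
clock_skew_seconds() {
    ts=$(date -u -d "$1" +%s) || return 1
    ref=$2
    echo $(( ts - ref ))
}

# Verdict: "ok" when all peers are connected, "clock" when the start time is
# more than SKEW_LIMIT off the reference, "tunnel" when the clock is sane but
# the tunnel is still down (look at routes, certs and FMC HA state instead).
sftunnel_triage() {
    status=$1; ref_epoch=$2
    [ "$(sftunnel_all_connected "$status")" = yes ] && { echo ok; return 0; }
    skew=$(clock_skew_seconds "$(sftunnel_start_time "$status")" "$ref_epoch") || { echo unknown; return 1; }
    abs=${skew#-}
    [ "$abs" -gt "$SKEW_LIMIT" ] && echo clock || echo tunnel
}
```

On the appliance, feed it the live output: `sftunnel_triage "$(sftunnel-status)" "$REF_EPOCH"`, with REF_EPOCH taken from `date -u +%s` on a trusted host. A "clock" verdict is the case both posters hit, where setting the date and running `pmtool restartbyid sftunnel` restores the tunnel.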

 
