
Firepower 1140 FDM Smart License Issue

Abdulahad
Level 1

Dear Team,

I am encountering difficulties registering a Firepower 1140 using FDM. While I can successfully ping 8.8.8.8, attempting to ping "google.com" fails, indicating a potential DNS issue.

Allow me to provide additional context regarding the device's connectivity. The inside interface is utilized for FTD management, and the outside interface is connected to a router. The management interface remains unconnected.

I have configured a group of DNS servers as DHCP servers within the firewall. Users receive IP addresses and DNS information, enabling internet access without issues. However, when attempting to ping "google.com" from the FTD, the operation fails, although pinging 8.8.8.8 is successful.

I would appreciate guidance on resolving this DNS-related challenge. Your assistance is invaluable in ensuring seamless connectivity for both FTD management and user-side internet access.


@Abdulahad if you think it is a DNS issue, log in to the CLI of the FTD, run system support diagnostic-cli, then run debug dns. Ping a DNS name such as google.com; the debug output will confirm which DNS group was used to attempt to resolve the hostname (if any). DNS may not be enabled on the outside interface, in which case log in to the GUI, navigate to System Settings > DNS servers and configure the correct interface.

Abdulahad
Level 1

First of all, thank you for your reply. I'd like to clarify one thing: my management interface is not connected to anything, and I am using the inside interface to manage the device. The inside interface is NATed through the outside interface. I am wondering if Smart License can use the data interface. Also, from the FDM console, I can ping 8.8.8.8, but I can't ping google.com. Thanks.

@Abdulahad you don't need to use the management interface. You can select the outside data interface to perform the DNS lookups; this may then resolve your problem with the FTD contacting smart licensing.

Get DNS working, troubleshoot as per the suggestion above.

Abdulahad
Level 1

Before enrolling in Cisco Success Network, you must enroll the device in cloud.
Cloud Services | 18 Dec 2023 02:47 PM | 18 Dec 2023 02:47 PM
The device enrollment with the Cisco cloud was not started due to Smart License registration failure.
Cisco Smart Software Manager Registration | 18 Dec 2023 02:47 PM | 18 Dec 2023 02:47 PM
The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.
Enabling of Success Network | 18 Dec 2023 02:43 PM | 18 Dec 2023 02:43 PM
Before enrolling in Cisco Success Network, you must enroll the device in cloud.
Cloud Services | 18 Dec 2023 02:42 PM | 18 Dec 2023 02:43 PM
The device enrollment with the Cisco cloud was not started due to Smart License registration failure.
Cisco Smart Software Manager Registration | 18 Dec 2023 02:42 PM | 18 Dec 2023 02:42 PM
The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.

Abdulahad
Level 1

I can ping google.com and tools.cisco.com, but the device is giving the error above.

Abdulahad
Level 1

I have followed your instructions, and the DNS issue has been resolved. As I mentioned, I am now able to ping both google.com and tools.cisco.com. However, when attempting to register, I encountered an error indicating that the device couldn't connect to the Smart Licensing server. This error may suggest a gateway problem for the management interface.

Abdulahad
Level 1

Thank you, Rob. According to the document, I should "Use the Data Interfaces as the Gateway." This option is recommended when there isn't a separate management network connected to the Management interface. Traffic is routed to the internet based on the routing table, usually passing through the outside interface.

In line with this, I have connected the management interface to a switch and assigned it an IP within the same subnet as the data interface. For my infrastructure, the inside or data interface uses the IP 192.168.1.1/24. Consequently, I have set the management IP to 192.168.1.x and configured the DNS. I will try this and I will let you know, thanks.

Abdulahad
Level 1

I am encountering the following error: "You must specify a static address for the management IP when you route management traffic through the data interfaces. Using a DHCP client to obtain an address is not allowed." For IPv4, I have manually set the address to 192.168.1.144/24, and for IPv6, I have left it blank. Although DHCP is enabled, I cannot find the option to disable it. Any guidance on resolving this issue would be appreciated.
