Firepower 2100, SSH is OK but https not working

APC-Shaban (Level 1)

Hi,

I have Firepower 2100 (Cisco Fire Linux OS v6.2.3 (build 13) Cisco Firepower 2110 Threat Defense v6.2.3 (build 83))

and my PC has an IP in the range 172.31.31.x.

SSH (IP: 172.31.31.254) is OK, but I am unable to access HTTPS, and unable to add the management IPv4 address; when I add the IP it stays unassigned on the interface:

configure network ipv4 manual 172.31.31.33 255.255.255.0 172.31.31.254 Management1/1

Below is the running configuration:


: Hardware: FPR-2110, 6843 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
:
NGFW Version 6.2.3
!
hostname firepower


!
interface Ethernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0

!
interface Ethernet1/2
no nameif
no security-level
no ip address
!
interface Ethernet1/2.11
vlan 11
nameif admin1-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.11.254 255.255.255.0
!
interface Ethernet1/2.12
vlan 12
nameif admin2-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.12.254 255.255.255.0
!
interface Ethernet1/2.33
vlan 333
nameif power-users
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.33.254 255.255.255.0
!
interface Ethernet1/3
no nameif
no security-level
no ip address
!
interface Ethernet1/3.13
vlan 13
nameif service-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.13.254 255.255.255.0
!
interface Ethernet1/3.14
vlan 14
nameif factory-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.14.254 255.255.255.0
!
interface Ethernet1/3.20
vlan 20
nameif wireless-users
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.20.254 255.255.255.0
!
interface Ethernet1/4
no nameif
no security-level
no ip address
!
interface Ethernet1/4.329
vlan 329
nameif vp
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.29.254 255.255.255.0
!
interface Ethernet1/4.331
vlan 331
nameif it
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.31.254 255.255.255.0
!
interface Ethernet1/5
nameif servers
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.100.254 255.255.255.0
!
interface Ethernet1/6
no nameif
no security-level
no ip address
!
interface Ethernet1/6.21
vlan 21
nameif guest
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.250.254 255.255.255.0
!
interface Ethernet1/6.22
vlan 22
nameif guest-vp
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.251.254 255.255.255.0
!
interface Ethernet1/7
nameif wireless-mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.32.254 255.255.255.0
!
interface Ethernet1/8
nameif surveillance_interface
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.101.254 255.255.255.0
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
nameif sw-mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.30.254 255.255.255.0
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!

http server enable
http 172.31.31.0 255.255.255.0 it
http 192.168.1.0 255.255.255.0 outside
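The symptom in the question is that SSH works from 172.31.31.x but HTTPS does not. On ASA and FTD the "http server enable" line turns on the HTTPS management service, and each "http <network> <mask> <nameif>" line is an allow-list entry for that service on one named data interface, so a first check is whether the client's source network is listed for the interface it arrives on. The script below is an added example (it is not from the thread and not a Cisco tool): it parses a trimmed copy of the posted configuration, constructed here for the example, and applies that check for a few sample clients. It only handles directly connected clients, and it ignores routing, NAT and the separate management-plane address that "show network" reports.

```python
"""Check whether a client IP is permitted HTTPS management access by the
http lines of an ASA/FTD-style running configuration.

Added example, not part of the forum thread. RUNNING_CONFIG is a constructed
subset of the configuration posted in the question."""
import ipaddress
import re

# Constructed input: relevant lines from the posted running configuration.
RUNNING_CONFIG = """\
interface Ethernet1/2.11
 vlan 11
 nameif admin1-wired
 security-level 0
 ip address 10.0.11.254 255.255.255.0
!
interface Ethernet1/4.331
 vlan 331
 nameif it
 security-level 0
 ip address 172.31.31.254 255.255.255.0
!
interface Ethernet1/12
 nameif sw-mgmnt
 security-level 0
 ip address 172.31.30.254 255.255.255.0
!
interface Management1/1
 management-only
 nameif mgmnt
 security-level 0
 no ip address
!
http server enable
http 172.31.31.0 255.255.255.0 it
http 192.168.1.0 255.255.255.0 outside
"""

HTTP_ACL_RE = re.compile(r"http (\S+) (\S+) (\S+)$")


def parse_config(text):
    """Return (interfaces, http_enabled, http_acl).

    interfaces: {nameif: ip_network of the interface subnet, or None if the
                 interface has no address (e.g. Management1/1 above)}
    http_acl:   list of (ip_network, nameif) from `http <net> <mask> <nameif>`
    """
    interfaces = {}
    http_acl = []
    http_enabled = False
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block; its nameif is not known yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            interfaces.setdefault(nameif, None)
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "http server enable":
            http_enabled = True
        else:
            m = HTTP_ACL_RE.match(line)
            if m:
                net, mask, intf = m.groups()
                http_acl.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), intf))
    return interfaces, http_enabled, http_acl


def ingress_interface(interfaces, client_ip):
    """Name of the directly connected interface whose subnet contains
    client_ip, or None (routed clients are out of scope for this example)."""
    ip = ipaddress.ip_address(client_ip)
    for name, net in interfaces.items():
        if net is not None and ip in net:
            return name
    return None


def https_access(config_text, client_ip):
    """Return (allowed, reason) for a client trying HTTPS management access."""
    interfaces, enabled, acl = parse_config(config_text)
    if not enabled:
        return False, "http server enable is missing"
    intf = ingress_interface(interfaces, client_ip)
    if intf is None:
        return False, f"{client_ip} is not on any configured data-interface subnet"
    ip = ipaddress.ip_address(client_ip)
    for net, acl_intf in acl:
        if acl_intf == intf and ip in net:
            return True, (f"permitted by 'http {net.network_address} "
                          f"{net.netmask} {acl_intf}' on interface {intf}")
    return False, f"no http entry permits {client_ip} on interface {intf}"


if __name__ == "__main__":
    for client in ("172.31.31.10", "10.0.11.5", "172.31.30.7"):
        ok, why = https_access(RUNNING_CONFIG, client)
        print(f"{client}: {'ALLOW' if ok else 'DENY'} - {why}")
```

For the posted configuration a client in 172.31.31.0/24 arriving on "it" is permitted, while clients on admin1-wired or sw-mgmnt are not listed and would be refused before any TLS handshake. The same kind of check applies to the "ssh <network> <mask> <nameif>" lines, which the posted excerpt does not include. When the allow list passes but HTTPS still fails, the problem is elsewhere (the FDM manager state, the service itself, or the client path), which is what the replies below go on to examine.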


22 Replies

Are you trying to manage the FTD device using FMC or FDM? 

Issue the command show managers to see how the FTD is currently being managed

If you are trying to use FDM you need to configure the following command on the CLI:

configure manager local

--
Please remember to select a correct answer and rate helpful posts

Thanks for your reply.

I am trying to use FDM
> show managers
Managed locally.

But why does Firepower refuse to assign the IP to Management1/1? There is no error when assigning the IPv4 address using the command.

APC-Shaban (Level 1)

Ethernet1/2.11 10.0.11.254 YES CONFIG up up
Ethernet1/2.12 10.0.12.254 YES CONFIG up up
Ethernet1/2.33 172.31.33.254 YES CONFIG up up
Ethernet1/3 unassigned YES unset up up
Ethernet1/3.13 10.0.13.254 YES CONFIG up up
Ethernet1/3.14 10.0.14.254 YES CONFIG up up
Ethernet1/3.20 10.0.20.254 YES CONFIG up up
Ethernet1/4 unassigned YES unset up up
Ethernet1/4.329 172.31.29.254 YES CONFIG up up
Ethernet1/4.331 172.31.31.254 YES CONFIG up up
Ethernet1/5 10.0.100.254 YES CONFIG up up
Ethernet1/6 unassigned YES unset up up
Ethernet1/6.21 192.168.250.254 YES CONFIG up up
Ethernet1/6.22 192.168.251.254 YES CONFIG up up
Ethernet1/7 172.31.32.254 YES CONFIG up up
Ethernet1/8 10.0.101.254 YES CONFIG up up
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 172.31.30.254 YES CONFIG up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset up up
>

To see the FTD mgmt IP you need to use the command:

show network

The management plane on the FTD is separate from the data plane by default and will not show in the output of show run. Is it still not present when issuing this show command?


show network gives a blank result (no output).

Could you elaborate more on "giving blank"? Do you mean no IP is shown, or that there is no output at all?

You should be seeing something like the following:

> show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 208.67.222.222
                            208.67.220.220
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.88.243.129

==================[ management0 ]===================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : 00:2C:C8:41:09:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.88.243.253
Netmask                   : 255.255.255.128
Broadcast                 : 10.88.243.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

Yes, no output.

That is odd... are you trying to run FTD software on the device or ASA software?

Could you post the output of show version please.


Also, could you issue the command connect ftd and then again show network


connect ftd is not available, only connect fxos, and there is no show network command in that mode.

  • Is this a newly purchased FTD?
  • If newly purchased, is it a used FTD or brand new?
  • If it is not newly purchased, has it worked previously? And has anything happened that might have caused this issue?

  • Is this a newly purchased FTD?  No
  • If newly purchased, is it a used FTD or brand new?
  • If it is not newly purchased, has it worked previously? And has anything happened that might have caused this issue?

It was working but suddenly stopped connecting over HTTPS. I contacted the company that I purchased the device from; they did troubleshooting but found nothing.

Regarding connect ftd, I cannot execute this command; only connect fxos is available.

APC-Shaban (Level 1)

I did connect ftd from FXOS and it connected, but show network still gives nothing.

Have you done a reboot of the device since the issue happened? I see the device was rebooted 6 days ago, but was the issue present before this reboot?

If you have not performed a reboot since the issue occurred, would you be able to perform a reboot at some point in the near future?
