
Firepower 2100, SSH is OK but https not working

APC-Shaban
Level 1

Hi,

I have a Firepower 2100 (Cisco Fire Linux OS v6.2.3 (build 13), Cisco Firepower 2110 Threat Defense v6.2.3 (build 83))

and my PC has an IP in the range 172.31.31.x.

SSH (IP: 172.31.31.254) is OK, but I am unable to access https, and unable to add a management IPv4 address; when I add the IP it stays unassigned on the interface:

configure network ipv4 manual 172.31.31.33 255.255.255.0 172.31.31.254 Management1/1

Below the running configuration: 


: Hardware: FPR-2110, 6843 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
:
NGFW Version 6.2.3
!
hostname firepower


!
interface Ethernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0

!
interface Ethernet1/2
no nameif
no security-level
no ip address
!
interface Ethernet1/2.11
vlan 11
nameif admin1-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.11.254 255.255.255.0
!
interface Ethernet1/2.12
vlan 12
nameif admin2-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.12.254 255.255.255.0
!
interface Ethernet1/2.33
vlan 333
nameif power-users
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.33.254 255.255.255.0
!
interface Ethernet1/3
no nameif
no security-level
no ip address
!
interface Ethernet1/3.13
vlan 13
nameif service-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.13.254 255.255.255.0
!
interface Ethernet1/3.14
vlan 14
nameif factory-wired
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.14.254 255.255.255.0
!
interface Ethernet1/3.20
vlan 20
nameif wireless-users
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.20.254 255.255.255.0
!
interface Ethernet1/4
no nameif
no security-level
no ip address
!
interface Ethernet1/4.329
vlan 329
nameif vp
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.29.254 255.255.255.0
!
interface Ethernet1/4.331
vlan 331
nameif it
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.31.254 255.255.255.0
!
interface Ethernet1/5
nameif servers
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.100.254 255.255.255.0
!
interface Ethernet1/6
no nameif
no security-level
no ip address
!
interface Ethernet1/6.21
vlan 21
nameif guest
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.250.254 255.255.255.0
!
interface Ethernet1/6.22
vlan 22
nameif guest-vp
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.251.254 255.255.255.0
!
interface Ethernet1/7
nameif wireless-mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.32.254 255.255.255.0
!
interface Ethernet1/8
nameif surveillance_interface
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.0.101.254 255.255.255.0
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
nameif sw-mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 172.31.30.254 255.255.255.0
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif mgmnt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!

http server enable
http 172.31.31.0 255.255.255.0 it
http 192.168.1.0 255.255.255.0 outside


22 Replies

Yes I did, nothing changed. But what is the OOB IP address 172.31.31.180? Is it the IP for the management port?


As the command show network isn't showing output, I do not know what your management IP is.  You could go into expert mode and issue the command ifconfig management0 and see what it shows.  This should give you the IP of the management interface.


--
Please remember to select a correct answer and rate helpful posts

Unfortunately, this command is not available in expert mode either. May I know if I can renew the certificate of the FTD? Is it possible that the certificate has expired and the browser does not allow me to access https?

Then in expert mode just issue the command ifconfig and then review all the interfaces.  By the way, are you managing this device via FMC or FDM?

If it was a certificate issue, you would receive a certificate error when connecting.  If the management IP is not being populated then there might be a hardware issue with the management interface or the chassis.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame

Are you using this in production? I note that you are running Firepower 6.2.3 which is an EXTREMELY old version. If the device is not in production, I would recommend reimaging it altogether to version 7.2.2.

For the https access, can you confirm that you are trying to access from one of the permitted subnets via the indicated interface? i.e.:

http 172.31.31.0 255.255.255.0 it
http 192.168.1.0 255.255.255.0 outside
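One way to check that question mechanically, as an added Python script that is not from the thread or from Cisco: it parses the relevant pieces of the posted running config (the "it" subinterface, Management1/1 and the http statements, in the one-statement-per-line ASA/FTD syntax shown above) and reports which interfaces admit HTTPS from a given client address, and whether that interface has an address at all.

```python
import ipaddress

# Constructed excerpt of the running config posted in the thread (values unchanged).
RUNNING_CONFIG = """\
interface Ethernet1/4.331
 nameif it
 ip address 172.31.31.254 255.255.255.0
!
interface Management1/1
 management-only
 nameif mgmnt
 no ip address
!
http server enable
http 172.31.31.0 255.255.255.0 it
http 192.168.1.0 255.255.255.0 outside
"""

def parse_config(text):
    """Return ({nameif: IPv4Interface or None}, [(IPv4Network, nameif)])."""
    interfaces, http_rules, nameif, addr = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface ") or line == "!":
            if nameif:  # close the previous interface block
                interfaces[nameif] = addr
            nameif, addr = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):  # "no ip address" never matches
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("http ") and line != "http server enable":
            net, mask, ifname = line.split()[1:4]
            http_rules.append((ipaddress.ip_network(f"{net}/{mask}"), ifname))
    if nameif:
        interfaces[nameif] = addr
    return interfaces, http_rules

def https_reachable(client_ip, interfaces, http_rules):
    """Interfaces whose http rule admits client_ip, mapped to their address (None = no ip address)."""
    client = ipaddress.ip_address(client_ip)
    return {ifname: interfaces.get(ifname)
            for net, ifname in http_rules if client in net}

if __name__ == "__main__":
    ifaces, rules = parse_config(RUNNING_CONFIG)
    print(https_reachable("172.31.31.10", ifaces, rules))  # {'it': IPv4Interface('172.31.31.254/24')}
    print("mgmnt address:", ifaces["mgmnt"])               # None: Management1/1 has no ip address
```

For a client in 172.31.31.x the config does permit HTTPS on "it" (172.31.31.254), while mgmnt is named by no http rule and has no address, so the http allow list is not what blocks the session.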

Yes, it is in production, and regarding access, yes, I am using the subnet 172.31.31.0 255.255.255.0.

Your device appears to be unhealthy. Reviewing the thread, neither "show version" nor "show network" yield any output. Those should both work on any FTD device. If they don't, something is broken at a low level.

If you have support I would recommend opening a TAC case.

I think you need to get TAC to take a look at this.  This is a possible RMA.  That there is no output in show network is not good.

--
Please remember to select a correct answer and rate helpful posts