04-25-2021 03:04 PM
Hi everyone! I am trying to use RADIUS, DNS and NTP services through the Management Interface of a Firepower 2110 running the ASA image. This interface has communication with the corporate network where the respective servers reside. Below are the configurations from the Firepower ASA:
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.192.37.13 255.255.255.0 standby 10.192.37.14
BRPRS1SECXFW003# sh route management-only
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.192.37.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.192.37.1, management
S 10.192.0.0 255.255.0.0 [1/0] via 10.192.37.1, management
C 10.192.37.0 255.255.255.0 is directly connected, management
L 10.192.37.13 255.255.255.255 is directly connected, management
Server addresses:
NTP/DNS - 10.192.0.30 and 31
firepower-2110 /system/services # show dns
Domain Name Servers:
IP Address: 10.192.0.52 Order: 0
IP Address: 10.192.0.53 Order: 1
firepower-2110 /system/services # show ntp-server
NTP server hostname:
Name Time Sync Status
------------------------------ ----------------
10.192.0.52 Not Available
10.192.0.53 Not Available
BRPRS1SECXFW003# show clock detail
21:47:29.539 UTC Sun Apr 25 2021
Time source is FXOS
firepower-2110 /system/services # show clock
Sun Apr 25 18:49:57 BRT 2021
firepower-2110 /system/services # show timezone
Timezone: America/Sao_Paulo
firepower-2110 /system/services # show ntp-server detail
NTP server hostname:
Name: 10.192.0.52
Time Sync Status: Unreachable Or Invalid Ntp Server
Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.
Name: 10.192.0.53
Time Sync Status: Unreachable Or Invalid Ntp Server
Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.
05-07-2021 08:17 AM - edited 05-07-2021 08:17 AM
I am in the process of deploying a Firepower 2120 with ASA image and platform mode so I had the opportunity to resolve this issue firsthand.
I was able to get ntp to work by assigning a unique IP address to the fxos out-of-band interface (physically shared with the ASA management 1/1 interface on the chassis).
firepower-2120 /fabric-interconnect # set out-of-band static ip <address> netmask 255.255.255.0 gw <gateway address>
Warning: When committed, this change may disconnect the current CLI session and dhcp server will be disabled.
Use commit-buffer command to commit the changes.
firepower-2120 /fabric-interconnect* # commit-buffer
Once I did this, NTP quickly synced and the correct time was passed to the ASA running on the appliance.
firepower-2120# show ntp-overall-status
NTP Overall Time-Sync Status: Time Synchronized
firepower-2120# scope system
firepower-2120 /system # scope services
firepower-2120 /system/services # show ntp-server detail
NTP server hostname:
Name: time.nist.gov
Time Sync Status: Time Synchronized
Error Msg:
firepower-2120 /system/services #
Be sure to have a valid DNS server configured if you are using FQDN(s) for the NTP server(s). Otherwise you can use IP addresses.
The following may also be useful:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215468-configure-verify-and-troubleshoot-netwo.html#anc16
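A way to confirm from a host on the management subnet that a given address really answers as an NTP source (rather than being silently dropped or returning a Kiss-o'-Death), as an added example that is not code from the thread or from Cisco: a minimal SNTP probe that binds to a chosen source address, the way the FXOS out-of-band IP is the source above. The server and source addresses are assumptions, and SAMPLE_REPLY is a constructed packet for offline parsing.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_PACKET_LEN = 48


def build_ntp_request(version=4):
    """48-byte SNTP client request: LI=0, VN=version, Mode=3, all timestamps zero."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(NTP_PACKET_LEN - 1)


def parse_ntp_response(data):
    """Parse a server reply into version, stratum and Unix transmit time.
    Raises ValueError for replies a usable time source would not send
    (wrong mode, stratum 0 Kiss-o'-Death, unsynchronized clock)."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("short packet (%d bytes), not an NTP reply" % len(data))
    li = data[0] >> 6
    version = (data[0] >> 3) & 0x7
    mode = data[0] & 0x7
    stratum = data[1]
    if mode != 4:
        raise ValueError("mode %d is not a server reply (expected 4)" % mode)
    if stratum == 0:
        # Stratum 0 carries a 4-char kiss code in the reference identifier field
        raise ValueError("stratum 0 Kiss-o'-Death, code %r" % data[12:16])
    if li == 3:
        raise ValueError("leap indicator 3: server clock is not synchronized")
    # Transmit timestamp: 32-bit seconds + 32-bit fraction, big-endian, bytes 40..47
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {"version": version, "stratum": stratum,
            "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2 ** 32}


def probe_ntp(server, source_ip="", timeout=3.0):
    """Send one request from source_ip (e.g. the out-of-band address) and parse
    the reply. socket.timeout here is what 'Unreachable Or Invalid Ntp Server'
    looks like on the wire: no answer at all within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))
        s.sendto(build_ntp_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return parse_ntp_response(data)


# Constructed sample reply (not captured from the thread's servers): LI=0, VN=4,
# Mode=4, stratum 2, transmit seconds 3828000000 (NTP) = 1619011200 (Unix),
# i.e. 2021-04-21 13:20:00 UTC, zero fraction.
SAMPLE_REPLY = bytes([0x24, 0x02]) + bytes(38) + struct.pack("!II", 3828000000, 0)
```

Run it as `probe_ntp("10.192.0.52", source_ip="10.192.37.15")` from a host holding that address; a reply that parses with a non-zero stratum rules out the "may not be a NTP host" half of the FXOS error and leaves only the routing path to check.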
04-25-2021 03:13 PM
A couple of things: how is your configuration, and what source do you use for NTP?
ntp server [ip address of NTP] source [interface name]
Another: does the NTP Server know how to reach back to the ASA IP address?
Do you have any ACL which allows NTP? Or any ACL which denies on the Management network?
04-26-2021 09:12 AM
Apologies, you are right - I was referring to the traditional ASA config.
Here is the FXOS ASA config - you are right:
https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/cli.html
Now I will check the reachability to the IP address 10.192.0.52 using the management interface - and does the NTP Server know the routing back?
04-26-2021 08:20 AM
Hi Balaji! Thank you very much for your attention! We don't have an ACL on Management Interface 1/1, as you can see below:
BRPRS1SECXFW003# sh run access-group
access-group Outside_access_in in interface outside
access-group inside_access_in in interface inside
The Firepower 2110 ASA image doesn't have the option to assign the source interface in the ntp-server configuration, as you can see below:
firepower-2110 /system/services # enter ntp-server 10.192.0.52
<CR>
04-26-2021 12:03 PM - edited 04-26-2021 12:04 PM
Below are the connectivity tests, and the topology is attached. We have connectivity from the Server to the Firepower ASA.
FW-2# ping INT-FW2 10.192.37.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.192.37.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/90 ms
FW-1# ping INT-FW-1 10.192.37.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.192.37.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FW-1# packet-tracer input FWPWR-IN udp 10.192.37.13 123 10.192.0.52 123
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 700190621, packet dispatched to next module
Result:
input-interface: FWPWR-IN
input-status: up
input-line-status: up
output-interface: FWPWR-OUT
output-status: up
output-line-status: up
Action: allow
FWPR-2 xxxx udp 10.192.37.13 123 10.192.0.52 123
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.X.X.X 255.255.255.240
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in X.X.X.X 255.255.252.0
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3640711285, packet dispatched to next module
Result:
input-interface: FWPW-IN
input-status: up
input-line-status: up
output-interface: FWPWR-OUT
output-status: up
output-line-status: up
Action: allow
BRPRS1SECXFW003# traceroute 10.192.0.52 source management
Type escape sequence to abort.
Tracing the route to 10.192.0.52
1 10.192.37.1 1 msec 1 msec 1 msec
04-26-2021 12:04 PM
You're moving back and forth between ASA cli and FXOS cli in your examples.
If the chassis (prompt "firepower-2110 /system/services #") is synced to NTP it should provide that time to the ASA logical device. The chassis will only use the management interface.
Alternatively, you have the option to independently sync the ASA (prompt "BRPRS1SECXFW003#") to the ntp servers. It's here that you can specify the source-interface.
04-26-2021 01:28 PM
Hi Mr. Rhoads! Thank you for your attention!!
We don't have the option to configure ntp-server on the ASA CLI with a source interface, as you can see below:
BRPRS1SECXFW003(config)# n?
configure mode commands/options:
name names nat net
no nve
exec mode commands/options:
no
The document that we're using as a reference to configure those services is the one Mr. Balaji posted here:
https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/cli.html
We are trying to configure NTP/DNS and RADIUS services on a Firepower 2110 with the ASA image. This is the first time we have had to configure it in this environment (Firepower + ASA image).
Looking at the FXOS CLI below, the NTP service isn't synchronized with the NTP servers 10.192.0.52 and .53 yet:
firepower-2110 /system/services # show ntp-server
NTP server hostname:
Name Time Sync Status
------------------------------ ----------------
10.192.0.52 Not Available
10.192.0.53 Not Available
firepower-2110 /system/services # show ntp-server detail
NTP server hostname:
Name: 10.192.0.52
Time Sync Status: Unreachable Or Invalid Ntp Server
Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.
Name: 10.192.0.53
Time Sync Status: Unreachable Or Invalid Ntp Server
Error Msg: The host is temporarily unreachable or may not be a NTP host. You may give more time to it or configure another one.
I have a doubt about the management-only feature. I am not sure whether this option permits routing Inside x Outside, or whether it only permits routing Outside x Inside.
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.192.37.13 255.255.255.0 standby 10.192.37.14
Do you know about this?
04-27-2021 02:02 AM
Ah OK - I see. Have you set the gateway for the FX-OS management so that it knows how to reach the NTP servers?
05-07-2021 01:29 PM
Mr. Rhoads, thank you so much for your attention to this problem! You solved it!
We use an IP from the subnet 10.192.37.0/24, the same subnet as the ASA management interface, as shown below:
firepower-2110 /fabric-interconnect # show config | in 10.192
set out-of-band static ip 10.192.37.15 netmask 255.255.255.0 gw 10.192.37.1
After that, the NTP service synchronized with the NTP Server! Evidence below:
firepower-2110 /system # sh ntp-overall-status
NTP Overall Time-Sync Status: Time Synchronized
firepower-2110 /system/services # show ntp-server detail
NTP server hostname:
Name: 10.192.36.50
Time Sync Status: Time Synchronized
Error Msg:
Thank you very much, Mr. Rhoads!
04-27-2021 08:44 AM - edited 04-27-2021 08:48 AM
Hi Mr. Rhoads! We decided to keep the default configuration of the FXOS management interface, since the text below says that if we keep the default configuration, FXOS sends the traffic through the backplane to the ASA data interfaces.
Change the IP addresses or FXOS management gateway
You can change the FXOS management IP address on the FXOS CLI Firepower 2100 chassis. The default address is 192.168.45.45. You can also change the default gateway for FXOS management traffic. The default gateway is set to 0.0.0.0, which sends FXOS traffic over the backplane to be routed through the ASA data interfaces.
I am not sure if our decision is correct.
04-29-2021 12:28 AM
@GiovanniStavale53399 I see. Have you checked the ASA data interface to see if the traffic for NTP synchronization is even leaving the box?