1400 Views, 5 Helpful, 2 Replies

Firepower 4110 reachability

ciscoworlds
Level 4

Hi. I have a Firepower 4110 device whose password my colleague has reset. Now we can ping its management IP address but cannot connect to that IP address via HTTP(S)/Telnet/SSH. I couldn't even connect to that IP address when I attached my computer directly to the management port with an Ethernet cable, but, as I said, the ping works fine. I connected my PC to the console port of the device and got these outputs:

FTD4110# scope system 
FTD4110 /system # show firmware monitor 
FPRM:
    Package-Vers: 2.4(1.214)
    Upgrade-Status: Ready

Fabric Interconnect A:
    Package-Vers: 2.4(1.214)
    Upgrade-Status: Ready

Chassis 1:
    Server 1:
        Package-Vers: 2.4(1.214)
        Upgrade-Status: Ready

and:

FTD4110# show system 

Systems:
    Name       Mode        System IP Address System IPv6 Address
    ---------- ----------- ----------------- -------------------
    FTD4110    Stand Alone 10.106.6.194      ::

There is no "connect ftd" command (I mean the "ftd" keyword) on the FXOS CLI. How could I re-initiate the initial configuration setup, or find out whether FTD has been installed on the device?

FTD4110# connect ?
  adapter     Mezzanine Adapter
  cimc        Cisco Integrated Management Controller
  fxos        Connect to FXOS CLI
  local-mgmt  Connect to Local Management CLI
  module      Security Module Console

I used the "connect fxos A" command and ran "show run"; this is the output. It seems the device has some configs, but I don't know whether this is the reason I cannot connect to the management port of the 4110 chassis.

FTD4110(fxos)# show running-config
!
version 5.0(3)N2(4.41)
switchname FTD4110
!
feature npiv
feature telnet
feature tacacs+
no cfs distribute
feature private-vlan
feature port-security
feature udld
feature lacp
feature vmfex
feature lldp
feature fex
feature network-segmentation-manager
!
ip domain-lookup
aaa group server tacacs+ tacacs
!
mac access-list ssp_acl_ccl_tcp_dst
mac access-list ssp_acl_ccl_tcp_src
mac access-list ssp_acl_ccl_udp_dst
mac access-list ssp_acl_hb
  10 permit any any vlan 4047
mac access-list ssp_acl_mgmt
!
fex management-instance 9e9c4214-40d4-11e9-8efa-ed40b3863645 fabric 1
ntp master 8
!
vrf context management
vlan 1,101-148,1001-1048,2001
vlan 4044
  name SAM-vlan-management
vlan 4047
  name SAM-vlan-boot
no spanning-tree vlan 1-3967,4044-4093
vethernet auto-create
port-profile default max-ports 512
port-profile default port-binding static
port-profile type vethernet NSM_template_vlan
  guid 25c7cc21-4efb-49c3-8474-c84aeddd381a
  no shutdown
  description ort-profile for VLAN networks. Do not delete.
  state enabled
port-profile type vethernet NSM_template_segmentation
  guid 088f6ef5-9091-4712-a815-b6cf0bebe641
  no shutdown
  description ort-profile for VXLAN networks. Do not delete.
  state enabled
port-profile type vethernet ucsm_internal_rackserver_portprofile
  guid c86b9396-d1e4-41d9-95f5-a1e9c2f15c16
  switchport trunk allowed vlan 4044
  switchport mode trunk
  no shutdown
  max-ports 320
  state enabled
  dvs-name all
!
interface port-channel48
  description U: Uplink
  switchport mode dot1q-tunnel
  lacp suspend-individual
  lacp max-bundle 16
  switchport trunk native vlan 1048
  speed 10000
  duplex full
!
interface Ethernet1/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 101
  duplex full
  udld disable
!
interface Ethernet1/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 102
  duplex full
  udld disable
!
interface Ethernet1/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 103
  duplex full
  udld disable
!
interface Ethernet1/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 104
  duplex full
  udld disable
!
interface Ethernet1/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 105
  duplex full
  udld disable
!
interface Ethernet1/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 106
  duplex full
  udld disable
!
interface Ethernet1/7
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 107
  duplex full
  udld disable
!
interface Ethernet1/8
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 108
  duplex full
  udld disable
!
interface Ethernet1/9
  switchport vntag max-vifs 118
  switchport mode vntag
  no shutdown
!
interface Ethernet2/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 117
  duplex full
  udld disable
!
interface Ethernet2/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 118
  duplex full
  udld disable
!
interface Ethernet2/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 119
  duplex full
  udld disable
!
interface Ethernet2/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 120
  duplex full
  udld disable
!
interface Ethernet2/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 121
  duplex full
  udld disable
!
interface Ethernet2/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 122
  duplex full
  udld disable
!
interface Ethernet3/1
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 133
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/2
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 134
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/3
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 135
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/4
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 136
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/5
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 137
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/6
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 138
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/7
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 139
  speed auto
  duplex full
  udld disable
!
interface Ethernet3/8
  description U: Uplink
  no cdp enable
  switchport mode dot1q-tunnel
  switchport trunk native vlan 140
  speed auto
  duplex full
  udld disable
!
interface mgmt0
  shutdown force
  ip address 10.106.6.194/24
line console
line vty
no ip igmp snooping
ldap-server port 0
ldap-server TLS version
aaa group server ldap ldap
network segment manager switch
  dvs name FTD4110
network segment policy default_vlan_template
  description Default template used for VLAN backed pools
  type vlan
  import port-profile NSM_template_vlan
network segment policy default_segmentation_template
  description Default template used for isolation backed pools
  type segmentation
  import port-profile NSM_template_segmentation

FTD4110(fxos)#

Regards,

Accepted Solution

Rahul Govindan
VIP Alumni

Are you trying to reach the Chassis management or the FTD management IP address?

For Chassis management, do the following to check if there is an ip-block; I have seen this set to block all SSH/HTTPS/SNMP on initial setup:

Firepower-chassis # scope system
Firepower-chassis /system # scope services

Firepower-chassis /system/services # sh ip-block

Try adding an entry for your source IP address:

scope system
scope services
create ip-block <aaa.bbb.ccc.ddd> <cidr> https
create ip-block <aaa.bbb.ccc.ddd> <cidr> ssh
commit-buffer
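A small check of the ip-block logic in the answer above, as an added example that is not from the thread or from Cisco: given the entries `show ip-block` would list (constructed samples here) and an admin host, it reports which services that host can reach and prints the remaining `create ip-block` lines in the command sequence shown above. It assumes FXOS treats configured ip-block entries as an allow-list and that an empty list permits every source.

```python
import ipaddress

# Services an FXOS ip-block entry can scope, as named in the thread.
SERVICES = ("https", "ssh", "snmp")

# Constructed sample in the shape `show ip-block` lists: (prefix, prefix length, service).
# Not taken from the thread or from a real chassis.
SAMPLE_IP_BLOCKS = [
    ("192.0.2.0", 24, "https"),   # only the admin subnet may reach Chassis Manager
    ("0.0.0.0", 0, "snmp"),       # a /0 entry admits any source for that service
]


def _entry_covers(entry, source_ip):
    """True when the entry's prefix contains source_ip."""
    prefix, length, _service = entry
    network = ipaddress.ip_network(f"{prefix}/{length}", strict=False)
    return ipaddress.ip_address(source_ip) in network


def allowed_services(entries, source_ip):
    """Services that at least one ip-block entry grants to source_ip.
    Assumption: with no entries configured FXOS admits every host, so all services."""
    if not entries:
        return set(SERVICES)
    return {e[2] for e in entries if e[2] in SERVICES and _entry_covers(e, source_ip)}


def fxos_commands_to_allow(entries, source_ip, cidr, services=SERVICES):
    """The scope/create/commit lines from the answer that add only the entries
    still missing for source_ip; an empty list means nothing needs to change."""
    missing = [s for s in services if s not in allowed_services(entries, source_ip)]
    if not missing:
        return []
    net = ipaddress.ip_network(f"{source_ip}/{cidr}", strict=False)
    lines = ["scope system", "scope services"]
    lines += [f"create ip-block {net.network_address} {net.prefixlen} {s}" for s in missing]
    lines.append("commit-buffer")
    return lines


if __name__ == "__main__":
    admin_host = "198.51.100.7"   # constructed: the PC that can ping but not reach HTTPS/SSH
    print("reachable services:", sorted(allowed_services(SAMPLE_IP_BLOCKS, admin_host)))
    for line in fxos_commands_to_allow(SAMPLE_IP_BLOCKS, admin_host, 32, ("https", "ssh")):
        print(line)
```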

2 Replies

Assume. It worked and I connected to the Firepower Chassis Manager. It seems the device has no FTD or ASA. Is it possible to install FTD on the chassis via the Firepower Chassis Manager web page?
