01-11-2024 01:19 AM
Hello everybody,
Our customer has an FMC running rel. 7.2.5 and an HA cluster of two Firepower 1140 running rel. 7.2.5.
The customer gets the following error message in the Health Monitor:
Cisco Cloud Configuration: Unable to reach Cisco Cloud from the device. Please check the network connection.
(see attached screen dumps)
On the Standby device:
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1/1 outside 10.50.250.37 255.255.255.248 CONFIG
Ethernet1/2 inside 10.50.38.254 255.255.255.0 CONFIG
Ethernet1/3 internet a.b.c.d 255.255.255.240 manual
Ethernet1/8 ha-link 100.64.0.1 255.255.255.252 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet1/1 outside 10.50.250.38 255.255.255.248 CONFIG
Ethernet1/2 inside 10.50.38.253 255.255.255.0 CONFIG
Ethernet1/3 internet w.x.y.z 255.255.255.240 manual
Ethernet1/8 ha-link 100.64.0.2 255.255.255.252 unset
I can ping targets on the Internet:
> ping 8.8.8.8
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
Could this be a bug or what should be done to remove this error?
Thanks a lot for every hint!
Bye
R.
01-11-2024 02:55 AM
Hello once again,
I just found out the following:
> ping system tools.cisco.com
ping: tools.cisco.com: Temporary failure in name resolution
> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
Do you know why name resolution for the 'ping system' does not work but for the
normal ping?
Thanks a lot!
Bye
R.
01-11-2024 04:28 AM
@swscco001 "ping system" is from the management interface, "ping" is from the data interface. So is the management interface configured correctly?
01-11-2024 04:53 AM
Hi Rob,
a Happy New Year for you!
The management interface looks identical to the active working cluster node:
Active (working) node:
> show interface Management 1/1
Interface Management1/1 "diagnostic", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 6887.c671.6d81, MTU 1500
IP address unassigned
2209585 packets input, 132646566 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
12 packets output, 504 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
7 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "diagnostic":
2209494 packets input, 101708190 bytes
12 packets output, 336 bytes
364 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
Standby (problematic node):
> show interface Management 1/1
Interface Management1/1 "diagnostic", is up, line protocol is up
Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 6887.c619.6981, MTU 1500
IP address unassigned
2206434 packets input, 132439413 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
7 packets output, 294 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "diagnostic":
2206293 packets input, 101542791 bytes
7 packets output, 196 bytes
349 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
Because the standby node reported a problem with the name resolution I determined the following:
Active (does work):
===================
> ping system tools.cisco.com
PING tools.cisco.com (72.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=1 ttl=234 time=44.7 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=2 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=3 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=4 ttl=234 time=44.6 ms
> show network
===============[ System Information ]===============
Hostname : FTD-ROC-01.pfaudler.com
DNS Servers : 208.67.222.222 <=== (in the DNS server group)
1.1.1.1 <=== (in the DNS server group)
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 10.50.37.1
Netmask : 0.0.0.0
...
---------------------------------------------------------------------------
Standby (does not work):
========================
> ping system tools.cisco.com
ping: tools.cisco.com: Temporary failure in name resolution
> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
> show network
===============[ System Information ]===============
Hostname : FTD-ROC-02.pfaudler.com
DNS Servers : 10.50.32.10 <=== (not in the DNS server group)
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 10.50.37.1
Netmask : 0.0.0.0
...
Even though both nodes use the same DNS server group in the 'Platform Settings', I see
different DNS servers on the CLIs.
Do you have any explanation?
Thanks a lot!
Bye
R.
01-11-2024 05:01 AM
@swscco001 configure the DNS servers for the management interface from the CLI using the "configure network dns" command.
The Platform Settings DNS servers are for policy rules that use FQDN objects from data interfaces.
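The mismatch in this thread only showed up because someone compared `show network` on both peers by hand. The following is an added example (not from this thread, not Cisco code) that parses that `show network` output format, flags management-plane DNS and gateway drift between the two HA peers, and builds the `configure network dns servers` command from the active peer's list. The sample output is constructed from the values quoted in the posts above.

```python
import re
from typing import List

# Constructed sample input, modelled on the `show network` output quoted in
# this thread (hostnames and addresses taken from the thread's own posts).
ACTIVE_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname : FTD-ROC-01.pfaudler.com
DNS Servers : 208.67.222.222
1.1.1.1
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 10.50.37.1
Netmask : 0.0.0.0
"""
# The standby peer as shown in the thread: same gateway, one different DNS server.
STANDBY_SHOW_NETWORK = ACTIVE_SHOW_NETWORK.replace("ROC-01", "ROC-02").replace(
    "208.67.222.222\n1.1.1.1", "10.50.32.10")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_show_network(text: str) -> dict:
    """Pull hostname, management DNS servers and default gateway out of `show network`.
    The first DNS server sits on the 'DNS Servers :' line; any further servers
    follow as bare IP lines until the next 'key : value' line."""
    info = {"hostname": None, "dns": [], "gateway": None}
    in_dns = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_dns and IPV4.match(line):
            info["dns"].append(line)          # continuation line of the DNS list
            continue
        in_dns = False
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep:
            continue                          # banner, blank, '...' or 'IPv4 Default route'
        if key == "Hostname":
            info["hostname"] = value
        elif key == "DNS Servers":
            info["dns"] = [value] if value else []
            in_dns = True
        elif key == "Gateway":
            info["gateway"] = value
    return info

def management_dns_drift(active: str, standby: str) -> List[str]:
    """Compare management-plane settings of two HA peers; an empty list means in sync."""
    a, s = parse_show_network(active), parse_show_network(standby)
    return [f"{f}: {s['hostname']} has {s[f]}, {a['hostname']} has {a[f]}"
            for f in ("dns", "gateway") if a[f] != s[f]]

def fix_command(active: str) -> str:
    """The CLI command used in this thread, filled with the active peer's DNS list."""
    return "configure network dns servers " + ",".join(parse_show_network(active)["dns"])

if __name__ == "__main__":
    for finding in management_dns_drift(ACTIVE_SHOW_NETWORK, STANDBY_SHOW_NETWORK):
        print("DRIFT", finding)
    print("Fix on standby:", fix_command(ACTIVE_SHOW_NETWORK))
```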
01-11-2024 11:28 PM
Hi Rob,
a Happy New Year for you.
I have set the same DNS servers on the standby as on the active FTD and now the 'ping system' gets an answer:
> configure network dns servers 208.67.222.222,1.1.1.1
> show network
===============[ System Information ]===============
Hostname : FTD-ROC-02.pfaudler.com
DNS Servers : 208.67.222.222
1.1.1.1
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 10.50.37.1
Netmask : 0.0.0.0
...
> ping system tools.cisco.com
PING tools.cisco.com (72.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=1 ttl=234 time=44.7 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=2 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=3 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=4 ttl=234 time=44.6 ms
^C
--- tools.cisco.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 44.596/44.628/44.651/0.259 ms
But the initial error message in the FMC persists.
Is there any other idea or configuration I could try to get rid of the error message?
Thanks a lot!
Bye
R.
01-11-2024 11:35 PM
Hi Rob,
I was somewhat impatient, but now the error message has disappeared from the FMC.
Thanks a lot and have a nice weekend!
Bye
R.
01-11-2024 06:09 AM
https://community.cisco.com/t5/network-security/change-dns-server-ftd-high-availability/m-p/4732602
I saw this same issue before.
Only the master, I think, can connect to the cloud and sync the info to all members.
MHM