Firepower cluster: one node is unable to reach Cisco Cloud

swscco001 (Level 3)

Hello everybody,

our customer has FMC running rel. 7.2.5 and a HA-cluster of two Firepower 1140 running rel. 7.2.5.

The customer gets the following error message in the Health Monitor:

Cisco Cloud Configuration: Unable to reach Cisco Cloud from the device. Please check the network connection.
(see attached screen dumps)

On the Standby device:

> show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet1/1              outside                10.50.250.37    255.255.255.248 CONFIG
Ethernet1/2              inside                 10.50.38.254    255.255.255.0   CONFIG
Ethernet1/3              internet               a.b.c.d         255.255.255.240 manual
Ethernet1/8              ha-link                100.64.0.1      255.255.255.252 unset
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet1/1              outside                10.50.250.38    255.255.255.248 CONFIG
Ethernet1/2              inside                 10.50.38.253    255.255.255.0   CONFIG
Ethernet1/3              internet               w.x.y.z         255.255.255.240 manual
Ethernet1/8              ha-link                100.64.0.2      255.255.255.252 unset

I can ping targets on the Internet:

> ping 8.8.8.8
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Could this be a bug or what should be done to remove this error?

Thanks a lot for every hint!


Bye
R.



7 Replies

swscco001 (Level 3)

Hello once again,

I just found out the following:

> ping system tools.cisco.com
ping: tools.cisco.com: Temporary failure in name resolution

> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Do you know why name resolution for the 'ping system' does not work but for the
normal ping?

Thanks a lot!



Bye
R.



@swscco001 "ping system" is from the management interface, "ping" is from the data interface. So is the management interface configured correctly?

Hi Rob,

a Happy New Year for you!

The management interface looks identical to the active working cluster node:

Active (working) node:

> show interface Management 1/1
Interface Management1/1 "diagnostic", is up, line protocol is up
  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 6887.c671.6d81, MTU 1500
        IP address unassigned
        2209585 packets input, 132646566 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops, 0 demux drops
        12 packets output, 504 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        7 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (0/0)
        output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "diagnostic":
        2209494 packets input, 101708190 bytes
        12 packets output, 336 bytes
        364 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
        Management-only interface. Blocked 0 through-the-device packets

Standby (problematic node)
> show interface Management 1/1
Interface Management1/1 "diagnostic", is up, line protocol is up
  Hardware is en_vtun rev00, BW Unknown Speed-Capability, DLY 1000 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 6887.c619.6981, MTU 1500
        IP address unassigned
        2206434 packets input, 132439413 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops, 0 demux drops
        7 packets output, 294 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (0/0)
        output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "diagnostic":
        2206293 packets input, 101542791 bytes
        7 packets output, 196 bytes
        349 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
        Management-only interface. Blocked 0 through-the-device packets

Because the standby node reported a problem with name resolution, I determined the following:

Active (does work):
===================
> ping system tools.cisco.com
PING tools.cisco.com (72.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=1 ttl=234 time=44.7 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=2 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=3 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=4 ttl=234 time=44.6 ms

> show network
===============[ System Information ]===============
Hostname                  : FTD-ROC-01.pfaudler.com
DNS Servers               : 208.67.222.222		<=== (in the DNS server group)
                            1.1.1.1			<=== (in the DNS server group)
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.50.37.1
  Netmask                 : 0.0.0.0
...

---------------------------------------------------------------------------

Standby (does not work):
========================
> ping system tools.cisco.com
ping: tools.cisco.com: Temporary failure in name resolution

> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 142.251.40.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

> show network
===============[ System Information ]===============
Hostname                  : FTD-ROC-02.pfaudler.com
DNS Servers               : 10.50.32.10      		<=== (not in the DNS server group)
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.50.37.1
  Netmask                 : 0.0.0.0
...

Even though both nodes use the same DNS server group in the 'Platform Settings', I see
different DNS servers on the CLIs.

Do you have any explanation?

Thanks a lot!



Bye
R.


@swscco001 configure the DNS servers for the management interface from the CLI using the "configure network dns" command. 

The Platform Settings DNS servers are for policy rules that use FQDN objects from data interfaces.
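The distinction in the two replies above is management plane versus data plane: 'ping system' and the cloud connection resolve names with the servers shown under "DNS Servers" in 'show network' (set with 'configure network dns'), while 'ping' from a data interface uses the Platform Settings DNS group, so the two nodes of an HA pair can pass the data-plane ping and still disagree on management DNS. The following script is an added example for this thread, not Cisco code: it parses the text of '> show network' captured from each node (the two sample outputs are copied from the posts above), reports where the standby's management DNS or default gateway drifts from the active node, and prints the 'configure network dns servers' command, in the comma-separated syntax used in the accepted solution, that would align them. The parser and its field handling are my own assumptions about the output format shown here.

```python
"""Management-plane DNS drift check for an FTD high-availability pair.

Added example for this thread (not Cisco code). It parses the text of
'> show network' from each node and reports where the standby's management
DNS configuration differs from the active node's. The two samples below are
copied from the thread; replace them with your own 'show network' output.
"""
import re

# Sample input (copied from the thread): 'show network' on the active node.
ACTIVE_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname                  : FTD-ROC-01.pfaudler.com
DNS Servers               : 208.67.222.222
                            1.1.1.1
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.50.37.1
  Netmask                 : 0.0.0.0
"""

# Sample input (copied from the thread): the standby node before the fix.
STANDBY_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname                  : FTD-ROC-02.pfaudler.com
DNS Servers               : 10.50.32.10
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.50.37.1
  Netmask                 : 0.0.0.0
"""

# A 'key : value' line. The key must start with a letter and contain only
# letters, digits and spaces, so an IPv6 server on a continuation line
# (starts with a hex digit, contains colons) is never taken for a key.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")


def parse_show_network(text):
    """Extract hostname, management DNS servers and default gateway.

    'DNS Servers' is a multi-line field: the first server is on the key
    line, each further server on an indented continuation line.
    """
    info = {"hostname": None, "dns_servers": [], "gateway": None}
    current_key = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            current_key, value = m.group(1).strip(), m.group(2).strip()
            if current_key == "Hostname":
                info["hostname"] = value
            elif current_key == "DNS Servers" and value:
                info["dns_servers"].append(value)
            elif current_key == "Gateway":
                info["gateway"] = value
        elif current_key == "DNS Servers" and line.strip():
            info["dns_servers"].append(line.strip())   # continuation line
        else:
            current_key = None
    return info


def dns_drift(active_text, standby_text):
    """Return human-readable findings; an empty list means the standby's
    management DNS servers and default gateway match the active node."""
    active = parse_show_network(active_text)
    standby = parse_show_network(standby_text)
    findings = []
    if not standby["dns_servers"]:
        findings.append(f"{standby['hostname']}: no management DNS servers set")
    missing = [s for s in active["dns_servers"] if s not in standby["dns_servers"]]
    extra = [s for s in standby["dns_servers"] if s not in active["dns_servers"]]
    if missing or extra:
        findings.append(f"{standby['hostname']}: management DNS differs from "
                        f"{active['hostname']} (missing {missing}, extra {extra})")
    if active["gateway"] != standby["gateway"]:
        findings.append(f"{standby['hostname']}: management gateway "
                        f"{standby['gateway']} != {active['gateway']}")
    return findings


def alignment_command(reference_text):
    """FTD CLI command (comma-separated list, no spaces, as in the thread)
    that sets the management DNS servers to those of the reference node."""
    servers = parse_show_network(reference_text)["dns_servers"]
    return "configure network dns servers " + ",".join(servers)


if __name__ == "__main__":
    for finding in dns_drift(ACTIVE_SHOW_NETWORK, STANDBY_SHOW_NETWORK):
        print("DRIFT:", finding)
    print("Run on the standby:", alignment_command(ACTIVE_SHOW_NETWORK))
```

Run it on captures taken from both nodes after every Platform Settings or management change; a non-empty findings list is the condition that produced the "Unable to reach Cisco Cloud" health alert on one node only, and it is cheaper to catch here than by waiting for the Health Monitor.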

Hi Rob,

a Happy New Year for you.

I have set the same DNS servers on the standby as on the active FTD and now the 'ping system' get an answer:

> configure network dns servers 208.67.222.222,1.1.1.1

> show network
===============[ System Information ]===============
Hostname                  : FTD-ROC-02.pfaudler.com
DNS Servers               : 208.67.222.222
                            1.1.1.1
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.50.37.1
  Netmask                 : 0.0.0.0

...

> ping system tools.cisco.com
PING tools.cisco.com (72.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=1 ttl=234 time=44.7 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=2 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=3 ttl=234 time=44.6 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=4 ttl=234 time=44.6 ms
^C
--- tools.cisco.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 44.596/44.628/44.651/0.259 ms

But the initial error message in the FMC persists.

Is there any other idea or configuration I could try to get rid of the error message?

Thanks a lot!



Bye
R.

Hi Rob,

I was somewhat impatient, but now the error message has disappeared from the FMC.

Thanks a lot and have a nice weekend!



Bye
R.

https://community.cisco.com/t5/network-security/change-dns-server-ftd-high-availability/m-p/4732602

I have seen this same issue before.
Only the master, I think, can connect to the cloud and sync the info to all members.
MHM
