Firepower Management center

nasser2002_2005
Level 1

Hi everyone,

When I try to add the FirePOWER sensor to FMC it shows this message: "Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection."

The registration keys are OK, there is ping between the FMC and the sensor, the FirePOWER service is version 6.2.0 and the FMC is also 6.2.0, and I installed Hotfix A 6.2.0.1 successfully.

sh version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

--------------------------------------------------------------------------------------------------

1# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

> show version
---------------------[ gpgsfr ]---------------------
Model : ASA5525 (72) Version 6.2.0 (Build 362)

Rules update version : 2016-03-28-001-vrt
VDB version : 271
----------------------------------------------------


Marvin Rhoads
Hall of Fame

Can you confirm that you can ssh from one to the other (FMC to the module and vice versa)?

Also, if there is a firewall between them at all, verify that tcp/8305 is allowed. That is the required port that must be open bidirectionally. You should be able to initiate a telnet connection from either end and specify port 8305 to verify it.

Hi Marvin,

There is a telnet connection from either. What do you mean about the last part (specify port 8305 to verify it)?

Verify that tcp/8305 is allowed (could you please explain more?)

Again, thank you very much.

I noticed that there is no ping between the FMC and FirePOWER.

If there's no ping (icmp), there's likely no tcp as well.

Fix that issue first. The most common cause is mis-configuration of the networking on the module. The second most common is an intervening network firewall that either blocks the communications or NATs one or the other address. 

I mentioned using telnet to check tcp 8305 because that is the tcp port that is used between FMC and its managed sensors.

From the bash shell (underlying Linux cli for both FMC and FirePOWER module) you simply start a telnet session and specify the (non-standard for telnet) port 8305. (telnet usually uses tcp/23).

telnet <remote address> 8305

On a FirePOWER module sensor you need to first switch to expert mode to get into the bash shell.
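The telnet check above only tells you whether the connection opened. The following added example (not from this thread or from Cisco) does the same tcp/8305 connect from Python and classifies the outcome so that a firewall silently dropping the port (timeout) can be told apart from nothing listening or NAT to the wrong host (refused) and from a routing or module-IP misconfiguration (unreachable); the loopback demo and its port numbers are constructed for illustration.

```python
"""Added example (not from the thread): classify a tcp/8305 connect attempt the
way the telnet check above does, so a firewall drop (timeout) can be told apart
from nothing listening (refused) or a routing/NAT problem (unreachable)."""
import socket
import threading

SFTUNNEL_PORT = 8305  # management/eventing port between FMC and its sensors


def check_port(host, port=SFTUNNEL_PORT, timeout=3.0):
    """Return 'open', 'refused', 'timeout', 'unreachable' or 'unresolved'."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(addr)
        return "open"            # SYN-ACK received: the peer is listening
    except socket.timeout:
        return "timeout"         # no reply at all: typical of a firewall dropping 8305
    except ConnectionRefusedError:
        return "refused"         # host answers but nothing listens (or NAT to wrong host)
    except OSError:
        return "unreachable"     # no route / network unreachable: module IP misconfigured
    finally:
        s.close()


def local_demo():
    """Constructed loopback demo: one listening port and one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port stands in for 8305
    srv.listen(1)
    listening = srv.getsockname()[1]
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))           # grab a free port, release it: nothing listens there
    closed = tmp.getsockname()[1]
    tmp.close()
    results = {"listening": check_port("127.0.0.1", listening),
               "closed": check_port("127.0.0.1", closed)}
    t.join(3)
    srv.close()
    return results
```

Run `check_port("<remote address>")` from the FMC or the module's expert-mode bash shell in both directions, since tcp/8305 has to work initiated from either end.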

Thank you Mr. Marvin

It is working now; the issue was misconfiguration.

I have a question. Shall I register the 2 ASAs (primary and secondary) on the FMC with different FirePOWER IPs?

thank you again .

You're welcome.

Yes - each ASA FirePOWER module requires a unique address and must be individually registered to the managing FMC (and license applied from FMC).

Remember the FirePOWER modules themselves have no knowledge of the ASA HA pair.

We can then logically put them in a device group and, when creating policy, assign both modules to the same policy. That's one of the advantages of using FMC - create one policy and deploy to multiple managed sensors.

Man, you're helping me a lot.

Mr. Marvin

I'm at intern level. How can I create a policy and assign both modules to the same policy?

Could you please explain to me?

One more thing: I have a health message on FMC (Interface 'DataPlaneInterface0' is not receiving any packets) (by the way, I did not assign an outside IP).

thank you again .

You're welcome.

The configuration guide covers setting target devices for an Access Control Policy here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/getting_started_with_access_control_policies.html#ID-2176-000002e6

Dataplane0 is the internal connection between the ASA data path and the FirePOWER module. The dataplane error is most often seen in two conditions:

1. There is no service policy in the ASA redirecting traffic to the FirePOWER module. Make sure you have created and applied one per the following guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-150498

2. The secondary ASA in an HA pair is not normally processing any traffic and thus gives us that condition. (The same thing would apply if the whole ASA pair was in a lab or otherwise not processing any traffic through the box.)

I believe that because Firepower is not HA aware and you have an HA configuration and are monitoring interface dataplane0, you are receiving this error. Do not monitor interface dataplane0 in an HA configuration; the error will disappear.

is the ssh connection mandatory for FMC to make connection with the sensor?

@Tess238 no ssh is needed. We sometimes use it for testing when the required communications are in doubt.

What's required is tcp/8305, initiated from either end. FMC-FTD and vice versa use that port for sftunnel which is used for both management and eventing. At the higher layer it is using TLS 1.2.

Chuck Reimer
Level 1

I've seen issues like this and syncing the time either manually or via NTP fixed the issue. Not sure if this would apply in your case.
