cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3398
Views
0
Helpful
9
Replies
nasser2002_2005
Beginner

Firepower Management center

Hi everyone,

When i try to add the firepower sensor to FMC it shows this massage (Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection.)

 the registration keys ok , their is ping between the fmc and sensor and the firepower service is version 6.2.0 and the FMC its also 6.2.0 and i install Hotfix A 6.2.0.1  successfully.

sh version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

--------------------------------------------------------------------------------------------------

1# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

> show version
---------------------[ gpgsfr ]---------------------
Model : ASA5525 (72) Version 6.2.0 (Build 362)

Rules update version : 2016-03-28-001-vrt
VDB version : 271
----------------------------------------------------

1 ACCEPTED SOLUTION

Accepted Solutions

If there's no ping (icmp), there's likely no tcp as well.

Fix that issue first. The most common cause is mis-configuration of the networking on the module. The second most common is an intervening network firewall that either blocks the communications or NATs one or the other address. 

I mentioned using telnet to check tcp 8305 becasue that is the tcp port that is used between FMC and its managed sensors.

From the bash shell (underlying Linux cli for both FMC and FirePOWER module) you simply start a telnet session and specify the (non-standard for telnet) port 8305. (telnet usually uses tcp/23).

telnet <remote address> 8305

On a FirePOWER module sensor you need to first switch to expert mode to get into the bash shell.

View solution in original post

9 REPLIES 9
Marvin Rhoads
Hall of Fame Guru

Can you confirm that you can ssh from one to the other (FMC to the module and vice versa)?

Also, if there is a firewall between them at all, verify that tcp/8305 is allowed. That is the required port that must be open bidirectionally. You should be able to initiate a telnet connection from either end and specify port 8305 to verify it.

Hi marvin,

there is telnet connection from either. what do you mean about last part (specify port 8305 to verify it)

verify that tcp/8305 is allowed (could you please explain more )

again thank you very mach 

.

i notice that there is no ping petween the fmc and firepower 

If there's no ping (icmp), there's likely no tcp as well.

Fix that issue first. The most common cause is mis-configuration of the networking on the module. The second most common is an intervening network firewall that either blocks the communications or NATs one or the other address. 

I mentioned using telnet to check tcp 8305 becasue that is the tcp port that is used between FMC and its managed sensors.

From the bash shell (underlying Linux cli for both FMC and FirePOWER module) you simply start a telnet session and specify the (non-standard for telnet) port 8305. (telnet usually uses tcp/23).

telnet <remote address> 8305

On a FirePOWER module sensor you need to first switch to expert mode to get into the bash shell.

View solution in original post

Thank you Mr. Marvin

it working now the issue was mis-configuration ,

I have question. shell I register the 2 ASA ( primary and secondary ) on the FMC with different firepower ip .

thank you again .

You're welcome.

Yes - each ASA FirePOWER module reuires a unique address and must be individually registered to the managing FMC (and license applied from FMC).

Remember the FirePOWER modules themselves have no knowledge of the ASA HA pair.

We can then logically put them in a device group and, when creating policy, assign both modules to the same policy. That's one of the advantages of using FMC - create one policy and deploy to multiple managed sensors.

man your helping me a lot

Mr. Marvin

im intern level how I can create policy and assign both modules to the same policy.

could  you please explain to me ?

one more thing I have health massage on FMC  (Interface 'DataPlaneInterface0' is not receiving any packets) (by the way I did not assign outside ip)

thank you again .

You're welcome.

The configuration guide covers setting target devices for an Access Contorl Policy here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/getting_started_with_access_control_policies.html#ID-2176-000002e6

Dataplane0 is the internal connection between the ASA data path and the FirePOWER module. The dataplane error is most often seen in two conditions:

1. There is no service policy in the ASA redirecting traffic to the FirePOWER module. Make sure you have created and applied one per the following guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-150498

2. The secondary ASA in an HA pair is not normally processing any traffic and thus gives us that condition. (The same thing would apply if the whole ASA pair was in a lab or otherwise not processing any traffic through the box.)

I believe that because Firepower is not HA aware and you have an HA configuration and monitoring Interface dataplane0 you are receiving this error. Do not monitor interface dataplane0 in an HA configuration, the error will disappear.
Content for Community-Ad