12-08-2020 01:30 AM
We configured our HA FTD 1150 pair with FMC and enabled it to use DNS servers under platform settings:
In the Cisco documentation it says following:
For example, the ping hostname and ping interface interface_name hostname commands use the data interface DNS servers to resolve the name, whereas the ping system hostname command uses the management interface DNS servers. This makes it possible for you to test connectivity through specific interfaces and through the routing table.
So we can ping our DNS server through both interfaces, data and management:

> ping 172.16.123.50
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 172.16.123.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

> ping system 172.16.123.50
PING 172.16.222.50 (172.16.123.50) 56(84) bytes of data.
64 bytes from 172.16.123.50: icmp_seq=1 ttl=127 time=0.135 ms
64 bytes from 172.16.123.50: icmp_seq=2 ttl=127 time=0.149 ms
64 bytes from 172.16.123.50: icmp_seq=3 ttl=127 time=0.115 ms
^C
--- 172.16.123.50 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9003ms
rtt min/avg/max/mdev = 0.109/0.137/0.149/0.013 ms
But when we want to do a DNS query, it does not work over the management interface:

> ping proxy
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 172.16.123.91, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

> ping system proxy
ping: unknown host proxy

> ping system proxy.company.local
ping: unknown host proxy.company.local
What am I missing here? If I check the configuration, everything looks good:

dns domain-lookup INT_LAN
dns domain-lookup diagnostic
DNS server-group DefaultDNS
DNS server-group GRP_DomainControllers
 retries 1
 timeout 1
 name-server 172.16.123.50
 name-server 172.16.123.52
 domain-name merbag.local
dns-group GRP_DomainControllers
We have configured a separate default gateway for the management interface (in the WebGUI, before we added the FTD to the FMC). I don't know how I can access this configuration from within FMC. Is there a command that shows me the routing table of the management (diagnostic) interface?
There are some strange DNS servers configured for the management interface. How do I adjust these?

> show dns system
nameserver 208.67.222.222
nameserver 208.67.220.220
options timeout:2
Thanks for any help on this topic.
12-08-2020 04:17 AM
The DNS servers you show as configured for your management interface are the default Cisco Umbrella (OpenDNS) server addresses.
You can see the full setup and, if you wish, change the management network DNS server as shown below:
> show network
===============[ System Information ]===============
Hostname                  : vftd-new.ccielab.mrneteng.com
Domains                   : ccielab.mrneteng.com
DNS Servers               : 172.31.1.8
Management port           : 8305
IPv4 Default route
  Gateway                 : 172.31.1.1
  Netmask                 : 0.0.0.0
======================[ br1 ]=======================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 00:0C:29:24:8E:3F
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 172.31.1.24
Netmask                   : 255.255.255.0
Gateway                   : 172.31.1.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled
===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

> configure network
  dns                          Configure DNS servers
  hostname                     Set the hostname
  http-proxy                   Configure HTTP Proxy settings
  http-proxy-disable           Disable HTTP Proxy settings
  ipv4                         Configure IPv4 networking
  ipv6                         Configure IPv6 networking
  management-data-interface    Wizard for Management Data interface setup
  management-interface         Change to Management Port Configuration Mode
  management-port              Change TCP port for management
  mtu                          Configure Management and Eventing Interface MTU
  static-routes                Change to Static Route Configuration Mode

> configure network dns
  searchdomains    Configure DNS search domains
  servers          Configure DNS servers
    Arguments      Comma-separated list of DNS servers
    <cr>

> configure network dns
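As an added example (not from the thread and not Cisco code), a small Python check that parses the two outputs compared above: the data-interface DNS configuration pushed by FMC and the management resolver printed by show dns system. It reports which servers differ and builds the configure network dns servers command from the comma-separated argument syntax shown in the help text. The sample outputs are constructed from the values in this thread.

```python
import re

# Constructed sample: data-plane DNS config as pushed by FMC platform settings.
DATA_PLANE_CONFIG = """\
dns domain-lookup INT_LAN
dns domain-lookup diagnostic
DNS server-group DefaultDNS
DNS server-group GRP_DomainControllers
 retries 1
 timeout 1
 name-server 172.16.123.50
 name-server 172.16.123.52
 domain-name merbag.local
dns-group GRP_DomainControllers
"""

# Constructed sample: management-plane resolver (`show dns system`, resolv.conf style).
MGMT_DNS_OUTPUT = """\
nameserver 208.67.222.222
nameserver 208.67.220.220
options timeout:2
"""


def data_plane_servers(config):
    """Return the name-servers of the server-group that 'dns-group' activates."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"DNS server-group (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+name-server (\S+)", line)
        if m and current:
            groups[current].append(m.group(1))
    active = re.search(r"^dns-group (\S+)", config, re.M)
    return groups.get(active.group(1), []) if active else []


def management_servers(output):
    """Return the nameserver entries the management plane actually uses."""
    return re.findall(r"^nameserver (\S+)", output, re.M)


def dns_mismatch(config, output):
    """Servers present on only one plane; both lists empty means they agree."""
    data, mgmt = set(data_plane_servers(config)), set(management_servers(output))
    return {"data_only": sorted(data - mgmt), "mgmt_only": sorted(mgmt - data)}


def align_command(config):
    """Build the FTD CLI command that points management DNS at the data-plane servers."""
    return "configure network dns servers " + ",".join(data_plane_servers(config))
```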
12-08-2020 06:36 AM
OK, that was exactly what I was looking for. Thank you. Now the question arises: can I just configure this on the CLI, even though these boxes are in HA mode and managed via FMC? Do I need to do some sort of synchronisation after changing the configuration via CLI?
12-08-2020 08:37 AM
The CLI "configure" commands for the network settings on a Firepower appliance are unique per device, whether it is standalone, in an HA pair or in a cluster.
The only time you would need to worry about synchronization would be if you are changing the appliance's management address, and then the issue is with the managing FMC.