06-20-2018 02:30 PM - edited 02-21-2020 07:54 AM
Dears,
Please find the attached,
In the communication ports list, what does "host input client" refer to as bidirectional traffic to the FMC? Actually, what is the host input client, and what does bidirectional mean? What I understand by bidirectional is traffic initiated by the host to the FMC on port 8307, with the return traffic coming back from the FMC. Please correct me if I'm wrong.
Or does it mean:
Bidirectional means that both the host input client and the FMC can initiate traffic to destination port 8307.
Also, I would like to know whether inbound refers to traffic destined to the FMC and outbound refers to traffic destined to the remote host (LDAP, RADIUS server, etc.). Please correct me if I'm wrong.
Also, please find the attached error I get when I deploy the configuration to the Firepower.
Thanks
06-20-2018 06:07 PM
Hi
The communication between FMC and its managed sensor is on TCP port 8305 and not on 8307.
It should be open bidirectionally, which means the sensor/FTD can initiate a connection on 8305 to the FMC and vice versa.
8307 is not needed for policy deployment. You can get more details from this link about the host input client.
The other alert/warning means that you have included in your rules zones that are mapped to interfaces on a device other than the one you are deploying to, so that specific rule will not match, because the interface does not exist on that device.
You can still proceed with the deployment, though.
Rate if it helps,
Yogesh
06-22-2018 09:06 AM - edited 06-22-2018 11:04 AM
Dear Yogdhanu,
The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific rule will not match because the interface does not exist on that device.
So what I understand is that the secondary SFR device shown in the screenshot has those interfaces and the primary SFR doesn't; is this what the deployment error is referring to?
My firewall 5525-X is in failover mode and failover works perfectly, so this means that all the interfaces are in sync and the sensors are in a device group, so whenever a deployment happens it applies to both. But I still get the error. Why?
Is it something to do with the identity policy not being created properly? Please find the attached identity policy.
Thanks
06-23-2018 01:00 AM
Hi
It's possible that one of the SFRs does not have the correct interface-to-zone mapping. Please be aware that the FMC treats both SFRs as individual devices, so the interface-to-zone mapping has to be done manually on both.
Once that's done, you should not get the error.
Not sure about identity policy question.
Thanks
Yogesh
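One way to check this before deploying, as an added example that is not Cisco's own tooling: given each SFR's interface-to-zone mapping and the rules in the shared access control policy, list the rules that reference a zone with no interface on the target device (the device names, zones and rules below are constructed).

```python
# Added example: model the FMC warning about rules whose zones are mapped to
# interfaces on another device. Device names, zones and rules are constructed.
from typing import Dict, List, Set, Tuple

# Constructed sample: the secondary SFR has all zones mapped, the primary does not.
DEVICE_ZONE_MAP: Dict[str, Dict[str, str]] = {
    "sfr-primary":   {"GigabitEthernet0/0": "OUTSIDE"},
    "sfr-secondary": {"GigabitEthernet0/0": "OUTSIDE",
                      "GigabitEthernet0/1": "INSIDE",
                      "GigabitEthernet0/2": "DMZ"},
}

# Constructed sample rules: (name, source zones, destination zones); empty set = any.
ACCESS_RULES: List[Tuple[str, Set[str], Set[str]]] = [
    ("allow-web-out", {"INSIDE"}, {"OUTSIDE"}),
    ("allow-dmz-smtp", {"OUTSIDE"}, {"DMZ"}),
    ("block-all-any", set(), set()),
]


def zones_on_device(device: str) -> Set[str]:
    """Zones that have at least one interface mapped on the given device."""
    return set(DEVICE_ZONE_MAP.get(device, {}).values())


def rules_missing_zones(device: str) -> Dict[str, Set[str]]:
    """Rules whose source or destination zones have no interface on the device.
    Such a rule deploys but can never match there, which is what the FMC
    warning in this thread describes."""
    present = zones_on_device(device)
    missing: Dict[str, Set[str]] = {}
    for name, src, dst in ACCESS_RULES:
        absent = (src | dst) - present
        if absent:
            missing[name] = absent
    return missing


def devices_with_consistent_zones(devices: List[str]) -> bool:
    """True when every device in a group (e.g. a failover pair) exposes the same zones."""
    zone_sets = [zones_on_device(d) for d in devices]
    return all(z == zone_sets[0] for z in zone_sets)


if __name__ == "__main__":
    for dev in DEVICE_ZONE_MAP:
        for rule, absent in rules_missing_zones(dev).items():
            print(f"{dev}: rule '{rule}' references zones not mapped here: {sorted(absent)}")
    print("zone mapping consistent across the pair:",
          devices_with_consistent_zones(list(DEVICE_ZONE_MAP)))
```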
06-24-2018 01:46 PM
Thanks for the hints and suggestions.
09-24-2018 08:42 PM - edited 09-24-2018 08:47 PM
Hi, just wanted to trigger this thread with a doubt. Using an ASA w/ FP services here.
We are unable to deploy the policy on the sensor; we get this error message:
Deployment failed due to configuration error. If problem persists after retrying contact Cisco TAC.
I am guessing this is due to the devices being in a disabled state under device management; if yes, how do I enable them?
I also have an alarm under health for missing appliance heartbeats.
Do provide your insights. Thanks.