Beginner

FP Diagnostic interface setting up

Trying to enable the diagnostic interface on an FP 2100 for gathering information over SNMP. The interface itself is marked green in FMC and a static IP address is set up, but neither ICMP nor SNMP to this interface is responding.

The management interface itself is working fine and is located in the same network as diagnostic.


> show interface ip brief
Management1/1 10.1.1.146 YES manual up up

# show running-config interface Management1/1
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.1.1.146 255.255.255.0


The related guide I found is https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html but it is not so clear.

Accepted Solution

Hall of Fame Guru

Re: FP Diagnostic interface setting up

Sorry for the delay, I wanted to lab this up to confirm.

Make sure your device platform settings are set up to allow SNMP from the desired host(s) and that you've assigned the policy to your target device(s):

[image: FTD SNMP Platform settings.PNG]

NOTE: I found that you should only use a single interface. Specifying multiples resulted in only the first one getting pushed into the running-config. This was with Firepower 6.5.0.2.

Set up a static route for the diagnostic interface. It should appear in the running-config as a "management-only" route:

[image: FTD Mgmt and Diagnostic route.PNG]


Once you have done that, you should be able to get SNMP data from a remote subnet.

Here it is shown via the CLI:

root@fmc:/usr/share/snmp/mibs# snmpwalk -v 2c -c ccielab 172.31.4.4 1.3.6.1.4.1.9.9   
SNMPv2-SMI::enterprises.9.9.41.1.1.1.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.2.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.3.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.4.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.5.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.6.0 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.41.1.1.7.0 = STRING: "vftd-new.ccielab.mrneteng.com"

...and via a GUI tool from the other authorized host:

[image: FTD SNMP Interface scan.PNG]
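As an added example (not from the thread, the poster, or Cisco), here is a small Python checker that applies the checklist above to a saved running-config: the diagnostic interface has an address, the poller is configured as an snmp-server host on "diagnostic", and an off-subnet poller has a route via "diagnostic". The config sample is constructed, and the exact rendering of the route and snmp-server lines in an FTD running-config is assumed to follow the usual ASA form.

```python
import ipaddress
import re

# Constructed running-config sample (not from the thread); route and snmp-server
# lines are assumed to render in the usual ASA form:
#   route <nameif> <net> <mask> <gw> [metric] / snmp-server host <nameif> <ip> ...
SAMPLE_CONFIG = """\
interface Management1/1
 management-only
 nameif diagnostic
 ip address 10.1.1.146 255.255.255.0
route diagnostic 172.31.4.0 255.255.255.0 10.1.1.1 1
snmp-server host diagnostic 172.31.4.4 community ***** version 2c
"""
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")
SNMP_RE = re.compile(r"^snmp-server host (\S+) (\S+)")

def parse_config(text):
    """Return (diagnostic subnet or None, [(nameif, net)], [(nameif, host)])."""
    diag_subnet, routes, hosts, ifname = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifname = None                      # start of a new interface block
        elif line.startswith("nameif "):
            ifname = line.split()[1]
        elif line.startswith("ip address ") and ifname == "diagnostic":
            ip, mask = line.split()[2:4]
            diag_subnet = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := SNMP_RE.match(line):
            hosts.append((m[1], ipaddress.ip_address(m[2])))
    return diag_subnet, routes, hosts

def snmp_poller_checks(text, poller_ip):
    """Apply the accepted answer's checklist for one SNMP poller address."""
    poller = ipaddress.ip_address(poller_ip)
    diag_subnet, routes, hosts = parse_config(text)
    result = {"diag_has_ip": diag_subnet is not None}
    if not result["diag_has_ip"]:
        return result                          # nothing else can work yet
    # Platform Settings must list the poller as an SNMP host on "diagnostic".
    result["snmp_host_on_diag"] = ("diagnostic", poller) in hosts
    # An off-subnet poller also needs a management-only route via "diagnostic".
    result["route_to_poller"] = poller in diag_subnet or any(
        nameif == "diagnostic" and poller in net for nameif, net in routes)
    return result
```

Run it against the output of "show running-config" copied from the LINA CLI; a False in the result points at the step that is still missing.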

Hall of Fame Guru

Re: FP Diagnostic interface setting up

When you assigned the Diagnostic interface an address in FMC did you also name it MANAGEMENT?

Are you trying to reach the interface from someplace other than the local subnet it's in? If so, you need to set up a route to tell the management interface what gateway to use. Verify it once set with "show route management-only" from the LINA CLI.

Beginner

Re: FP Diagnostic interface setting up

Hello Marvin,

Thanks for the reply.


I renamed it to Management, no changes; does the name matter?

[image: fp diag.png]

Yes, I'm trying to reach it from a different network, but I can't even ping this IP from the LINA CLI itself. Also, please kindly tell me where I should write a route for the diagnostic interface. I can reach the management interface, which is in the same network as diagnostic.

Beginner

Re: FP Diagnostic interface setting up

Finally got things working. The first thing indeed was to create a static route, and the second is to add the SNMP host via the diagnostic interface in Platform Settings.

Resolved yesterday with TAC helping, but thank you Marvin as well, appreciate it.

Beginner

Re: FP Diagnostic interface setting up

Hi, how do you get the diagnostic interface and management interface on the same network or subnet? I keep getting errors for an overlapping network.

Hall of Fame Guru

Re: FP Diagnostic interface setting up

The overlapping bit is usually seen when you are using the same subnet for management and inside (or another data interface), which is OK on Firepower, and then adding an IP to the diagnostic interface (which it won't accept in that case).

By definition management and diagnostic will always be on the same subnet since they are using the same physical interface and not trunking.