Solved: FP Diagnostic interface setting up

voipleo · ‎02-12-2020

Trying to enable diagnostic interface on FP 2100 for gathering information over SNMP. The interface itself marked green in FMC and static IP address is set up but neither ICMP or SNMP to this interface are not responding.

Management interface itself is working fine and located in the same network as diagnostic.

> show interface ip brief
Management1/1 10.1.1.146 YES manual up up

# show running-config interface Management1/1
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.1.1.146 255.255.255.0

The related guide I found is https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html but it is not so clear.

Marvin Rhoads · ‎02-20-2020

Sorry for the delay, I wanted to lab this up to confirm.

Make sure your device platform settings are setup to allow SNMP from the desired host(s) and that you've assigned the policy to your target device(s):

NOTE: I found that you should only use a single interface. Specifying multiples resulted in only the first one getting pushed in to the running-config. This was with Firepower 6.5.0.2.

Setup a static route for the diagnostic interface. It should appear in the running-config as a "management-only" route:

Once you have done that, your should be able to get SNMP data from a remote subnet.

Here it is shown via cli:

root@fmc:/usr/share/snmp/mibs# snmpwalk -v 2c -c ccielab 172.31.4.4 1.3.6.1.4.1.9.9   
SNMPv2-SMI::enterprises.9.9.41.1.1.1.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.2.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.3.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.4.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.5.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.6.0 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.41.1.1.7.0 = STRING: "vftd-new.ccielab.mrneteng.com"

...and via a GUI tool from the other authorized host:

View solution in original post

Marvin Rhoads · ‎02-12-2020

When you assigned the Diagnostic interface an address in FMC did you also name it MANAGEMENT?

Are you trying to reach the interface from someplace other than the local subnet it's in? If so you need to setup a route to tell the management interface what gateway to use. Verify it once set with "show route management-only" from the LINA cli.

voipleo · ‎02-12-2020

Hello Marvin,

Thanks for the reply.

I renamed it to Management, no changes, does name matter?

Yes, I'm trying to reach from different network but I can't even ping this IP from lina cli itself. Also please kindly tell where should I write a route for diagnostic interface. I can reach management interface which in the same network as diagnostic.

Marvin Rhoads · ‎02-20-2020

Sorry for the delay, I wanted to lab this up to confirm.

Make sure your device platform settings are setup to allow SNMP from the desired host(s) and that you've assigned the policy to your target device(s):

NOTE: I found that you should only use a single interface. Specifying multiples resulted in only the first one getting pushed in to the running-config. This was with Firepower 6.5.0.2.

Setup a static route for the diagnostic interface. It should appear in the running-config as a "management-only" route:

Once you have done that, your should be able to get SNMP data from a remote subnet.

Here it is shown via cli:

root@fmc:/usr/share/snmp/mibs# snmpwalk -v 2c -c ccielab 172.31.4.4 1.3.6.1.4.1.9.9   
SNMPv2-SMI::enterprises.9.9.41.1.1.1.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.2.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.3.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.4.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.5.0 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.41.1.1.6.0 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.41.1.1.7.0 = STRING: "vftd-new.ccielab.mrneteng.com"

...and via a GUI tool from the other authorized host:

voipleo · ‎02-21-2020

Finally got things working. First thing indeed was to create static route and the second is to add SNMP host via diagnostic interface in Platform Settings.

Resolved yesterday with TAC helping but thank you Marvin as well, appreciate it.

ernesto_tello · ‎04-03-2020

Hi, How do you get the diagnostic interface and management interface on the same network or subnet? I keep getting errors for overlapping network.

Marvin Rhoads · ‎04-03-2020

The overlapping bit is usually seen when you are using the same subnet for management and inside (or other data interface) (which is OK on Firepower) and then adding an IP to the diagnostic (which it won't accept in that case).

By definition management and diagnostic will always be on the same subnet since they are using the same physical interface and not trunking.