Thanks, Rob for your input. I believe what you are describing is the same or close to what I had originally, but FTD could not resolve DNS even though DNS was configured. TAC spent three hours looking at this and concluded the FMCv had to be directly connected. 

@lcaruso you don't need to use dns, you can just use IP.

Can you ping the gateway from the FTD? Can you ping the FMC from the FTD?

Did you take a tcpdump as per the link I provided?

Rob, the dns issue was seen with a critical health status for FTD not being able to connect like this 

FTD01:/home/ldap/abbac# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* getaddrinfo(3) failed for api-sse.cisco.com:443
* Couldn't resolve host 'api-sse.cisco.com'
* Closing connection 0
curl: (6) Couldn't resolve host 'api-sse.cisco.com'

@lcaruso I assumed your issue was registering the ftd to the fmc. That screenshot would indicate you mean the ftd is unable to resolve a dns entry in order to access the Internet?

How does this relate to the fmc? Please provide more information on your issue.

Is it just this fqdn that is not resolvable?

Rob, the connectivity issue was FTD could not ping ip addresses eg 8.8.8.8 so that is why a critical error raised regarding the reachability of the cloud. I was told by TAC there is a separate FTD "policy" that manages FTD's network that I had not configured. Somehow TAC jumped from configuring that as a possible solution to these required topology changes with Management1/1 connected directly to Eth1/5 and FMCv connected directly to Eth1/4 per the FP1010 cabling diagram. 

@lcaruso isn't this 2 issues?

Please provide the actual screenshot of the critical error regarding reachability of the cloud, I assume it's displayed on the FMC? The FMC does normally communicate with api-sse.cisco.com - therefore the FMC would need internet access, so NAT and an Access Control rule to permit the traffic.

If you cannot even ping an IP address on the internet from the FTD itself, does this not indicate an actual fundamental network/routing issue? Can you ping the next hop IP address? Can devices behind the FTD access the internet?

On the FTD what interface are you pinging from? The Outside interface (ping 8.8.8.8) or mgmt interface (ping system 8.8.8.8). If your mgmt interface is connected to the internal LAN (with the switch as the next hop) then it is routed through the FTD, so you'd need NAT and an Access Control rule.

To configure the FTD to ping hostnames you need to configure DNS in the Platform Settings policy.

Hi @balaji.bandi thanks for your reply. I should have mentioned I had everything setup and working except FTD could not resolve DNS names and connect to the cloud. So FMCv was registered, inside traffic was passing fine, but FTD was critical status because of not being able to connect to the cloud. I did see that video you shared previously that is a good one, thanks. 

 

 

 balaji.bandi

is that still issue has this been resolved?

Not resolved yet because I am now redesigning the network to match the diagram that Cisco says I have to implement. I swapped in my backup firewall and need to connect FMCv directly and cable Management1/1 to Eth1/5 as in the diagram.