01-03-2018 07:48 PM - edited 02-21-2020 07:04 AM
Hello!
I have an existing network all set up by someone, based on an FPR2110 firewall. This existing firewall is being managed by FDM (the on-device/local Firewall Device Manager).
I have an additional FTD firewall which needs to be configured such that it can be managed through FMC.
For this I made the connections as shown in the network diagram (the diagram doesn't include other irrelevant network details).
All the management network is flat L2 with a gateway configured on the existing firewall.
Stage 1:
Once I powered on the NGFW-FTD02, following commands were issued:
firepower#connect ftd
>configure network ipv4 manual 10.10.20.5 255.255.255.0 10.10.20.1
>configure manager add 10.10.20.3 PPPPAAAA
show managers >> shows the FMC is added
Stage 2:
FMC was configured and I was able to access it correctly without any problem.
I added the FPR2110 to the FMC using the key PPPPAAAA.
Initially, it looked like it was in sync with the NGFW-FTD02, but then suddenly I started getting error messages about an NTP mismatch or something, and if FMC and FTD do not have time sync then FTD cannot be managed through FMC.
Now when I ping from FMC to NGFW-FTD02's management, I am able to get the response. I am also able to SSH into NGFW-FTD02.
When I ping from NGFW-FTD02 to FMC, the ping fails.
When I ping from NGFW-FTD02 to NGFW-FTD01's default gateway, ping fails.
show NTP on NGFW-FTD02 shows that NTP is associated with the local clock.
Kindly help me understand what the possible list of issues would be, and how I sync the clock on NGFW-FTD02 without being on FMC (I need a command). Also help me understand the routing issue here, as I am unable to reach the gateway (mostly a gateway/data interface issue) and FMC from NGFW-FTD02, but the reverse way it is able to ping.
04-24-2018 06:12 PM
I am having exactly the same issue. We have FTD01 and FTD02. By my mistake, initially I configured FTD02 managed by local Firewall Device Manager. Then, I converted it to be managed by FMC. Now, FTD02 has an NTP sync issue.
If I use time4.google.com instead of FMC, it will work. So, NTPD on the FTD02 is working correctly. I don't know what to do next... I opened a TAC case but no luck... I think the key is that it used to be managed by a local Firewall Device Manager...
===with google
///NTP status///
root@NYP-EDGE-FW02:~# ntpq -np
remote refid st t when poll reach delay offset jitter
==============================================================================
127.127.1.1 .LOCL. 10 l 10 64 37 0.000 0.000 0.000
*216.239.35.12 .GOOG. 1 u 1 32 1 187.033 15.917 0.151
///ntp.conf///
root@FTD02:~# cat /etc/ntp.conf
# KP NTPd client configuration file
server time4.google.com prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server
# Local Clock as Backup
server 127.127.1.1 # local clock
fudge 127.127.1.1 stratum 10
# default security setting
restrict default kod nomodify notrap noquery
restrict 127.0.0.1 # allow local access
# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
# driftfile /opt/cisco/platform/logs/ntp.drift
driftfile /var/lib/ntp/ntp.drift
logconfig=syncall +clockall +sysall +peerall
logfile /opt/cisco/platform/logs/ntp.log
===with FMC
///NTP status///
root@FTD02:~# ntpq -np
remote refid st t when poll reach delay offset jitter
==============================================================================
127.0.0.2 .INIT. 16 u - 64 0 0.000 0.000 0.000
*127.127.1.1 .LOCL. 10 l 62 64 377 0.000 0.000 0.000
///ntp.conf///
root@NYP-EDGE-FW02:~# cat /etc/ntp.conf
# KP NTPd client configuration file
server 127.0.0.2 prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server
# Local Clock as Backup
server 127.127.1.1 # local clock
fudge 127.127.1.1 stratum 10
# default security setting
restrict default kod nomodify notrap noquery
restrict 127.0.0.1 # allow local access
# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
# driftfile /opt/cisco/platform/logs/ntp.drift
driftfile /var/lib/ntp/ntp.drift
logconfig=syncall +clockall +sysall +peerall
logfile /opt/cisco/platform/logs/ntp.log
04-24-2018 06:45 PM
I was able to fix the problem. You can apply this method if it is not in production, since we need to wipe the config.
1) Remove the problem FTD from FMC
2) Make sure it is no longer registered with FMC; from FTD run "show managers"
3) From FTD, run "configure firewall transparent" to wipe the config
4) From FTD, run "configure firewall routed" to go back to routed mode
5) Register to FMC
root@FTD02:~# ntpq -np
remote refid st t when poll reach delay offset jitter
==============================================================================
*127.0.0.2 45.33.84.208 3 u 9 64 273 0.660 3.817 0.578
127.127.1.1 .LOCL. 10 l 764 64 0 0.000 0.000 0.000
Note:
I got the idea of how to reset the previous config from this link:
https://www.lammle.com/post/reset-cisco-ftd-device-converted-asa-ftd-210041009300-factory-default/
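A small check of the `ntpq -np` output shown in this thread, as an added example that is not from the posters or from Cisco: it parses the peer table and reports whether the device is actually synced to its configured server or has fallen back to the stratum-10 local clock (the symptom above). The sample rows are constructed from the tables posted above; the 127.0.0.2 manager NTP address is the one in the posted ntp.conf.

```python
# Added example (not from the thread): parse `ntpq -np` and tell real sync from fallback to the local clock.
from dataclasses import dataclass

TALLY = "*+#-xo"  # ntpq peer tally codes; '*' marks the selected sync source

@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int  # octal shift register of the last 8 polls (377 = all answered)

    def is_local_clock(self) -> bool:
        # 127.127.t.u is a reference-clock driver; .LOCL. is the undisciplined local clock
        return self.remote.startswith("127.127.") or self.refid == ".LOCL."

def parse_ntpq(text: str) -> list:
    peers = []
    for line in text.splitlines():
        tally = " "
        if line and line[0] in TALLY:
            tally, line = line[0], line[1:]
        f = line.split()
        # a peer row has exactly 10 columns with a numeric stratum; prompts, header and ruler do not
        if len(f) != 10 or not f[2].isdigit():
            continue
        peers.append(Peer(tally, f[0], f[1], int(f[2]), int(f[6], 8)))
    return peers

def sync_status(text: str) -> dict:
    peers = parse_ntpq(text)
    src = next((p for p in peers if p.tally == "*"), None)
    return {
        "source": src.remote if src else None,
        "stratum": src.stratum if src else None,
        # selected LOCL at stratum 10 means the configured server is not usable
        "local_clock_only": bool(src and src.is_local_clock()),
        "unreachable": [p.remote for p in peers if p.reach == 0 and not p.is_local_clock()],
        "healthy": bool(src and not src.is_local_clock() and src.stratum < 16),
    }

# Constructed samples, taken from the tables posted above (FMC as NTP server, before and after the fix)
NTPQ_FMC_BROKEN = """\
127.0.0.2 .INIT. 16 u - 64 0 0.000 0.000 0.000
*127.127.1.1 .LOCL. 10 l 62 64 377 0.000 0.000 0.000
"""
NTPQ_FMC_FIXED = """\
*127.0.0.2 45.33.84.208 3 u 9 64 273 0.660 3.817 0.578
127.127.1.1 .LOCL. 10 l 764 64 0 0.000 0.000 0.000
"""
```

Run `sync_status` over the output of `ntpq -np` from expert mode; "local_clock_only" true with the manager address under "unreachable" is exactly the broken state shown in the thread.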
04-24-2018 07:39 PM
Cisco does not recommend using FMC as an NTP server. It is best to have both FMC and your managed sensors reference an authoritative (stratum 2 or better) NTP server.
By the way, when pinging from an FTD device, use the "ping system" command to make sure it uses the management interface. Otherwise it will try to use a data interface, which may not yet have a route set up.