11-08-2022 12:14 PM
We had to change the outside interface IP of a remote office FTD that was connected to a central FMC. After changing the IP the FTD does not want to reconnect to the FMC. The network objects were updated to the new IP address (for NAT, Policies, etc.), the device IP was changed under device management on the FMC, and the IP was changed on the FTD. I am able to log in to the remote FTD via SSH from the central site. Any suggestions on what to look out for would be great.
11-08-2022 12:20 PM
If the IP changed you need to de-register and re-register.
Check on FTD or FMC:
> show managers
11-08-2022 01:03 PM
The FTD still shows the FMC as the current manager. So correct me if I am wrong here. But if I delete the current manager it will wipe the configuration on the FTD. I will lose connectivity and drop all user traffic. This should not change the management of the device, so I should be able to still SSH to the FTD using the outside interface. Then I connect the FTD again to the FMC by running the "configure manager add x.x.x.x <pass>" command. This is where I cannot find any documentation on how to associate the existing configuration back to the device. Should it pick it up automatically, or is there a step I am missing here?
11-08-2022 03:33 PM
Removing the manager and adding it back will not have any impact on the traffic, but from FMC you are able to push changes (anyway it's not working for you now).
Most of the config is stored in FMC, so once it registers you can make changes; no config will be lost.
But saying that, 1 in 10000 may have a different issue (so from FMC back up the config, out of the box).
11-09-2022 05:35 AM
Balaji,
I tried that this morning and I am still having some issues on this remote FTD to get it to reconnect. I removed the manager.
configure manager delete
Then added the manager again
configure manager add x.y.z.83 JoinMe JoinMe
> show managers
Host : x.y.z.83
Registration Key : ****
Registration : pending
RPC Status :
> show managers
Host : x.y.z.83
Registration Key : ****
Registration : pending
RPC Status :
When I enable the existing device it errors with timeout. When I try and add the device it tells me that the time is not synced. The FMC is configured for NTP. I also validated the time on the FTD and it is within 1 second.
> sftunnel-status
SFTUNNEL Start Time: Wed Nov 9 13:15:15 2022
Both IPv4 and IPv6 connectivity is supported
Broadcast count = 1
Reserved SSL connections: 1
Management Interfaces: 2
management0 (control events) 192.168.98.3,
tap0.1000 (control events) 169.254.1.3,fd00:0:0:1::3
***********************
peer ~JoinMe did not reply at /usr/local/sf/bin/sftunnel_status.pl line 304.
Retry rpc status poll at /usr/local/sf/bin/sftunnel_status.pl line 310.
**RPC STATUS****x.y.z.83*************
RPC status :Failed
Check routes:
No peers to check
Again, this is a remote site and the FMC is configured with a NAT that was previously working to the remote site.
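As an added illustration (not part of the original thread), the two CLI outputs pasted above can be parsed mechanically to turn "Registration : pending" and "RPC status :Failed" into a checklist; the sample text below is constructed to mirror that paste, with placeholder addresses.

```python
import re

# Constructed sample output modelled on the thread's "show managers" and
# "sftunnel-status" paste (addresses are placeholders, not real hosts).
SHOW_MANAGERS = """\
Host : 198.51.100.83
Registration Key : ****
Registration : pending
RPC Status :
"""

SFTUNNEL_STATUS = """\
SFTUNNEL Start Time: Wed Nov 9 13:15:15 2022
Management Interfaces: 2
management0 (control events) 192.168.98.3,
peer ~JoinMe did not reply at /usr/local/sf/bin/sftunnel_status.pl line 304.
**RPC STATUS****198.51.100.83*************
RPC status :Failed
Check routes:
No peers to check
"""

def parse_show_managers(text):
    """Return {field: value} for the 'Key : Value' lines of 'show managers'."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_sftunnel_status(text):
    """Extract the pieces of sftunnel-status that matter for registration."""
    rpc = re.search(r"RPC status\s*:\s*(\w+)", text)          # lower-case line only
    peer_silent = re.search(r"peer (\S+) did not reply", text)
    return {
        "rpc_status": rpc.group(1) if rpc else "",
        "silent_peer": peer_silent.group(1) if peer_silent else "",
        "no_peers": "No peers to check" in text,
    }

def diagnose(managers_text, sftunnel_text):
    """Combine both outputs into findings that map to the FMC error checklist."""
    m = parse_show_managers(managers_text)
    s = parse_sftunnel_status(sftunnel_text)
    findings = []
    if m.get("Registration", "").lower() == "pending":
        findings.append("registration pending: FMC has not completed the add/enable")
    if s["rpc_status"].lower() == "failed":
        findings.append("sftunnel RPC failed: TCP 8305 path or NAT to FMC is broken")
    if s["silent_peer"]:
        findings.append(f"peer {s['silent_peer']} silent: check the FMC-side device entry")
    if s["no_peers"]:
        findings.append("no peers listed: tunnel never negotiated; check time sync and certificates")
    return findings
```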
11-09-2022 07:24 AM
You need to remove both sides; it is best to re-register.
If this was NATed then you need to change the NAT with the new IP address to translate.
11-09-2022 11:42 AM
No luck. Same error:
Could not establish connection with Device
Possible reasons could be:-
- Time on FMC and Device are not in sync. Make sure NTP is configured on both.
- There might be an IPS device between FMC/Device which might be blocking SSL connectivity between the two. Remove any rule in the IPS device which is blocking SSL connectivity.
- Device and FMC are not listening on same sftunnel Port. Current sftunnel port configured on FMC is 8305, please ensure Device is also using the same port.
- SSL certificates might have got generated with wrong/future time stamp.
For more troubleshooting tips, see https://cisco.com/go/fmc-reg-error
NAT was updated when I updated the Network Object for the FTD's outside interface. I am seeing NAT translations, packets both inbound & outbound on the packet capture.
The FMC IP did not change. I tried with "Unique NAT ID" and without. Also tried using "configure manager add DONTRESOLVE <key> <natID>".
Which leads maybe to the way I changed the IP address. The outbound (outside) interface is Ethernet1/1. Here is the output of show network.
> show network
===============[ System Information ]===============
Hostname : lynn00-ftdcx01
DNS Servers : 208.67.222.222
208.67.220.220
2620:119:35::35
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.98.1 <-this is the inside address
Netmask : 0.0.0.0
==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : <removed>
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.98.3
Netmask : 255.255.255.0
Gateway : 192.168.98.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
======[ System Information - Data Interfaces ]======
DNS Servers :
Interfaces : Ethernet1/1
==================[ Ethernet1/1 ]===================
State : Enabled
Link : Up
Name : lyn_outside
MTU : 1500
MAC Address : <removed>
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : x.y.z.38
Netmask : 255.255.255.240
Gateway : x.y.z.33
----------------------[ IPv6 ]----------------------
Configuration : Disabled
Any ideas?
11-09-2022 02:32 PM
Have you had a look at the logs in /ngfw/var/log/messages ? There might be a clue as to why registration is failing there.
11-10-2022 01:53 AM
Since you mentioned NAT (never tested myself): check the thread below; it has some information that may help you, apart from the suggestion made by @Marius Gunnerud about the logs.
11-10-2022 07:07 AM