Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1674
Views
7
Helpful
12
Replies

FTD not registering to FMC

Go to solution
wazzfi
Level 1
Level 1

‎08-14-2024 11:33 PM

FTD: 3130

FMC: 1700

FMC on-net and in HA with databases synchonised. Time set correctly. 

 

FTD management interface is on the same subnet as FMC. Only interface connected is management interface. 

FTD can ping FMC and FMC can ping FTD.

Try to add FTD as a device to FMC and it times out. 

Registration timed out. Please check connectivity and registration id

Time on FTD is configured with NTP but that connectivity isnt there yet, so time is incorrect. Is this the issue? If so - how do you statically define a time on the FTD to allow it to join the FMC? 

Thanks in advance. 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
wazzfi
Level 1
Level 1

‎08-18-2024 10:31 PM

Hi team.

Thank you for all of the support.

Issue is fixed - I added the nat reference at the end of the "configure manager add..." statement and it worked. I dont know why but it did. Perhaps because the FW is in routed mode? 

Thank you again.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
marce1000
Hall of Fame
Hall of Fame

‎08-14-2024 11:46 PM

 

                - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe84715

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
Rob Ingram
VIP
VIP

‎08-14-2024 11:48 PM

@wazzfi check the logs, that will confirm the issue.

 

  • From the CLI of the FTD enter expert mode
  • Enter the command sudo tail -f /ngfw/var/logs/messages

You can check if the registration details are correct using

  • sudo tail -f /etc/sf/sftunnel.conf

What version of FMC and FTD are you running? The FMC has to support the version the FTD is running, the FTD cannot be a newer version than the FMC is running.

 

Go to solution
wazzfi
Level 1
Level 1
In response to Rob Ingram

‎08-15-2024 12:08 AM

Thanks Rob 

Is there a recommended version at the moment? Is there a compatibility matrix I need to follow or is simply having the FMC higher than the FTD be sufficient?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wazzfi

‎08-15-2024 12:34 AM

@wazzfi the FTD just cannot be a higher/newer version than the FMC. For the 3130 7.2.8 is the current recommended version, else 7.4.2.

Go to solution
wazzfi
Level 1
Level 1
In response to Rob Ingram

‎08-18-2024 03:56 PM

OK so the FMC is now running 7.4.2 and the FTD is running 7.2.3.

Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [77314] sftunneld:sf_connections [INFO] Start connection to : <FMC IP> (wait 80 seconds is up)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_peers [INFO] Peer <FMC IP> needs a single connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - management0
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via management0)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via management0)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> failed on port 8305 socket 8 (Connection refused)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - tap_nlp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via tap_nlp)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via tap_nlp)
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:27 <hostnmae> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:36 <hostnmae> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [WARN] Unable to connect to peer '<FMC IP>'
Aug 18 22:43:39 <hostnmae> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] reconnect to peer '<FMC IP>' in 80 seconds

and seems like the manager details arent written into the database?

sudo tail -f /etc/sf/sftunnel.conf
Password:
};
peers_registered
{
}
peers_pending
{
}
peers_routed
{
}

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wazzfi

‎08-18-2024 10:09 PM

@wazzfi you added the command configure manager add <ip address> <key>? If you then run the command show managers it should show the configuration.

Take a tcpdump from the FMC side, filter on the IP address of the FTD and see what communication there is when you attempt to register the FTD from the FMC GUI.

Is the FMC behind a NAT and another firewall that could be affecting the communication?

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to wazzfi

‎08-18-2024 10:23 PM

You are adding at both ends, correct? i.e., "configure manager add..." at FTD and adding the FTD management IP via the FMC GUI.

0 Helpful

Go to solution
wazzfi
Level 1
Level 1

‎08-18-2024 10:31 PM

Hi team.

Thank you for all of the support.

Issue is fixed - I added the nat reference at the end of the "configure manager add..." statement and it worked. I dont know why but it did. Perhaps because the FW is in routed mode? 

Thank you again.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to wazzfi

‎08-19-2024 12:36 PM

hi friend can you more elaborate your solution 
if both ftd and fmc same subnet so there is no need NAT 

or I am wrong 

MHM

0 Helpful

Go to solution
wazzfi
Level 1
Level 1
In response to MHM Cisco World

‎08-19-2024 02:41 PM

100% do not disagree with you, mate. The FMC and FTD MGMT interfaces were in the same subnets. They refused to work until I added the NAT key. I saw this in another online post and tried it out. 

Go to solution
MHM Cisco World
VIP
VIP
In response to wazzfi

‎08-19-2024 02:52 PM

maybe you use dhcp in one of them ?

this can explain the NAT keyword 

Screenshot (163).png

Screenshot (164).png

0 Helpful

Go to solution
wazzfi
Level 1
Level 1
In response to MHM Cisco World

‎08-19-2024 03:12 PM

Na didnt use DHCP, static IPs configured on MGMT interface. 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top