08-14-2024 11:33 PM
FTD: 3130
FMC: 1700
FMC on-net and in HA with databases synchronised. Time set correctly.
FTD management interface is on the same subnet as FMC. Only interface connected is management interface.
FTD can ping FMC and FMC can ping FTD.
Try to add FTD as a device to FMC and it times out.
Registration timed out. Please check connectivity and registration id
Time on FTD is configured with NTP but that connectivity isn't there yet, so time is incorrect. Is this the issue? If so - how do you statically define a time on the FTD to allow it to join the FMC?
Thanks in advance.
08-14-2024 11:46 PM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe84715
M.
-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
08-14-2024 11:48 PM
@wazzfi check the logs, that will confirm the issue.
- From the CLI of the FTD enter expert mode
- Enter the command sudo tail -f /ngfw/var/logs/messages
You can check if the registration details are correct using
- sudo tail -f /etc/sf/sftunnel.conf
What version of FMC and FTD are you running? The FMC has to support the version the FTD is running; the FTD cannot be a newer version than the FMC is running.
08-15-2024 12:08 AM
Thanks Rob
Is there a recommended version at the moment? Is there a compatibility matrix I need to follow, or is simply having the FMC higher than the FTD sufficient?
08-15-2024 12:34 AM
@wazzfi the FTD just cannot be a higher/newer version than the FMC. For the 3130 7.2.8 is the current recommended version, else 7.4.2.
08-18-2024 03:56 PM
OK so the FMC is now running 7.4.2 and the FTD is running 7.2.3.
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [77314] sftunneld:sf_connections [INFO] Start connection to : <FMC IP> (wait 80 seconds is up)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_peers [INFO] Peer <FMC IP> needs a single connection
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - management0
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via management0)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via management0)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> failed on port 8305 socket 8 (Connection refused)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to <FMC IP> on port 8305 - tap_nlp
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via tap_nlp)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to <FMC IP> (via tap_nlp)
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FMC IP>:8305/tcp
Aug 18 22:43:19 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): <FMC IP>
Aug 18 22:43:27 <hostname> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:36 <hostname> SF-IMS[70449]: [70677] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Aug 18 22:43:39 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 18 22:43:39 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] No IPv4 connection to <FMC IP>
Aug 18 22:43:39 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 18 22:43:39 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [WARN] Unable to connect to peer '<FMC IP>'
Aug 18 22:43:39 <hostname> SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] reconnect to peer '<FMC IP>' in 80 seconds
and it seems like the manager details aren't written into the database?
sudo tail -f /etc/sf/sftunnel.conf
Password:
};
peers_registered
{
}
peers_pending
{
}
peers_routed
{
}
08-18-2024 10:09 PM
@wazzfi you added the command configure manager add <ip address> <key>? If you then run the command show managers it should show the configuration.
Take a tcpdump from the FMC side, filter on the IP address of the FTD and see what communication there is when you attempt to register the FTD from the FMC GUI.
Is the FMC behind a NAT and another firewall that could be affecting the communication?
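The checks from Rob's earlier reply (tail the sftunneld messages log and inspect /etc/sf/sftunnel.conf) and the "did the manager actually get recorded" question in this reply, folded into one small script as an added example; this is not code from the thread or from Cisco. It assumes only the file paths and the log message wording quoted above in the thread. The sample log lines and the two sftunnel.conf files are constructed so the script runs offline, and the single entry in the "registered" sample is a placeholder line, not the real peer-entry format.

```shell
#!/bin/sh
# Added example (not from the thread): summarise FTD-side sftunnel
# registration state from the two files the replies above point at.
#   /ngfw/var/logs/messages  -> how the connects to the FMC on TCP/8305 ended
#   /etc/sf/sftunnel.conf    -> whether any peer landed in peers_registered
# Sample contents below are constructed; the log wording matches the lines
# posted in the thread.

# Count sftunneld connection attempts and their two failure modes seen above.
# $1 = syslog-style messages file. Output: attempts=<n> refused=<n> timeout=<n>
sftunnel_summary() {
    attempts=$(grep -c 'sftunneld:sf_ssl.*Initiating IPv4 connection to .*:8305/tcp' "$1" || true)
    refused=$(grep -c 'sftunneld:sf_ssl.*failed on port 8305.*Connection refused' "$1" || true)
    timeout=$(grep -c 'sftunneld:sf_ssl \[ERROR\] Unable to connect to port 8305' "$1" || true)
    echo "attempts=$attempts refused=$refused timeout=$timeout"
}

# Count non-empty lines inside the peers_registered { ... } block.
# $1 = sftunnel.conf-style file. Output: a single integer (0 = nothing registered).
registered_peer_count() {
    awk '
        $1 == "peers_registered" { inblock = 1; next }
        inblock && $1 == "{"      { next }
        inblock && $1 == "}"      { exit }
        inblock && NF > 0         { n++ }
        END { print n + 0 }
    ' "$1"
}

# Combine both checks the way the thread reasons about them: failed connects
# plus an empty peers_registered block means the manager was never accepted,
# so the "configure manager add" arguments and any NAT/firewall in the path
# are the first things to revisit.
registration_verdict() {
    summary=$(sftunnel_summary "$1")
    peers=$(registered_peer_count "$2")
    case "$summary" in
        *refused=0*timeout=0*) failed=0 ;;
        *)                     failed=1 ;;
    esac
    if [ "$failed" -eq 1 ] && [ "$peers" -eq 0 ]; then
        echo "NOT_REGISTERED"
    elif [ "$peers" -gt 0 ]; then
        echo "REGISTERED"
    else
        echo "UNKNOWN"
    fi
}

# --- constructed sample input (placeholder host "ftd", FMC at 192.0.2.10) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LOG="$SAMPLE_DIR/messages"
SAMPLE_CONF="$SAMPLE_DIR/sftunnel.conf"
SAMPLE_CONF_OK="$SAMPLE_DIR/sftunnel-registered.conf"

cat > "$SAMPLE_LOG" <<'EOF'
Aug 18 22:43:19 ftd SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
Aug 18 22:43:19 ftd SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Connect to 192.0.2.10 failed on port 8305 socket 8 (Connection refused)
Aug 18 22:43:19 ftd SF-IMS[77287]: [2752] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
Aug 18 22:43:39 ftd SF-IMS[77287]: [2752] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Operation now in progress
Aug 18 22:43:39 ftd SF-IMS[77287]: [2752] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.0.2.10'
EOF

# Empty blocks, exactly as posted in the thread.
cat > "$SAMPLE_CONF" <<'EOF'
peers_registered
{
}
peers_pending
{
}
EOF

# Constructed "good" case; the entry line is a placeholder, not the real format.
cat > "$SAMPLE_CONF_OK" <<'EOF'
peers_registered
{
    placeholder_peer_entry
}
peers_pending
{
}
EOF

echo "log summary : $(sftunnel_summary "$SAMPLE_LOG")"
echo "registered  : $(registered_peer_count "$SAMPLE_CONF")"
echo "verdict     : $(registration_verdict "$SAMPLE_LOG" "$SAMPLE_CONF")"
```

On the FTD the same functions can be pointed at /ngfw/var/logs/messages and /etc/sf/sftunnel.conf from expert mode (with sudo, as in the thread). On the FMC side, the tcpdump suggested in this reply can be narrowed to the registration channel with a filter such as `host <FTD IP> and tcp port 8305`, which makes a SYN with no reply, or a reset, stand out from a successful handshake.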
08-18-2024 10:23 PM
You are adding at both ends, correct? i.e., "configure manager add..." at FTD and adding the FTD management IP via the FMC GUI.
08-18-2024 10:31 PM
Hi team.
Thank you for all of the support.
Issue is fixed - I added the nat reference at the end of the "configure manager add..." statement and it worked. I don't know why but it did. Perhaps because the FW is in routed mode?
Thank you again.
08-19-2024 12:36 PM
Hi friend, can you elaborate more on your solution?
If both FTD and FMC are on the same subnet, there is no need for NAT,
or am I wrong?
MHM
08-19-2024 02:41 PM
100% do not disagree with you, mate. The FMC and FTD MGMT interfaces were in the same subnets. They refused to work until I added the NAT key. I saw this in another online post and tried it out.
08-19-2024 02:52 PM
Maybe you use DHCP on one of them?
This could explain the NAT keyword.
08-19-2024 03:12 PM
Nah, didn't use DHCP; static IPs configured on the MGMT interface.
