FTD primary in disabled state on FMC

guidov2
Level 1

Hello, we are running 4 FTD instances on 2 Firepower 4145 in an HA pair.

One FTD is shown on FMC as disabled (it happened after an emergency maintenance window where the devices were powered off and powered on again).

Now we are trying to fix the issue, but until now no success.

By CLI the primary FMC has no manager, so we try to reconfigure it, unsuccessfully.

Looking at the logs, it seems an authentication error on the sftunnel:

Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Initiate connection using resolved_ip_list having [1] entries (via management0)
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Initiate IPv4 type connection
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Initiate IPv4 connection from resolved_ip_list to 100.67.28.201 (via management0)
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 100.67.28.201:8305/tcp
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv4): 100.67.28.201
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45458] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv4(100.67.28.249) management0
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45458] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv4(169.254.1.2) tap_nlp
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Connected to 100.67.28.201 from resolved_ip_list (port 8305) (IPv4)
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45458] sftunneld:tunnsockets [INFO] Started listening on port 8305 IPv6 (fd00:0:0:1::2) tap_nlp
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '100.67.28.201'
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] ConnectToServer connected Peer TLS with version is [TLSv1.2]
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Aug 4 15:53:57 I_CHL_CORP SF-IMS[45436]: [45460] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '100.67.28.201'

The issue is that it is not possible, as the regkey is the same for any FTD, and if it were different the secondary unit should also not connect.

The clock is the same on the 2 devices ...

We are thinking of breaking the HA (but this should clear the configuration of the secondary, which is working fine). Probably the solution is to delete the HA instance from FMC and then add the devices again on FMC ... but we have some doubts and we cannot stop services on that instance.

We have an open case, but at the moment we have no result ...

Any help is appreciated

Thanks and regards
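A small triage script for sftunneld excerpts like the one above, added here as an example and not part of the original post or of Cisco's tooling: it walks the lines in order and reports whether the tunnel stalled at TCP, at the TLS handshake, or (as in the post) only after TLS came up, at peer authentication. The sample log, hostname and addresses are constructed.

```python
import re

# Constructed sample in the format sftunneld logs on an FTD (example hostname/addresses, not a capture).
SAMPLE_LOG = """\
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Connected to 192.0.2.10 from resolved_ip_list (port 8305) (IPv4)
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '192.0.2.10'
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [INFO] ConnectToServer connected Peer TLS with version is [TLSv1.2]
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Aug 4 15:53:57 ftd-a SF-IMS[45436]: [45460] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '192.0.2.10'
"""

# One pattern per lifecycle event; only the message text after the level tag is inspected.
LINE_RE = re.compile(r"sftunneld:(?P<mod>\w+) \[(?P<lvl>\w+)\] (?P<msg>.*)$")
PEER_RE = re.compile(r"Initiating IPv4 connection to (?P<ip>[\d.]+):(?P<port>\d+)/tcp")
TLS_RE = re.compile(r"Peer TLS with version is \[(?P<ver>[^\]]+)\]")
AUTH_FAIL_RE = re.compile(r"Failed to authenticate or to be authenticated by peer '(?P<ip>[^']+)'")

def parse_sftunnel_log(text: str) -> dict:
    """Walk sftunneld lines in order and record how far the tunnel got."""
    st = {"peer": None, "tcp": False, "tls": False, "tls_version": None, "auth_failed": False}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sftunneld line
        msg = m.group("msg")
        if p := PEER_RE.search(msg):
            st["peer"] = p.group("ip")
        elif msg.startswith("Connected to "):
            st["tcp"] = True                      # TCP session to 8305 came up
        elif msg.startswith("Successfully connected using SSL"):
            st["tls"] = True                      # TLS handshake with the FMC completed
        elif t := TLS_RE.search(msg):
            st["tls_version"] = t.group("ver")
        elif AUTH_FAIL_RE.search(msg):
            st["auth_failed"] = True              # sftunnel-level peer authentication failed
    return st

def diagnose(st: dict) -> str:
    """Tell a reachability problem apart from an identity/registration problem."""
    if not st["tcp"]:
        return "no TCP session to the FMC: check management routing and reachability of port 8305"
    if not st["tls"]:
        return "TCP up but TLS handshake failed: check sftunnel certificates and clocks"
    if st["auth_failed"]:
        return "TLS up but peer authentication failed: device identity does not match the FMC's record"
    return "sftunnel healthy"

if __name__ == "__main__":
    print(diagnose(parse_sftunnel_log(SAMPLE_LOG)))
```

For the sample above the verdict is the third one: the network path and TLS are fine, so the problem lies in the registration identity between the device and FMC rather than in reachability.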

2 Replies

Marvin Rhoads
Hall of Fame

I have seen the FTD database get corrupted sometimes when there is an unscheduled power loss such as you had. In those cases it is usually necessary to rebuild (re-image) the device, remove the old instance from FMC and then rejoin it in the FMC and any HA pair.

On the FMC, in expert mode, run the command pmtool status to show the status of the sftunnel for management traffic between FTD and FMC.

If the sftunnel is showing as down, you can try to restart it.

user@fpr1:/ngfw/var/sf/bin# sudo su -
root@fpr1:/ngfw/var/sf/bin# manage_procs.pl

****************  Configuration Utility  **************

 1   Reconfigure Correlator
 2   Reconfigure and flush Correlator
 3   Restart Comm. channel
 4   Update routes
 5   Reset all routes
 6   Validate Network
 0   Exit

**************************************************************

Enter choice: 3
1

****************  Configuration Utility  **************

 1   Reconfigure Correlator
 2   Reconfigure and flush Correlator
 3   Restart Comm. channel
 4   Update routes
 5   Reset all routes
 6   Validate Network
 0   Exit

**************************************************************

Enter choice: 0
