Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
3
Helpful
8
Replies

FTD re-register to FMC chassis mode

glsparks
Level 1
Level 1

‎04-25-2024 06:54 AM

Deployed a 3100 in chassis mode to the FMC a few days ago. All went to plan.

Determined we needed to change the IP so decided just to delete the device from FMC and re-provision it.

On the FTD via local-mgmt did a erase configuration. The device wiped fine and rebooted.

Went through the setup and set the new ip manager, registration key NAT-ID etc.

Now the device will not register to the FMC. It continually times out at the secured connection point.

Pings etc all work fine.

How do I resolve this? Sounds like something is stuck in the FMC somewhere.

0 Helpful
8 Replies 8

Aref Alsouqi
VIP
VIP

‎04-25-2024 07:34 AM

Try please to check the following log from expert mode on the FTD whilst you are trying to register it to the FMC, it should give you some indications of the reason why it is failing.

 

tail -f /var/log/messages | grep 'the FMC IP address'

 

0 Helpful

glsparks
Level 1
Level 1
In response to Aref Alsouqi

‎04-25-2024 07:49 AM

How do you get into expert mode when the device is in Chassis mode? You can't go to FTD as that is not available.

0 Helpful

glsparks
Level 1
Level 1
In response to glsparks

‎04-25-2024 07:57 AM

Its finally deployed. Took over 20 attempts.

Aref Alsouqi
VIP
VIP
In response to glsparks

‎04-25-2024 08:55 AM - edited ‎04-25-2024 08:55 AM

My bad then, sorry, I didn't realize the FTD wasn't available yet, and glad to know it finally worked.

0 Helpful

glsparks
Level 1
Level 1
In response to Aref Alsouqi

‎04-26-2024 12:13 AM

I think the registration process must be particularly sensitive to latency. Was experiencing somewhat high latency at the time 20ms or thereabouts the devices was being provisioned remotely. I'll know for next time.

roki
Level 1
Level 1

‎05-24-2024 03:10 AM

Hello, and thank you for posting this. I am glad you got your problem solved, but I could actually really use your help as I have a similar problem.

I am also running a 3100 chassis and already registered it in FMC but unfortunately it was discovered later that the name was wrong. I haven't been able to find a way to change the name displayed on the chassis inside the FMC device list, and so I came to the conclusion that a reregister maneuver like you performed, would be the best option. 
As you, I also dont have access to the FTD cli after converting to multi-instance chassis, but I fail to see how I can run a registration command in the local-mgmt mode? 
In your description it sounded to me like you simply erased config, and then was able to immediately write a command in local-mgmt mode to re-enroll. 
Is it the case that when you unenroll, then ftd becomes available again?, or is it because you did a reimage as well afterwards which then enabled you to re-enroll?

regards

- Roar

0 Helpful

glsparks
Level 1
Level 1
In response to roki

‎05-24-2024 04:03 AM

To re-register i did these steps:

Deleted it from FMC 

connect local-mgmt

erase configuration

Once it reloaded i simply ran through the initial wizard again. I think you could even skip this bit as the next step appears to wipe what you put in via the wizard or prior to running the registration commands, including hostnames etc.

Switch to the FTD

configure multi-instance network ipv4 x.x.x y.y.y.y x.x.x.x manager x.x.x.x DONTRESOLVE xxx xxx

I ensured new NAT's

This prompted me it was going to wipe the initial settings added via the wizard and then reloads.

Added it back into the FMC.

Once you switch to chassis mode you can't do anything locally of any significance on the 3100. From what I can tell and what TAC have told me. It won't let you save any changes and errors saying changes should be via the FMC.

I tried to setup AAA for example for the Chassis and got no where. TAC confirmed this and other changes to the chassis are not supported, so i don't think you can do anything like set a hostname. The only thing i think you can do is change the password of the admin account locally and upload files and such. Everything has to be done via the FMC.

I don't think the documentation or the CLI help is particularly clear on any of this. Take the AAA on the CLI for example there are commands in there for TACACS but no reference to this in any documentation. I can only assume a lot of the core code is shared with other Cisco kit and simply doesn't work for this platform.

roki
Level 1
Level 1
In response to glsparks

‎05-24-2024 04:24 AM

Thanks man! This was the good news I was hoping for! this really saves me a bunch of time! Goes to show I should use these forums more often

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card