FTD rejecting SSL Cert from FMC

Cyianara69
Level 1

Hi All,

 

Wondering if anyone has seen this problem. Trying to register a 6.4 FTD with 6.4 FMC. Logs on the FTD are showing errors with the FMC SSL certificate and the sftunnel is never established between the two devices. All devices are straight out of the box.

 

Error:  sftunneld:sf_ssl [Error] -Error with certificate at depth: 1

 

Any hints or clues to point in the right direction??

 

Thanks,

3 Replies

Marvin Rhoads
Hall of Fame

I've never encountered that problem personally. The process should work even with the default self-signed certificates on both ends. The sftunnel process uses https (TLS) over tcp/8305 to secure the communications of the management and eventing channels.

I have seen one or two cases reported where this error was caused by the time/date being out of sync between the FMC and device you are trying to add. Can you check the time and ntp status on both?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html#anc25
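A quick way to turn the time-sync suggestion above into a check is to pull the certificate chain the FMC presents on tcp/8305 and compare each certificate's validity window with the local clock: a clock that is behind makes the issuer certificate (depth 1) look "not yet valid", which is exactly the kind of failure sftunneld reports. The script below is an added example for this thread, not Cisco code and not something either poster ran; it assumes `openssl` is on the path, that the FMC address is passed as the first argument (the `192.0.2.10` default is a placeholder), and that the FMC answers a plain TLS handshake on 8305.

```python
"""Clock-skew check for the FMC sftunnel certificate chain (added example;
not Cisco code and not part of the original thread).

sftunnel runs TLS on tcp/8305. If the checking device's clock sits outside
the validity window of a certificate in the FMC's chain, verification fails
at that depth (depth 0 is the leaf, depth 1 its issuer). This script pulls
the chain with `openssl s_client -showcerts`, reads each certificate's dates
with `openssl x509 -noout -dates`, and reports whether the local clock falls
inside each window. Host/port handling is an assumption; the parsing and
diagnosis helpers are pure so they can be exercised offline.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

SFTUNNEL_PORT = 8305  # management and eventing channel between FMC and FTD

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def at(year, month, day, hour=0, minute=0, second=0):
    """UTC timestamp helper, used for offline checks of diagnose()."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Parse the 'notBefore=' / 'notAfter=' lines printed by
    `openssl x509 -noout -dates` (e.g. 'notBefore=Jan  1 00:00:00 2019 GMT')."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            found[key.strip()] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y %Z"
            ).replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("openssl output did not contain both validity dates")
    return found["notBefore"], found["notAfter"]


def diagnose(not_before, not_after, now):
    """Classify `now` against the validity window.

    Returns (status, skew): status is 'not_yet_valid', 'expired' or 'ok';
    skew is how far the clock would have to move to land inside the window
    (zero when status is 'ok'). A clock that is behind shows up as
    'not_yet_valid', the usual signature of unsynced time on a freshly
    deployed device.
    """
    if now < not_before:
        return "not_yet_valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "ok", timedelta(0)


def fetch_chain_dates(host, port=SFTUNNEL_PORT):
    """Return [(depth, notBefore, notAfter), ...] for the chain the FMC
    presents on tcp/8305. Depth numbering matches the sftunneld log line.
    No chain verification is done here; only the dates are read."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input=b"", capture_output=True, timeout=20,
    )
    chain = []
    pems = PEM_BLOCK.findall(client.stdout.decode(errors="replace"))
    for depth, pem in enumerate(pems):
        x509 = subprocess.run(
            ["openssl", "x509", "-noout", "-dates"],
            input=pem.encode(), capture_output=True, check=True,
        )
        chain.append((depth, *parse_openssl_dates(x509.stdout.decode())))
    if not chain:
        raise RuntimeError(f"no certificates received from {host}:{port}")
    return chain


if __name__ == "__main__":
    # Assumed invocation: python3 sftunnel_cert_window.py <fmc-ip>
    fmc = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    now = datetime.now(timezone.utc)
    print(f"local clock (UTC): {now:%Y-%m-%d %H:%M:%S}")
    for depth, nb, na in fetch_chain_dates(fmc):
        status, skew = diagnose(nb, na, now)
        note = f" (clock off by about {skew.days} days)" if status != "ok" else ""
        print(f"depth {depth}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d}  {status}{note}")
```

Run it from the device that is failing to register (any shell with `openssl` and reachability to the FMC on 8305 will do). A `not_yet_valid` result at depth 1 with a skew of months or years points at the clock rather than the certificate itself; fix NTP on both ends first and only then look at regenerating anything.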

I checked the time on both the FMC and FTD and they were off. I'm backtracking now to make sure the FPC chassis time is correct; however, after syncing the time, I get a CRL expired error now on the FTD. Not sure how to get around that.

If it's a brand new FTD logical device on a 4100 or 9300 series chassis, it may be easier to just delete and recreate it rather than try to regenerate the self-signed certificate being used by sftunnel.
