01-17-2024 11:01 AM
I am trying to register my FTD to my remote FMC by this guide with the manual method,
but when I am adding my FTD to the FMC I get the error "Registration timed out. Please check connectivity and registration id".
I have configured the outside static IP address on the FTD as the management interface and also a registration ID and NAT ID. The FMC is behind NAT and I can ping the FTD outside IP.
On the FTD I configured the manager with the command "configure manager add DONTRESOLVE secret123 natid123" as I don't have direct access to the FMC. I tried to register the FTD with both IP and NAT ID, without IP with only the NAT ID, and also without NAT ID with only the static IP, but it fails every time. Can you help me?
01-18-2024 10:24 AM
There are two tunnels: one is control and the other is event.
So
points to check:
1- Check that the version is compatible between FTD and FMC
2- Share the FTD /ngfw/var/log/messages file and this capture:
> capture-traffic
Please choose domain to capture traffic from:
  0 - eth0
  1 - Global
Selection? 0
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n host <FMC IP>
MHM
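As an added example (not code from this thread, from Cisco, or from the FTD itself), the two checks MHM asks for can be scripted: parse an excerpt of /ngfw/var/log/messages and report whether any sftunnel or tcp/8305 activity appears at all, and test whether tcp/8305 towards the FMC is even reachable from the FTD side. The sample lines are constructed from the excerpt posted in this thread; the sftunneld line in the second sample is invented to show the other branch; the keyword filter assumes the FTD writes its sftunnel entries into messages, and the FMC address is a placeholder.

```python
import re
import socket
from collections import Counter

# Constructed sample, modelled on the /ngfw/var/log/messages excerpt posted in the thread.
# Nothing here mentions sftunnel or tcp/8305, which is the point: the registration
# attempt never reached this FTD.
SAMPLE_NO_TUNNEL = """\
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:06:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
"""

# Constructed sample with an invented sftunneld line (hypothetical wording, not real FTD output)
# so the other branch of the verdict logic is exercised.
SAMPLE_WITH_TUNNEL = SAMPLE_NO_TUNNEL + """\
Jan 17 19:10:00 fpr-02 SF-IMS[9000]: [9001] sftunneld:sf_ssl [INFO] connection to 203.0.113.10:8305 established
"""

# Classic BSD syslog layout: "<Mon DD HH:MM:SS> <host> <process>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[^:]+):\s(?P<msg>.*)$"
)


def parse_syslog(text):
    """Return one dict per parsable line; unparsable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count lines per process and pull out anything that looks manager-related."""
    by_process = Counter(e["proc"] for e in events)
    sftunnel = [e for e in events
                if "sftunnel" in e["proc"].lower() or "sftunnel" in e["msg"].lower()]
    port_8305 = [e for e in events if "8305" in e["msg"]]
    return {
        "total": len(events),
        "by_process": dict(by_process),
        "sftunnel": sftunnel,
        "port_8305": port_8305,
    }


def verdict(summary):
    """Coarse classification of what the log says about registration.

    no-manager-traffic: nothing about sftunnel/8305 at all, so look at NAT and
                        ACLs in front of the FMC before anything on the FTD.
    handshake-failed:   the tunnel was attempted but reported a failure
                        (registration key / NAT ID mismatch territory).
    tunnel-activity:    the tunnel is talking; look at version compatibility next.
    """
    if not summary["sftunnel"] and not summary["port_8305"]:
        return "no-manager-traffic"
    failed = any(word in e["msg"].lower()
                 for e in summary["sftunnel"]
                 for word in ("fail", "reject", "error", "timed out"))
    return "handshake-failed" if failed else "tunnel-activity"


def tcp_reachable(host, port=8305, timeout=3.0):
    """True if a TCP handshake to host:port completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, sample in (("thread excerpt", SAMPLE_NO_TUNNEL), ("with tunnel", SAMPLE_WITH_TUNNEL)):
        s = summarize(parse_syslog(sample))
        print(f"{label}: {s['total']} lines, verdict = {verdict(s)}")
    # FMC_PLACEHOLDER stands in for the real FMC address; replace before running on a box.
    print("tcp/8305 reachable:", tcp_reachable("192.0.2.1", timeout=1.0))
```

Run it in expert mode with the real log piped in (`tail -n 500 /ngfw/var/log/messages`) and the FMC address substituted; a "no-manager-traffic" verdict together with an unreachable tcp/8305 points at the NAT device or the FTD in front of the FMC, not at the registration key.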
01-17-2024 11:05 AM
@sherali mamatkarimov check the logs from the CLI of the FTD: enter expert mode and enter the command sudo tail -f /ngfw/var/log/messages
Is tcp/8305 allowed inbound/outbound to/from the FMC?
01-17-2024 11:10 AM
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_radius_auth: Could not open configuration file /etc/raddb/server: No such file or directory
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:06:07 fpr-02 sudo: admin : TTY=ttyS0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tail -f /ngfw/var/log/messages
Jan 17 19:06:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:18 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:29 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:38 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:49 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:00 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:07:21 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:33 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:44 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:05 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:08:13 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:23 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:34 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:46 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Here is the log.
Should I add an allow from any to any on port 8305? Is it unsafe? And should I close 8305 after registering?
01-17-2024 11:12 AM
@sherali mamatkarimov you have to leave tcp/8305 that is how the FMC and FTD communicate to deploy policy and send event logs etc. You could limit the communication on the FTD in front of the FMC to restrict communication to the FMC from known networks. The communication over tcp/8305 is encrypted.
01-17-2024 11:15 AM
I have opened port 8305 from anywhere to anywhere but it still fails. Here is my netstat from the FMC
And here from the FTD
01-17-2024 11:19 AM
@sherali mamatkarimov you need to check the firewall logs of the FTD protecting the FMC and confirm traffic is or is not permitted. You can use the capture-traffic command and filter on tcp/8305 to confirm the communication.
01-17-2024 11:25 AM
There are no connections on port 8305. How can I permit it from the CLI?
01-17-2024 11:30 AM
@sherali mamatkarimov You do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/
Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?
01-17-2024 12:06 PM
@Rob Ingram wrote: @sherali mamatkarimov You do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/
Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?
In that case the FTD and FMC are in one subnet, but in my case the FMC is remote and I can't see the capture traffic as I am going to connect to the FMC not via the management0 interface.
01-17-2024 12:12 PM
@sherali mamatkarimov you can capture on the FTD in front of the FMC (the firewall that is NATting the traffic and permitting the connections), and you can run system support firewall-engine-debug as you would when troubleshooting any other connection issue - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
Or you can run tcpdump on the FMC, and you can check the events in the FMC if you filter on the remote FTD.
01-17-2024 11:30 AM
Which interface do you use to register the FTD to the FMC?
Mgmt or outside data interface?
MHM
01-17-2024 11:32 AM
Outside interface
01-17-2024 11:37 AM
Perfect
Is the FMC IP you use behind NAT?
MHM
01-17-2024 11:40 AM
Yes, the FMC IP is behind NAT
01-17-2024 11:44 AM
> configure manager add DONTRESOLVE Cisco-123 nat123
Then try this on the FTD using the key and NAT ID
MHM