FTD to remote FMC registration problem

I am trying to register my FTD to my remote FMC using this guide with the manual method:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/ftd-fmc-remote.html#task_imq_yw3_b3b

but when I add my FTD to the FMC I get the error "Registration timed out. Please check connectivity and registration id".

I have configured the outside static IP address on the FTD as the management interface, and also the registration ID and NAT ID. The FMC is behind NAT and I can ping the FTD outside IP.

On the FTD I configured the manager with the command "configure manager add DONTRESOLVE secret123 natid123" as I don't have direct access to the FMC. I tried to register the FTD with IP and NAT ID both, without IP only with NAT ID, and also without NAT ID only with the static IP, but it fails every time. Can you help me?

Accepted Solution

There are two tunnels, one is control and the other is event.
So, points to check:
1- Check whether the version is compatible between FTD and FMC.
FTD /ngfw/var/log/messages file:
2- Share this:

> capture-traffic

Please choose domain to capture traffic from:
  0 - eth0
  1 - Global

Selection? 0

Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n host <FMC IP>

 MHM


@sherali mamatkarimov check the logs from the CLI of the FTD: enter expert mode and enter the command sudo tail -f /ngfw/var/log/messages

Is tcp/8305 allowed inbound/outbound to/from the FMC?

Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_radius_auth: Could not open configuration file /etc/raddb/server: No such file or directory
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: reconnecting to LDAP server...
Jan 17 19:06:04 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:06:07 fpr-02 sudo: admin : TTY=ttyS0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tail -f /ngfw/var/log/messages
Jan 17 19:06:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:18 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:29 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:38 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:06:49 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:00 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:07:21 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:33 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:44 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:05 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:08:07 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
Jan 17 19:08:13 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:23 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:34 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:46 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:08:55 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket

Here is the log.

Should I add an allow rule from any to any for port 8305? Is it unsafe? And should I close 8305 after registering?

 

@sherali mamatkarimov you have to leave tcp/8305 that is how the FMC and FTD communicate to deploy policy and send event logs etc. You could limit the communication on the FTD in front of the FMC to restrict communication to the FMC from known networks. The communication over tcp/8305 is encrypted.
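As an added example (not code from the thread, from Cisco, or from the posters), the following Python triages a /ngfw/var/log/messages excerpt of the kind posted above and includes a reachability probe for the tcp/8305 management channel that the reply above describes. Everything in it beyond the six sample lines (which are copied from the posted log) is an assumption of this example: the NOISE patterns, the keyword list, and the idea that the FTD's own registration messages, which the thread does not show, would contain one of those keywords, so the keyword match is deliberately broad.

```python
"""Triage helper for an FTD-to-FMC registration attempt.

Added example; not code from the thread, from Cisco, or from the posters.
Assumptions: the syslog layout matches the excerpt posted in the thread,
the NOISE patterns are unrelated to registration, and the FTD's own
registration messages (not shown in the thread) would mention one of the
REGISTRATION_KEYWORDS.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (process, substring) pairs treated as background noise (assumed).
NOISE = (
    ("sudo", "pam_ldap"),                         # sudo trying LDAP auth
    ("sudo", "pam_radius_auth"),                  # sudo trying RADIUS auth
    ("sudo", "COMMAND=/usr/bin/pgrep"),           # health checks for snort/sfhassd
    ("sudo", "COMMAND=/usr/bin/tail"),            # the operator's own tail -f
    ("SF-IMS", "GRPC-Client Session Directory"),  # identity-directory client
)

# Broad keyword match for management-channel activity (assumed).
REGISTRATION_KEYWORDS = ("sftunnel", "8305", "manager", "registration")

# Constructed sample: six lines copied from the excerpt posted in the thread.
SAMPLE_LOG = """
Jan 17 19:06:01 fpr-02 sudo: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 17 19:06:04 fpr-02 sudo: pam_radius_auth: Could not open configuration file /etc/raddb/server: No such file or directory
Jan 17 19:06:05 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
Jan 17 19:06:07 fpr-02 sudo: admin : TTY=ttyS0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tail -f /ngfw/var/log/messages
Jan 17 19:06:09 fpr-02 SF-IMS[8503]: [8730] SFDataCorrelator:adi.subscriber [INFO] GRPC-Client Session Directory connects to host unix:///tmp/vdi.socket
Jan 17 19:07:11 fpr-02 sudo: root : PWD=/opt/cisco/csp/applications ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into timestamp, host, process, pid and message."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, Optional[str]]) -> str:
    """Bucket an entry as 'registration', 'noise' or 'other'."""
    haystack = f"{entry['proc']} {entry['msg']}".lower()
    if any(k in haystack for k in REGISTRATION_KEYWORDS):
        return "registration"
    for proc, marker in NOISE:
        if entry["proc"] == proc and marker in (entry["msg"] or ""):
            return "noise"
    return "other"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Sort log lines into buckets; unparsable lines are kept, not dropped."""
    buckets: Dict[str, List[str]] = {"registration": [], "noise": [], "other": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        buckets["unparsed" if entry is None else classify(entry)].append(line)
    return buckets


def verdict(buckets: Dict[str, List[str]]) -> str:
    """Turn the buckets into the next troubleshooting step."""
    if buckets["registration"]:
        return "management-channel activity present: inspect the registration lines"
    return ("no management-channel activity in this window: confirm tcp/8305 "
            "reaches the FTD through the NAT/ACL path before re-registering")


def tcp_probe(host: str, port: int = 8305, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    With DONTRESOLVE the FMC initiates the session, so run this from the
    FMC side against the FTD's outside (management) address.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_self_check() -> Tuple[bool, bool]:
    """Verify the probe itself against a local open port and a closed one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_probe("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_result = tcp_probe("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print({k: len(v) for k, v in result.items()})
    print(verdict(result))
    print("probe self-check (open, closed):", probe_self_check())
```

Run against the posted excerpt every line lands in the noise bucket and the verdict is that nothing on the management channel was seen in that window, which matches the advice in this thread to look at the firewall in front of the FMC rather than at the FTD itself. The probe only tells you whether a handshake completes; a permitted but mis-NATed path still shows up as a timeout, so pair it with the capture-traffic filter on tcp/8305 suggested later in the thread.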

I have opened port 8305 from anywhere to anywhere but it still fails. Here is my netstat from the FMC:

[netstat screenshot from the FMC]

And here from the FTD:

[netstat screenshot from the FTD]

@sherali mamatkarimov you need to check the firewall logs of the FTD protecting the FMC and confirm traffic is or is not permitted. You can use the capture-traffic command and filter on tcp/8305 to confirm the communication.

There are no connections on port 8305. How can I permit it from the CLI?


@sherali mamatkarimov You do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/

Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?

 


@Rob Ingram wrote:

@sherali mamatkarimov You do not permit from the CLI. You define the manager on the CLI (as you already appear to have done) and then from the FMC you register the device and communication is established. Example - https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/

Have you checked the firewall logs of the FTD in front of the FMC to confirm the traffic is being permitted?

In that case the FTD and FMC are in one subnet, but in my case the FMC is remote and I can't see the captured traffic, as I am connecting to the FMC not via the management0 interface.

@sherali mamatkarimov you can capture on the FTD in front of the FMC (the firewall that is NATting the traffic and permitting the connections); you can run system support firewall-engine-debug as you would when troubleshooting any other connection issue - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Or you can run tcpdump on the FMC, you can check the events in the FMC if you filter on the remote FTD.

Which interface do you use to register the FTD to the FMC?
Mgmt or OUTside data interface?

MHM

Perfect.
Is the FMC IP you use behind NAT?
MHM

Yes FMC IP is behind NAT

> configure manager add DONTRESOLVE Cisco-123 nat123

Then try this in the FTD using the key and NAT ID.
MHM 
