Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
1
Helpful
1
Replies

FTD: Unable to reach Cisco Cloud from the device

swscco001
Level 3
Level 3

‎03-08-2024 02:42 AM

Hello everybody,

our customer is using the FMC rel. 7.2.5.1 and a HA pair of two FTD4115 runng rel. 7.2.5.

Since the upgrade of the firewalls he get the following error message on both devices:

Threat Data Updates on Devices
Cisco Cloud Configuration - Unable to reach Cisco Cloud from the device. Please check the network connection. 

Data Update Status
Data Type	Status
URL Category and Reputation	Success
SI Network Lists and Feeds	Success
Cisco Support Diagnostics Configuration	Success
Local Malware Analysis Signatures	Success
SI URL Lists and Feeds	Success
URL Category and Reputation	Success
Threat Configuration	Success
SI DNS Lists and Feeds	Success
AMP Dynamic Analysis	Success
URL Category and Reputation Metadata	Success
Cisco Cloud Configuration	Unable to reach Cisco Cloud from the device. Please check the network connection.
SI SHA Lists (from TID)	Success

I logged in to the active firewall's CLI and took the following outputs:

> show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Port-channel1.3017       RZ01_INFRA_VN-Global   10.39.36.66     255.255.255.252 CONFIG
Port-channel1.3018       RZ01_CAMPUS_VN-Global  10.39.36.70     255.255.255.252 CONFIG
Port-channel1.3019       RZ01_SECURE_VN-Global  10.39.36.74     255.255.255.252 CONFIG
Port-channel1.3021       RZ02_INFRA_VN-Global   10.39.36.78     255.255.255.252 CONFIG
Port-channel1.3022       RZ02_CAMPUS_VN-Global  10.39.36.82     255.255.255.252 CONFIG
Port-channel1.3023       RZ02_SECURE_VN-Global  10.39.36.86     255.255.255.252 CONFIG
Port-channel2.3519       ACI                    10.39.16.182    255.255.255.240 CONFIG
Ethernet1/7              Stateful-Failover-Link 169.169.169.5   255.255.255.252 unset
Ethernet1/8              Failover-Link          169.169.169.1   255.255.255.252 unset
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Port-channel1.3017       RZ01_INFRA_VN-Global   10.39.36.66     255.255.255.252 CONFIG
Port-channel1.3018       RZ01_CAMPUS_VN-Global  10.39.36.70     255.255.255.252 CONFIG
Port-channel1.3019       RZ01_SECURE_VN-Global  10.39.36.74     255.255.255.252 CONFIG
Port-channel1.3021       RZ02_INFRA_VN-Global   10.39.36.78     255.255.255.252 CONFIG
Port-channel1.3022       RZ02_CAMPUS_VN-Global  10.39.36.82     255.255.255.252 CONFIG
Port-channel1.3023       RZ02_SECURE_VN-Global  10.39.36.86     255.255.255.252 CONFIG
Port-channel2.3519       ACI                    10.39.16.182    255.255.255.240 CONFIG
Ethernet1/7              Stateful-Failover-Link 169.169.169.5   255.255.255.252 unset
Ethernet1/8              Failover-Link          169.169.169.1   255.255.255.252 unset
################################################################################
> show network
===============[ System Information ]===============
Hostname                  : wde-ftd01.wolf.eu
Domains                   : wolf.eu
DNS Servers               : 10.41.2.21
                            10.41.2.22
DNS from router           : enabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.41.7.254
  Netmask                 : 0.0.0.0


==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : C4:4D:84:80:3F:8F
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.41.7.31
Netmask                   : 255.255.255.0
Gateway                   : 10.41.7.254
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

==================[ management1 ]===================
State                     : Disabled
Link                      : Down
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 9000
MAC Address               : C4:4D:84:80:3F:9F
----------------------[ IPv4 ]----------------------
Configuration             : Disabled
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
###############################################################
> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.39.16.177 to network 0.0.0.0

B*       0.0.0.0 0.0.0.0 [20/0] via 10.39.16.177, 1w5d
C        10.39.16.176 255.255.255.240 is directly connected, ACI
L        10.39.16.182 255.255.255.255 is directly connected, ACI
B        10.39.36.4 255.255.255.252 [20/0] via 10.39.36.69, 1w5d
B        10.39.36.8 255.255.255.252 [20/0] via 10.39.36.73, 1w5d
B        10.39.36.20 255.255.255.252 [20/0] via 10.39.36.69, 1w5d
B        10.39.36.24 255.255.255.252 [20/0] via 10.39.36.73, 1w5d
B        10.39.36.36 255.255.255.252 [20/0] via 10.39.36.69, 1w5d
B        10.39.36.40 255.255.255.252 [20/0] via 10.39.36.73, 1w5d
B        10.39.36.52 255.255.255.252 [20/0] via 10.39.36.69, 1w5d
B        10.39.36.56 255.255.255.252 [20/0] via 10.39.36.73, 1w5d
C        10.39.36.68 255.255.255.252
           is directly connected, RZ01_CAMPUS_VN-Global
L        10.39.36.70 255.255.255.255
           is directly connected, RZ01_CAMPUS_VN-Global
C        10.39.36.72 255.255.255.252
           is directly connected, RZ01_SECURE_VN-Global
L        10.39.36.74 255.255.255.255
           is directly connected, RZ01_SECURE_VN-Global
C        10.39.36.80 255.255.255.252
           is directly connected, RZ02_CAMPUS_VN-Global
L        10.39.36.82 255.255.255.255
           is directly connected, RZ02_CAMPUS_VN-Global
C        10.39.36.84 255.255.255.252
           is directly connected, RZ02_SECURE_VN-Global
L        10.39.36.86 255.255.255.255
           is directly connected, RZ02_SECURE_VN-Global
D        10.39.37.130 255.255.255.254
           [90/28416] via 10.39.36.81, 1w5d, RZ02_CAMPUS_VN-Global
           [90/28416] via 10.39.36.69, 1w5d, RZ01_CAMPUS_VN-Global
D        10.39.37.132 255.255.255.254
           [90/28416] via 10.39.36.85, 1w5d, RZ02_SECURE_VN-Global
           [90/28416] via 10.39.36.73, 1w5d, RZ01_SECURE_VN-Global
B        10.42.0.0 255.255.192.0 [20/0] via 10.39.36.69, 1w5d
B        10.42.64.0 255.255.254.0 [20/0] via 10.39.36.69, 1w5d
B        10.42.66.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.42.70.0 255.255.254.0 [20/0] via 10.39.36.73, 1w5d
B        10.42.72.0 255.255.252.0 [20/0] via 10.39.36.73, 1w5d
B        10.42.76.0 255.255.252.0 [20/0] via 10.39.36.73, 1w5d
B        10.42.80.0 255.255.248.0 [20/0] via 10.39.36.73, 1w5d
B        10.42.88.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.42.96.0 255.255.240.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.3.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.4.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.5.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.6.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.8.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.9.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.10.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.13.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.14.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.15.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.16.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.17.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.18.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.22.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.23.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.24.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.50.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.54.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.72.0 255.255.252.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.91.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.94.0 255.255.254.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.96.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.45.97.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.45.98.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.46.0.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.1.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.10.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.11.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.12.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.13.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.50.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.46.54.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.46.94.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.46.96.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.46.98.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.47.0.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.1.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.2.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.3.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.4.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.5.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.54.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.47.92.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.94.0 255.255.255.0 [20/0] via 10.39.36.69, 1w5d
B        10.47.96.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
B        10.47.98.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
C        169.169.169.0 255.255.255.252 is directly connected, Failover-Link
L        169.169.169.1 255.255.255.255 is directly connected, Failover-Link
C        169.169.169.4 255.255.255.252
           is directly connected, Stateful-Failover-Link
L        169.169.169.5 255.255.255.255
           is directly connected, Stateful-Failover-Link
B        192.168.69.0 255.255.255.0 [20/0] via 10.39.36.73, 1w5d
#############################################################
> show route management-only

Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set

From the management IF I can ping and traceroute tools.cisco.com:

> ping system tools.cisco.com
PING tools.cisco.com (72.163.4.38) 56(84) bytes of data.
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=1 ttl=237 time=135 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=2 ttl=237 time=135 ms
64 bytes from tools1.cisco.com (72.163.4.38): icmp_seq=3 ttl=237 time=135 ms
^C
--- tools.cisco.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 135.134/135.248/135.471/0.452 ms

##########################################################################

> traceroute system tools.cisco.com
traceroute to tools.cisco.com (173.37.145.8), 30 hops max, 60 byte packets
 1  10.41.7.249 (10.41.7.249)  0.403 ms  0.440 ms  0.542 ms
 2  10.41.1.201 (10.41.1.201)  0.315 ms  0.354 ms  0.374 ms
 3  93.122.70.66 (93.122.70.66)  0.479 ms  0.484 ms  0.492 ms
 4  10.190.170.145 (10.190.170.145)  2.972 ms  3.019 ms  3.020 ms
 5  10.13.192.175 (10.13.192.175)  8.014 ms  8.018 ms  8.105 ms
 6  10.13.192.174 (10.13.192.174)  7.892 ms  7.599 ms  7.595 ms
 7  80.157.206.49 (80.157.206.49)  8.881 ms  9.065 ms  9.343 ms
 8  217.5.67.134 (217.5.67.134)  8.429 ms  8.430 ms  8.537 ms
 9  * * *
10  * * *
11  * * *
12  port-channel6.core2.par3.he.net (184.104.196.231)  45.325 ms  45.349 ms  45.920 ms
13  * * *
14  * * *
15  * * *
16  cisco-systems.e0-22.switch4.dal1.he.net (216.66.79.74)  129.424 ms  129.449 ms  126.298 ms
17  128.107.4.9 (128.107.4.9)  126.154 ms  126.278 ms  126.474 ms
18  alln01-mda1-dmzbb-gw1-be91.cisco.com (173.36.112.190)  128.949 ms  128.929 ms  128.928 ms
19  alln01-mda1-dmzdcc-gw1-por1.cisco.com (173.36.112.130)  125.385 ms  125.437 ms  125.608 ms
20  alln01-mda2-fab1-sw3812-dmzdcc2uplink.cisco.com (173.36.113.230)  128.751 ms  128.968 ms alln01-mda2-fab1-sw3812-dmzdcc1uplink.cisco.com (173.36.113.222)  129.557 ms
21  * * *
22  * * *
23  hsrp-173-37-145-1.cisco.com (173.37.145.1)  125.448 ms  125.566 ms  125.414 ms
24  tools2.cisco.com (173.37.145.8)  128.288 ms  128.188 ms  128.269 ms

I wonder because the traffic goes to IP 10.41.7.249 and not to the configured gateway 10.41.7.254 (HSRP).

I think there is a routing issue here and not a DNS problem.

I have attached a couple of FMC screen dumps that show the Health Monitor and DNS configuration in the 
Platform Settings.

Do you have any idea what I could try to get rid of this error message?

Thanks a lot for every hint!

 

Bye
R.

1 person had this problem
Preview file
257 KB
0 Helpful
1 Reply 1

Max Jobs
Level 1
Level 1

‎03-08-2024 02:47 AM

Hi R (If this cover your name!),

It seems like there's a routing issue rather than a DNS problem. The traffic is directed to 10.41.7.249 instead of the configured gateway 10.41.7.254 (HSRP). Also, verify any routing protocols or static routes that might affect traffic flow.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card