Solved: Re: FTD: Unable to reach FQDNs in the Internet

swscco001 · ‎12-10-2024

Hello everybody,

our customer has 1 cluster of two Firepower 1120 running rel. 7.4.2.1
managed by the FMCv running rel. 7.4.2.1 too.

The Health Monitor shows the error message:
Cisco Cloud Configuration - Unable to reach Cisco Cloud from the device. Please check the network connection..
for both devices.

The firewalls can resolve FQDNs in th Internet:

admin@firepower:~$ nslookup api-sse.cisco.com
Server:         192.168.100.25
Address:        192.168.100.25#53

Non-authoritative answer:
api-sse.cisco.com       canonical name = api-sse.cisco.com.akadns.net.
Name:   api-sse.cisco.com.akadns.net
Address: 54.166.161.63
Name:   api-sse.cisco.com.akadns.net
Address: 3.82.76.181
Name:   api-sse.cisco.com.akadns.net
Address: 2600:1f18:56c:200a:48c5:ffc1:9e69:b18a
Name:   api-sse.cisco.com.akadns.net
Address: 2600:1f18:56c:200b:d1e:17aa:513b:e947

It can ping IP addresses in the Internet:

> ping 8.8.8.8
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

But when I try to ping FQDNs in the Internet the ping responds with "U" (unreachable):

> ping intelligence.sourcefire.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 2620:28:c000:0:aba:ca:daba:58, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 2a00:1450:4016:80c::2004, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

What is going wrong here?

Every hint is welcome.

Thanks a lot!

Bye
Rene

Rob Ingram · ‎12-11-2024

@swscco001 "show network" is showing information related to the mgmt interface (not the data interface). You are pinging from the data interface. If you have the mgmt interface connected, you run a ping using the command "ping system <fqdn>".

So are you saying you do have a Platform Setting policy that is applied to this FTD? Can the FTD reach the DNS server 192.168.100.25 via it's data interface?

View solution in original post

MHM Cisco World · ‎12-10-2024

Show network <<- in ftd' check dns server you add

Remember this dns not for user traffic it for ftd.

MHM

Rob Ingram · ‎12-10-2024

@swscco001 you are pinging from the data interface, have you configured the DNS servers in the Platform Settings Policy which is assigned to that FTD cluster? https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-platform.html#id_74914

swscco001 · ‎12-11-2024

Hi Rob,

thanks for your reply!

Every other customer get the error message of missing access of the firewalls to the
Cisco cloud

I followed the Cisco guide:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217616-troubleshoot-cisco-cloud-configuration.html

I used the DNS server 192.168.100.25 that I found in the Platform Settings of the FMC
for the configuration of the network of the Firewall CLI.

> show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 8.8.8.8
                            192.168.100.25
                            208.68.222.222
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.18.254
...

This was used when I try a nslookup:

dmin@firepower:~$ nslookup api-sse.cisco.com
Server:         192.168.100.25
Address:        192.168.100.25#53

Non-authoritative answer:
api-sse.cisco.com       canonical name = api-sse.cisco.com.akadns.net.
Name:   api-sse.cisco.com.akadns.net
Address: 54.166.161.63
Name:   api-sse.cisco.com.akadns.net
Address: 3.82.76.181
Name:   api-sse.cisco.com.akadns.net
Address: 2600:1f18:56c:200a:48c5:ffc1:9e69:b18a
Name:   api-sse.cisco.com.akadns.net
Address: 2600:1f18:56c:200b:d1e:17aa:513b:e947

I can ping IP-Adresses in the Internet:

> ping 208.67.222.222
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

But at FQDNs I get back "U" (unreachable), and no ".":

> ping api-sse.cisco.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 2600:1f18:56c:200b:d1e:17aa:513b:e947, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

> ping www.google.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 2a00:1450:4016:80c::2004, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

This is hard to understand.

Do you have any explanation?

Thanks a lot!

Bye
R.

Rob Ingram · ‎12-11-2024

@swscco001 "show network" is showing information related to the mgmt interface (not the data interface). You are pinging from the data interface. If you have the mgmt interface connected, you run a ping using the command "ping system <fqdn>".

So are you saying you do have a Platform Setting policy that is applied to this FTD? Can the FTD reach the DNS server 192.168.100.25 via it's data interface?

swscco001 · ‎12-11-2024

Hi Rob,

with your hints I could bring the traffic from the management-IF through a firewall to the Internet and the error message in the FMC disappeared.

Thanks a lot!

Bye
R.

MHM Cisco World · ‎12-11-2024

what was problem ? and what is solution?
it seem that the DNS is missing from mgmt interface, or I am wrong ?

MHM