FTD3K lost connectivity to cdFMC after upgrade from 7.2.4 to 7.3.1

dardou1814
Level 1

Hello everyone,

After upgrading to 7.3.1, FMC lost connectivity to FTD.

The FW is upgraded: "Cisco Secure Firewall 3130 Threat Defense (80) Version 7.3.1 (Build 19)"

The manager is shown as configured:

Registration              : Completed

Management type           : Configuration

However, after entering the following cmd: sudo tail -f /etc/sf/sftunnel.conf

peers_registered
{
}
peers_pending
{
}
peers_routed
{
}

The sftunnel config seems to have been wiped out.

Can I simply initiate a "configure manager delete <ID>" and re-join it to FMC "configure manager add <etc...>"?

I am not 100% sure regarding the consequences of these commands... Would it factory-reset the device? Or is it safe?

Thanks.

BR

Dardan.

Accepted Solution

dardou1814
Level 1

Thanks for your reply.

Actually, we managed to "resolve" the issue by adding our peer "****.cdo.cisco.com" in host file. It regained connectivity. It's only a workaround. We will see what TAC say.

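As an added example, not code from the original post or from Cisco, the POSIX shell check below reads a copy of sftunnel.conf and a copy of the hosts file and reports two things: whether the peers_registered block is empty, as in the output shown in the question, and whether the manager hostname already has a hosts-file entry, which is the workaround that restored connectivity in this thread. It is meant as a pre-flight step before deciding on "configure manager delete": it changes nothing on the device. The sample inputs are constructed; the peer identifier, the entry body and the hostname fmc.example.com are placeholders, because the real per-peer format inside sftunnel.conf and the actual cdFMC hostname are not shown on this page.

```shell
#!/bin/sh
# Added example, not Cisco code and not from the original post. Reads copies of
# sftunnel.conf and of the hosts file from stdin; never modifies the device.

# Count entries at depth 1 inside a named brace block (e.g. peers_registered)
# of sftunnel.conf-style text read from stdin. Prints 0 for an empty "{ }"
# block (the symptom in the post). Braces nested inside an entry are tracked
# so that an entry's inner lines are not counted as extra peers.
count_peers_in_block() {
    awk -v want="$1" '
        !inblock && $1 == want          { inblock = 1; depth = 0; next }
        inblock && $1 == "{"            { depth++; next }
        inblock && $1 == "}"            { depth--; if (depth == 0) inblock = 0; next }
        inblock && depth == 1 && NF > 0 { n++ }
        END { print n + 0 }
    '
}

# Exit 0 if the hostname appears as a name on an uncommented line of a
# hosts-file copy read from stdin, 1 otherwise. Trailing "# ..." is ignored.
hosts_has_entry() {
    awk -v want="$1" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == want) found = 1 } }
        END { if (found) exit 0; exit 1 }
    '
}

# Summarise the state: "registered:<n>" when peers are still registered;
# otherwise report whether the manager hostname is already pinned in hosts.
sftunnel_advice() {
    conf="$1"; host="$2"; hosts="$3"
    n=$(printf '%s\n' "$conf" | count_peers_in_block peers_registered)
    if [ "$n" -gt 0 ]; then
        printf 'registered:%s\n' "$n"
    elif printf '%s\n' "$hosts" | hosts_has_entry "$host"; then
        printf 'empty:hosts-entry-present\n'
    else
        printf 'empty:add-hosts-entry\n'
    fi
}

# Constructed sample input matching the empty blocks shown in the post.
SFTUNNEL_EMPTY='peers_registered
{
}
peers_pending
{
}
peers_routed
{
}'

# Constructed sample with one registered peer. The entry id and body are
# placeholders; the real per-peer format is not shown on the page.
SFTUNNEL_OK='peers_registered
{
  example-peer-id
  {
    placeholder-field
  }
}
peers_pending
{
}'

# Constructed hosts-file copy: the manager (placeholder name fmc.example.com)
# is not yet pinned, so the workaround from the thread would still apply.
HOSTS_SAMPLE='127.0.0.1 localhost
# 192.0.2.10 fmc.example.com   not yet added'

sftunnel_advice "$SFTUNNEL_EMPTY" fmc.example.com "$HOSTS_SAMPLE"
```

On a real device, replace the constructed strings with copies of /etc/sf/sftunnel.conf and /etc/hosts taken via the expert shell; an "empty:" result is the situation in the question, and the peers still being registered on the FMC side, as the reply below points out, is a separate check that this script does not make.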

3 Replies

Be careful when issuing the command configure manager delete. This command in itself does not do anything to the configuration of the device. You will still have configuration on it and it will still pass traffic. When you remove the device from management, the interface configuration as seen in the FMC is removed, and therefore all configuration that references interface names will also be removed. So, the work that will need to be done once you re-add the device is to associate the interfaces with their respective security zones and security groups, configure all static routing (I am unsure of dynamic routing but assume you have to reconfigure this also), as well as any VPN configuration that references the device interfaces. You will also need to associate the ACP policy, NAT policy, FlexConfig policy, Health policy, etc. with the device.

When adding it back, the FMC will do a discovery and "should" fetch the interface configuration that is on the FTD device, so you should not need to configure this again, but make sure to take note of this configuration as well as any other configuration that I mentioned above, and possibly more.

In summary, I suggest that if you do remove the device from management with the intention of adding it back, be prepared to have to manually configure the device from scratch, with the exception of policies. So be sure to make a note of preshared keys, routing, and security zone / security group associations at the very least.



Hello @dardou1814 

Did TAC ever feed back anything useful on the root cause of this issue for you?

Many thanks in advance,

Peter
