How does FTD add static routes in the CLI and configure priorities?


My FTD can't connect to the FMC because of routing reasons; now I need to add a static route and make its priority higher than OSPF.



configure network static-routes

To add or remove static routes, use the configure network static-routes command.

configure network static-routes {ipv4 | ipv6} {add interface destination netmask_or_prefix gateway | delete}

Syntax Description

add
Adds a static route for the management interface.

delete
Removes a static route for the management interface. You are prompted to choose which route to delete.

interface
The ID of the management interface. Use the show network command to view the Management interface ID for your model.

ipv4
Adds or deletes a static route for the IPv4 management address.

ipv6
Adds or deletes a static route for the IPv6 management address.

destination
The destination IP address to add or remove, in IPv4 or IPv6 format as appropriate. For example, 10.100.10.10 or 2001:db8::201.

netmask_or_prefix
The network address mask for IPv4, or prefix for IPv6. The IPv4 netmask must be in dotted decimal notation, for example, 255.255.255.0. The IPv6 prefix is a standard prefix number, such as 96.

gateway
The gateway address to add or remove, in IPv4 or IPv6 format as appropriate.

Command History

Release   Modification
6.0.1     This command was introduced.

Example:

configure network static-routes ipv4 add eth0 192.168.10.0 255.255.255.0 192.168.1.1

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2268306860

 

Add static route on Firepower module:

https://community.cisco.com/t5/security-documents/add-static-route-on-firepower-module/ta-p/3156256

 

Compared with OSPF, the static route's AD is small (the default is 1), so there is no need to modify it.

I'm not sure whether it's right or not; you can try it. Hope it works.

I am assuming you have your management interface default gateway via a data interface on the FTD, and it is the data interface which is having the routing issue?

If so, here is the solution. Remember that you must correct the static route issue in the GUI once you have connectivity again, as a new policy deploy will overwrite this solution. You also need to have access to the FTD CLI and be able to obtain root privileges. You don't need to go into the /ngfw/var/sf/bin directory, but I like going there as this is where the script is located. Hope this helps.

> expert

$ sudo su -

root# cd /ngfw/var/sf/bin

root# LinaConfigTool "route DMZ 192.168.1.0 255.255.255.0 192.168.2.1"

--
Please remember to select a correct answer and rate helpful posts

Excuse me, does the DMZ in "route DMZ" refer to the area to which the routing interface belongs, or is it a custom nickname field?

This is basic ASA / FTD CLI routing configuration, so DMZ refers to the interface through which the subnet is reachable.
--
Please remember to select a correct answer and rate helpful posts

I've deployed OSPF to let the device learn how to route to the FMC, but why does the device still show a disabled status and cannot be managed?





Are you able to ping the FTD from the FMC? Can you telnet from the FMC CLI to the FTD on port tcp/8305? Remember also that you need to allow traffic from the FTD to the FMC on port tcp/8305 if this management traffic is passing through another firewall.

--
Please remember to select a correct answer and rate helpful posts

Of my two HA FTDs, FTD-A can't ping the FMC, and FTD-B can't either; but B can be managed by the FMC. ... The problem has not been found; FTD-A and B have the same configuration.

Could you provide a network diagram that shows the IPs, how these devices are connected to the network and their relation to each other?

When you ping from the FTD you will be pinging from the data interfaces, so if this traffic is not allowed in access rules the traffic is not permitted. So a better test would be to ping from the FMC.

So, what is between the FTDs and the FMC?  a router, another firewall, or are they on the same subnet (doubtful as this started out as a routing question)?

Since FTD B can be managed the issue is most likely not routing.  What is the management IP you have given FTD A?  You said that A and B have the same configuration, does that mean you gave FTD A the same IP as you configured on B?  If so then this is your problem.  FTD A needs a separate IP.

If there are any firewalls or access lists in the path between the FMC and FTD A and B then you need to also check if the traffic is allowed towards FTD A.

--
Please remember to select a correct answer and rate helpful posts

When I use ping on the FMC, it prompts: ping: icmp open socket: Operation not permitted

My Network Topology







FTD-A

> show network
===============[ System Information ]===============
Hostname: ASCHZXS-12F-JF-A02-FW-2110-01
DNS Servers: 172.169.18.8
Management port: 8305
IPv4 Default route
Gateway: 172.17.3.254

==================[ management0 ]===================
State: Enabled
Channels: Management & Events
Mode: Non-Autonegotiation
MDI/MDIX: Auto/MDIX
MTU: 1500
MAC Address: CC:7F:76:B1:73:80
----------------------[ IPv4 ]----------------------
Configuration: Manual
Address: 172.17.2.10
Netmask: 255.255.254.0
Broadcast: 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration: Disabled

===============[ Proxy Information ]================
State: Disabled
Authentication: Disabled


> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.1 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.1 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.2 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.67 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.75 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.82 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.90 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1




> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up
Ethernet1/1 172.17.10.67 YES CONFIG up
Ethernet1/2 172.17.10.75 YES CONFIG up
Ethernet1/3 172.17.10.82 YES CONFIG up
Ethernet1/4 172.17.10.90 YES CONFIG up
Ethernet1/5 172.17.7.2 YES CONFIG up
Ethernet1/6 172.17.7.10 YES CONFIG down down down
Ethernet1/7 172.17.7.18 YES CONFIG down down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.1 YES unset up up
Ethernet1/12 2.2.2.1 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up
Management1/1 unassigned YES unset up



> show failover state

State Last Failure Reason Date/Time
This host - Primary
Standby Ready None
Other host - Secondary
Active None

====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set



FTD-B


> show network
===============[ System Information ]===============
Hostname: firepower
DNS Servers: 172.169.18.8
Management port: 8305
IPv4 Default route
Gateway: 172.17.3.254

==================[ management0 ]===================
State: Enabled
Channels: Management & Events
Mode: Non-Autonegotiation
MDI/MDIX: Auto/MDIX
MTU: 1500
MAC Address: AC:3A:67:52:57:80
----------------------[ IPv4 ]----------------------
Configuration: Manual
Address: 172.17.2.11
Netmask: 255.255.254.0
Broadcast: 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration: Disabled

===============[ Proxy Information ]================
State: Disabled
Authentication: Disabled


> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up
Ethernet1/1 172.17.10.66 YES CONFIG up
Ethernet1/2 172.17.10.74 YES CONFIG up
Ethernet1/3 172.17.10.81 YES CONFIG up
Ethernet1/4 172.17.10.89 YES CONFIG up
Ethernet1/5 172.17.7.1 YES CONFIG up
Ethernet1/6 172.17.7.9 YES CONFIG down down down
Ethernet1/7 172.17.7.17 YES CONFIG down down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.2 YES unset up up
Ethernet1/12 2.2.2.2 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up
Management1/1 unassigned YES unset up


> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.2 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.2 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.1 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.66 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.74 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.81 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.89 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> show failover
descriptor exec history interface state statistics |

> show failover state

State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Standby Ready Comm Failure 09:58:15 UTC Jun 1 2022

====Configuration State===
Sync Done
====Communication State===
Mac set


To ping from the FMC you need to be the root user, so you need to log into the CLI, enter expert mode and then sudo su -

Could you issue the command show managers on both FTDs?

--
Please remember to select a correct answer and rate helpful posts

FTD-A 172.17.2.10
> show managers
Type: Manager
Host: 172.16.1.31
Registration: Completed

>

FTD-A 172.17.2.11 (managed side events)
> show managers
Type: Manager
Host: 172.16.1.31
Registration: Completed

>

FMC-SSH

Last login: Fri Jun 24 04:46:39 2022 from 172.17.3.68

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.7 (build 53)

>

configure   Change to Configuration mode
exit        Exit this CLI session
expert      Invoke a shell
show        Change to Show Mode
system      Change to System mode

> expert
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$ ping 172.17.2.10
ping: icmp open socket: Operation not permitted
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$


To issue a ping from the FMC you need to have root privileges (sudo su -).

But as per the output of show managers the FMC has successfully registered with the FTD device.

--
Please remember to select a correct answer and rate helpful posts

However, the FMC shows that the FTD is disabled and cannot be managed.

 

I would like to try making a permit any-any configuration on the FTD CLI to see whether FTD-A is unable to connect to the FMC for policy reasons, and to learn how to write such a policy in the CLI and save it so that it takes effect.

I took over this device afterwards; the FTD was disconnected in November 2021.

Or, how should I seek remote technical support?
