How does FTD add static routes in the CLI and configure priorities?


My FTD can't connect to the FMC because of routing reasons; now I need to add a static route and make its configuration priority higher than OSPF.

29 Replies

Does the management traffic for the FTDs pass through FTD-B? If yes, instead of an any-any rule right now, I suggest doing a packet tracer first: one with source of FMC and destination of FTD mgmt IP and destination port tcp/8305, then also in the reverse direction, FTD mgmt IP to FMC with destination port tcp/8305.

If you are looking for technical support I suggest contacting your local Cisco partner, or if you are able to open a TAC case directly then you can do so.

--
Please remember to select a correct answer and rate helpful posts

Please look at the data I replied to below

Please read my last post and provide the requested information


root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.10 8305
Trying 172.17.2.10...
Connected to 172.17.2.10.
Escape character is '^]'.
^C
^CConnection closed by foreign host.
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.11 8305
Trying 172.17.2.11...
telnet: connect to address 172.17.2.11: Connection refused
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin#


172.17.2.10 is FTD-A, which I can't manage right now.

172.17.2.11 is FTD-B, which I can manage today.


Here FTD-A connects to the FMC (172.16.1.31) on 8305:

root@ASCHZXS-12F-JF-A02-FW-2110-01:/home/admin# telnet 172.16.1.31 8305
Trying 172.16.1.31...
Connected to 172.16.1.31.
Escape character is '^]'.
^C^C^CConnection closed by foreign host.
root@ASCHZXS-12F-JF-A02-FW-2110-01:/home/admin#


root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.16.2.251
PING 172.16.2.251 (172.16.2.251) 56 (84) bytes of data.
64 bytes from 172.16.2.251: icmp_req=1 ttl=63 time=0.266 ms
64 bytes from 172.16.2.251: icmp_req=2 ttl=63 time=0.236 ms
^C
--- 172.16.2.251 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1032ms
rtt min/avg/max/mdev = 0.236/0.251/0.266/0.015 ms
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.17.2.10
PING 172.17.2.10 (172.17.2.10) 56 (84) bytes of data.
64 bytes from 172.17.2.10: icmp_req=1 ttl=60 time=7.89 ms
64 bytes from 172.17.2.10: icmp_req=2 ttl=60 time=7.90 ms
64 bytes from 172.17.2.10: icmp_req=3 ttl=60 time=7.93 ms
^C
--- 172.17.2.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 7.891/7.907/7.932/0.104 ms
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# ping 172.17.2.11
PING 172.17.2.11 (172.17.2.11) 56 (84) bytes of data.
64 bytes from 172.17.2.11: icmp_req=1 ttl=60 time=8.18 ms
64 bytes from 172.17.2.11: icmp_req=2 ttl=60 time=8.08 ms
64 bytes from 172.17.2.11: icmp_req=3 ttl=60 time=7.91 ms
^C
--- 172.17.2.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 7.916/8.062/8.183/0.110 ms


I've tried pinging the FTDs from the FMC: all three are reachable, but only 172.17.2.10 is displayed as disabled.

(Topology diagram: FMC 172.16.1.31, FTD-B 172.17.2.11, FTD-SX 172.16.2.251, FTD-A 172.17.2.10)

The FTD devices reach out to the FMC out of their management ports. It could be that FTD-A is not configured with the right gateway? You can check that with the command "show network" from the > mode (CLISH mode) on the FTD. If the gateway is correct, it could be related to some firewall in the middle between the FTD devices and the FMC? If you have a firewall, that firewall should allow the traffic between the FTD and the FMC on port 8305/tcp bidirectionally, from the FTD to the FMC and vice versa.

How do I use the command to add an any-any policy on an FTD that cannot be controlled by the FMC?

You need to identify the route that management traffic is taking between FMC and FTD.

Are the two FTDs in HA pair?

Is management traffic being routed through a data interface on the FTD that is having issues?

Or, is traffic being routed through the other FTD that is not having issues?

Can you ping the FTD from 172.17.3.254 to 172.17.2.10 (the gateway that mgmt traffic is using)?

You can add an ACL entry using the commands I posted earlier, just change the configuration from routing to access-list. If this solves the issue you will need to add the correct access rule in the FMC before you deploy or the configuration will be overwritten.


1. I can use the gateway on my core switch to ping FTD-A or the FMC:
Ping -a 172.17.3.254 172.17.2.10

Ping -a 172.17.3.254 172.16.1.31


2. Will forcing a refresh of the HA status cause side effects such as a device reboot?
How do I manually refresh on the FTD CLI to detect the availability of the HA status?


FTD-A
ping system 172.16.1.31 (FMC) OK
FTD-B
ping system 172.16.1.31 (FMC) OK



FTD-A
ping tcp 172.16.1.31 8305 No Response

FTD-B
ping tcp 172.16.1.31 8305 No Response


Pinging FTD-A and FTD-B (172.17.2.10, 172.17.2.11) from the FMC (172.16.1.31) returns normally.

Route from the FMC to FTD-A (198.18.1.x is the cloud network between offsite locations); a trace to FTD-B returns the same:
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# traceroute 172.17.2.10
traceroute to 172.17.2.10 (172.17.2.10), 30 hops max, 60 byte packets
 1  172.16.1.254 (172.16.1.254)  4.343 ms  4.434 ms  4.517 ms
 2  198.18.1.6 (198.18.1.6)  4.600 ms  4.888 ms  4.888 ms
 3  198.18.1.10 (198.18.1.10)  12.494 ms  12.221 ms  8.420 ms
 4  198.18.1.9 (198.18.1.9)  20.827 ms  21.201 ms  13.168 ms
5 * * * *
6 * * * *
7 * * * *
8 * * * *
9 * * * *
10 * * * *
11 * * * *
12 * * * *
13 * * * *
14 * * * *
15 * * * *
16 * * * *
17 * * * *
18 * * * *
19 * * * *
20 * * * *
21 * * * *
22 * * * *
23 * * * *
24 * * * *
25 * * * *
26 * * * *
27 * * * *
28 * * * *
29 * * * *
30 * * * *
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin#

It seems that the 172.16.1.254 does not know how to get back to the FTD-A IP address? Please share your L1/L3 topology diagram for review.


telnet 8305 test from the FMC:

FTD-B 172.17.2.11 8305 

root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.11 8305
Trying 172.17.2.11...
telnet: connect to address 172.17.2.11: Connection refused

FTD-A 172.17.2.10 8305 
root@ASCHZXS-12F-JF-A02-CISCO-FMC-01:/Volume/home/admin# telnet 172.17.2.10 8305
Trying 172.17.2.10...
Connected to 172.17.2.10.
Escape character is '^]'.

ping -a 172.16.1.254 172.17.2.10
PING 172.17.2.10: 56 data bytes, press CTRL_C to break
Reply from 172.17.2.10: bytes=56 Sequence=1 ttl=61 time=7 ms
Reply from 172.17.2.10: bytes=56 Sequence=2 ttl=61 time=7 ms
Reply from 172.17.2.10: bytes=56 Sequence=3 ttl=61 time=7 ms
Reply from 172.17.2.10: bytes=56 Sequence=4 ttl=61 time=7 ms
Reply from 172.17.2.10: bytes=56 Sequence=5 ttl=61 time=7 ms

--- 172.17.2.10 ping statistics ---
5 packet(s)transmitted
5 packet(s)received
0.00% packet loss
round-trip min/avg/max = 7/7/7 ms


Ping FTD-A and FTD-B from 172.16.1.254 (gateway):

ping -a 172.16.1.254 172.17.2.11
PING 172.17.2.11: 56 data bytes, press CTRL_C to break
Reply from 172.17.2.11: bytes=56 Sequence=1 ttl=61 time=7 ms
Reply from 172.17.2.11: bytes=56 Sequence=2 ttl=61 time=7 ms
Reply from 172.17.2.11: bytes=56 Sequence=3 ttl=61 time=7 ms
Reply from 172.17.2.11: bytes=56 Sequence=4 ttl=61 time=7 ms
Reply from 172.17.2.11: bytes=56 Sequence=5 ttl=61 time=7 ms

--- 172.17.2.11 ping statistics ---
5 packet(s)transmitted
5 packet(s)received
0.00% packet loss
round-trip min/avg/max = 7/7/7 ms

The FMC is located at the intermediate regional site (ESXi) and the gateway is located at the Hangzhou core.

Hangzhou Core Configuration

dis ip routing-table 172.17.2.10
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface

172.17.2.0/23 Static 1 0 RD 198.18.1.6 XGigabitEthernet0/0/1

?

dis ip routing-table 172.16.1.31
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface

172.16.1.0/24 Direct 0 0 D 172.16.1.254 Vlanif100

?
interface Vlanif100
description SERVER
ip address 172.16.1.254 255.255.255.0
#
return
[XIAOSHAN-Core-CS6730-Vlanif100]?

------------------------------------------------------------------------------------------------------------------------------------------------------------------

[SHAOXIN-Core-CS7706-1]int Vlanif 2
[SHAOXIN-Core-CS7706-1-Vlanif2]dis th
#
interface Vlanif2
description OA
ip address 172.17.3.252 255.255.254.0
ip address 192.168.168.252 255.255.255.0 sub
vrrp vrid 2 virtual-ip 172.17.3.254
vrrp vrid 2 priority 120
vrrp vrid 168 virtual-ip 192.168.168.1
dhcp select relay
dhcp relay server-ip 172.17.1.10
dhcp relay server-ip 172.17.1.20
#
return



[SHAOXIN-Core-CS7706-1]dis ip routing-table 172.17.2.10
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface

172.17.2.0/23 Direct 0 0 D 172.17.3.252 Vlanif2

[SHAOXIN-Core-CS7706-1]?

[SHAOXIN-Core-CS7706-1]dis ip routing-table 172.16.1.31
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface

172.16.1.0/24 Static 1 0 RD 198.18.1.10 GigabitEthernet4/0/10

[SHAOXIN-Core-CS7706-1]?
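As an added illustration (not from the thread or from Cisco/Huawei), the Python sketch below parses `dis ip routing-table` rows like the ones quoted above and shows how a router picks between them: longest prefix first, then lowest preference (Huawei "Pre"; the equivalent on FTD/ASA is administrative distance, where a static route defaults to 1 and OSPF to 110), then cost. The OSPF row, its next hop 198.18.1.14 and its interface are constructed for the comparison and do not appear on the page.

```python
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sample table: the two rows quoted from the Hangzhou core in the thread,
# plus a hypothetical OSPF row (not on the page) competing for the same /23.
SAMPLE_TABLE = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.17.2.0/23 Static 1 0 RD 198.18.1.6 XGigabitEthernet0/0/1
172.17.2.0/23 OSPF 10 2 D 198.18.1.14 XGigabitEthernet0/0/2
172.16.1.0/24 Direct 0 0 D 172.16.1.254 Vlanif100
"""

# One VRP routing-table row: prefix, protocol, preference, cost, flags, next hop, interface.
ROW = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    pre: int       # Huawei "Pre" (administrative distance on Cisco): lower wins
    cost: int      # protocol metric, compared only when prefix length and pre tie
    nexthop: str
    iface: str


def parse_routing_table(text: str) -> List[Route]:
    """Parse 'dis ip routing-table' rows; the header line does not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            prefix, proto, pre, cost, _flags, nexthop, iface = m.groups()
            routes.append(Route(ipaddress.ip_network(prefix, strict=False),
                                proto, int(pre), int(cost), nexthop, iface))
    return routes


def best_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest prefix match first, then lowest preference, then lowest cost."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.pre, r.cost))


def with_preference(routes: List[Route], proto: str, pre: int) -> List[Route]:
    """Re-rank every route of one protocol, e.g. to model VRP's default Static pre of 60."""
    return [replace(r, pre=pre) if r.proto == proto else r for r in routes]
```

With the quoted Pre of 1 the static route wins for 172.17.2.10; re-ranking the static to VRP's default preference of 60 hands the same prefix to the OSPF row, which is exactly the situation the question wants to avoid.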




Since you are able to ping from the FMC to both FTDs, communication is there. Has the FTD or FMC been replaced? Is that how this issue happened?

Could you run the command "sftunnel-status" on FTD-A? This is done from the > prompt.

You might also want to try restarting the sftunnel on FTD-A

> expert
admin@FTD:~$ sudo su
Password:
root@FTD:/# manage_procs.pl
****************  Configuration Utility  **************
1   Reconfigure Correlator
2   Reconfigure and flush Correlator
3   Restart Comm. channel
4   Update routes
5   Reset all routes
6   Validate Network
0   Exit
**************************************************************

Choose option 3
