09-11-2017 06:03 AM - edited 02-21-2020 06:17 AM
Greetings all:
So last night I had an issue joining some new Firepower sensors to our FMC, also running 6.2.2. I replaced the IDS cards in a Cisco 5585 ASA (running 9.8(2)) and the install process ran smoothly. This is the 3rd pair of Firepower IDS cards I have installed. I ran the basic setup the same as I have in the past and configured the manager on the sensors. When I went to FMC to join the sensors to the management server I got the dreaded:
"Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection."
So I tried a few more times with both sensors, checking keys, running the "configure manager delete" command and retrying it. Nothing seemed to work. I checked out some documentation and a great video on Firepower from Cisco Live's video library. Still nothing. I stumbled upon this post https://supportforums.cisco.com/t5/sourcefire-api/fail-to-register-sfr-module/td-p/2540275
saying that some file was corrupted and that TAC could fix it in expert mode. I decided to take the risk and see if I could make sense of the Unix shell. I did see that the sftunnel.conf file had another file, sftunnel.conf.corrupt, next to it, but I didn't end up messing with the config files. I decided, despite how late it was, that I would try re-imaging the module with the 6.2.0 image I had used with prior installs (these sensors were updated to 6.2.2 last night), and after failing the first time it ended up working once I added a NAT ID. It seemed strange that I would need a NAT ID added, as these sensors were on the same subnet as the previous 2 pairs of sensors I have installed, but hey, it worked and I was able to get home and get some sleep.
Anyway, I was wondering if this is worth contacting TAC about? I am wondering if there is a bug in 6.2.2 or a hardware issue. I have 2 pairs of sensors I need to install in two weeks, and if I can get any information that might make the installation process run smoothly I would appreciate it.
09-19-2017 05:51 AM
I contacted TAC asking about the corrupted file. The TAC rep I was in contact with was very helpful and suggested I back up a known good sftunnel.conf file from a working sensor and copy it to a directory in the Firepower Management Server that I could then copy to a sensor having the same issue. The instructions were as follows:
1. Log into the sensor CLI for a sensor that has a good sftunnel.conf and create a copy:
   > expert
   sudo su -
   cp /etc/sf/sftunnel.conf /var/tmp/sftunnel.conf
2. SCP the file to the FMC so that you can get it to your local machine. WinSCP cannot connect directly to the sensor due to how SCP is locked down. Depending on which direction will allow the communication for you, the commands would be either:
   <from the sensor> sudo scp /var/tmp/sftunnel.conf admin@<fmc ip address>:/var/tmp
   Or
   <from FMC> sudo scp admin@<sensor ip address>:/var/tmp/sftunnel.conf /var/tmp
3. Copy the file to your local machine. The file at this point should be located in /var/tmp on the FMC. You can use an SCP client such as WinSCP to connect to the FMC, navigate to that location and save the file. If you need to use the file to replace a corrupt sftunnel.conf on a sensor you can put the sftunnel.conf file back on the FMC to copy to the destination sensor (or you can simply just leave the copy of sftunnel.conf on the FMC in /var/tmp).
NOTE: The FMC has its own sftunnel.conf that should not be modified; that will be in /etc/sf. Do not confuse that sftunnel.conf with the sftunnel.conf in /var/tmp that will be used for the sensors if needed.
If you need to replace a bad sftunnel.conf the procedure would be as follows:
1. SCP the file to the sensor and put it in /var/tmp
   -From FMC-
   sudo scp /var/tmp/sftunnel.conf admin@<sensor ip>:/var/tmp/sftunnel.conf
2. Back up the corrupt file using the cp command
   -From sensor-
   > expert
   sudo su -
   cp /etc/sf/sftunnel.conf /etc/sf/sftunnel.conf.bad
3. Replace the bad file with a copy of the good file
   cp /var/tmp/sftunnel.conf /etc/sf/sftunnel.conf
   Overwrite the file if prompted.
4. Run the following command to populate the sftunnel.conf file.
   perl -MFlyLoader -e "SF::PeerManager::ConfigFiles::create_sftunnel_config()"
5. Restart sftunnel.
   pmtool restartbyid sftunnel
6. If communications have not been restored by this process, you may need to re-register the sensor to the DC and/or do a full reboot.
7. It may also be helpful to run the following command on the FMC and restart sftunnel from the FMC:
   perl -MFlyLoader -e "SF::PeerManager::ConfigFiles::create_sftunnel_config()"
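The replacement steps in the accepted answer are easy to get wrong when typed by hand at 2 AM: copying an empty or wrong file over /etc/sf/sftunnel.conf, or overwriting the only backup of the corrupt copy. The script below is an added example, not from the thread, from TAC or from Cisco, that wraps steps 2 and 3 of the replacement procedure in a function which refuses to install an empty candidate, skips the copy when the "good" file is byte-identical to the one already in place, and keeps a timestamped backup of whatever it replaces. The default paths match the answer; the --apply flag, the GOOD/TARGET environment variables and the availability of sha256sum or md5sum in the sensor's expert shell are assumptions of this example. The regeneration and restart commands run only with --apply and are the thread's own steps 4 and 5.

```shell
#!/bin/sh
# Added example (not from the thread, TAC or Cisco): safer version of
# "back up the corrupt sftunnel.conf and copy the known good one over it".
# Run in the sensor's expert shell as root, e.g.:
#   GOOD=/var/tmp/sftunnel.conf TARGET=/etc/sf/sftunnel.conf sh fix_sftunnel.sh --apply
# GOOD, TARGET and the --apply flag are conventions of this script only.

GOOD="${GOOD:-/var/tmp/sftunnel.conf}"
TARGET="${TARGET:-/etc/sf/sftunnel.conf}"

# Hash of a file; sha256sum preferred, md5sum as fallback (assumption: one of
# them exists on the appliance). Used only to detect "nothing to do".
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    md5sum "$1" | cut -d' ' -f1
  fi
}

# A usable candidate is a regular, non-empty file. An empty sftunnel.conf is
# exactly the failure mode we are trying to recover from, not a fix for it.
candidate_ok() {
  [ -f "$1" ] && [ -s "$1" ]
}

# replace_conf GOOD TARGET
#   return 1 and change nothing if GOOD is missing/empty
#   return 2 and change nothing if GOOD and TARGET are already identical
#   otherwise back up TARGET to TARGET.bad.<timestamp> (printed on stdout),
#   then copy GOOD over TARGET and return 0
replace_conf() {
  good="$1"; target="$2"
  if ! candidate_ok "$good"; then
    echo "refusing: $good is missing or empty" >&2
    return 1
  fi
  if [ -f "$target" ] && [ "$(file_hash "$good")" = "$(file_hash "$target")" ]; then
    echo "skipping: $target is already identical to $good" >&2
    return 2
  fi
  if [ -f "$target" ]; then
    backup="$target.bad.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup"
    echo "$backup"
  fi
  cp "$good" "$target"
}

# Only touch the live appliance when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  replace_conf "$GOOD" "$TARGET" || exit $?
  # Steps 4 and 5 from the TAC instructions, verbatim.
  perl -MFlyLoader -e "SF::PeerManager::ConfigFiles::create_sftunnel_config()"
  pmtool restartbyid sftunnel
fi
```

Without --apply the script defines the functions and exits, so it can be sourced and dry-run against copies of the files first; the printed backup path is what you would hand to TAC if the corrupt file needs analysis.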
09-11-2017 08:40 PM
I doubt that it's a hardware issue.
I too have seen sftunnel.conf get corrupted (once) and misconfigured (my error that time). That's over the course of a couple dozen Firepower deployments going back as far as release 5.3.x.
If you have the time, I'd go ahead and open a TAC case just to get additional insight.