No Connection/Event Logging in FMC 6.2 with FTDv 6.2

kskksaa
Level 1

Hello,

I'm testing the new Cisco Firepower Threat Defense virtual firewall with the Firepower Management Center.

Everything seems fine: I registered the virtual firewall with the FMC and successfully deployed my Access Control Policy, which permits all traffic; logging to the Event Viewer is enabled at the beginning of the connection.

My problem now is that I don't see any events/connections in the Dashboard. The client behind the firewall has Internet access, and when I set up blocks (URLs, ports) they do work.

I have searched for help online, but none of the suggested solutions worked for me.

Can anybody please help me out?


yogdhanu
Cisco Employee

Hi

You can try running the firewall-engine debug on the FTD to see which Snort rule the traffic hits.

Log in to the FTD CLI:

> system support firewall-engine-debug

Enter the client's source IP and have it generate some traffic. Watch the output to determine which rule the traffic is hitting and check whether that rule has logging enabled.

If all that is correct, it could be a connectivity issue between the FMC and the FTD. Do you see any health alerts on the FMC?

Thanks

Yogesh

Hello,

Thanks for your answer. I ran the debug command with the following parameters.

Here's the command:

> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.10.1
Please specify a client port:
Please specify a server IP address: 0.0.0.0
Please specify a server port: 80

And here's the output:

http://pastebin.com/6CBCxTgy

It seems the traffic falls into the Default Allow rule, on which logging is enabled.

I had some problems with NTP; the health monitor displayed this message:

The Time Synchronization Status 2017-02-27 21:25:30 192.168.2.252 (FTDv Device) is out-of-sync

The device now has its own NTP server (the same one as the FMC); it does not request the time from the FMC, because I've read that there is a bug with a virtual FMC as a time server. Now there are no Health Monitoring warnings, but the problem that no data is shown in the Dashboard persists.

Thanks for your help 
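The procedure described in the two posts above (run the firewall-engine debug, find which access control rule each flow matched, then check whether that rule logs) can be scripted once the debug output is saved to a file. The following is an added example, not code from the thread or from Cisco: the sample debug lines are constructed, the line layout it parses ("client-port > server-port proto AS n I n match rule order N, 'name', action X") is an assumption about the debug format rather than a copy of the poster's pastebin, and the RULE_LOGGING table stands in for the Logging tab of each rule in the FMC Access Control Policy.

```python
"""
Added example: parse per-flow lines from `system support firewall-engine-debug`
and flag flows whose matched rule has connection logging disabled.
Sample lines and the RULE_LOGGING table are constructed for this example;
the debug line layout is an assumption, not taken from the thread.
"""
import re
from collections import namedtuple

Match = namedtuple("Match", "client server proto rule_order rule_name action")

# Constructed sample output (assumed format, see module docstring).
SAMPLE_DEBUG = """\
192.168.10.1-49152 > 93.184.216.34-80 6 AS 0 I 0 New session
192.168.10.1-49152 > 93.184.216.34-80 6 AS 0 I 0 match rule order 3, 'Default Allow', action Allow
192.168.10.1-49152 > 93.184.216.34-80 6 AS 0 I 0 allow action
192.168.10.1-49160 > 198.51.100.7-80 6 AS 0 I 0 New session
192.168.10.1-49160 > 198.51.100.7-80 6 AS 0 I 0 match rule order 1, 'Block bad URLs', action Block
192.168.10.1-49160 > 198.51.100.7-80 6 AS 0 I 0 deny action
"""

# Assumed per-rule logging settings. In a real check, read these off the
# Logging tab of each rule in the deployed Access Control Policy in FMC.
RULE_LOGGING = {
    "Default Allow": {"log_begin": False, "log_end": False},
    "Block bad URLs": {"log_begin": True, "log_end": False},
}

# Only the "match rule order" line carries the rule decision; the
# "New session" / "allow action" / "deny action" lines are ignored.
MATCH_RE = re.compile(
    r"^(?P<client>[\d.]+)-(?P<cport>\d+) > (?P<server>[\d.]+)-(?P<sport>\d+) "
    r"(?P<proto>\d+) AS \d+ I \d+ "
    r"match rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)$"
)


def parse_rule_matches(debug_output):
    """Return a Match for every 'match rule order' line in the debug output."""
    matches = []
    for line in debug_output.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            matches.append(Match(
                client=f"{m['client']}:{m['cport']}",
                server=f"{m['server']}:{m['sport']}",
                proto=int(m["proto"]),          # 6 = TCP, 17 = UDP
                rule_order=int(m["order"]),
                rule_name=m["name"],
                action=m["action"],
            ))
    return matches


def flows_without_logging(matches, rule_logging):
    """Return (flow, rule) pairs whose matched rule produces no connection event.

    A rule name missing from `rule_logging` is reported as well: it usually
    means the deployed policy and the table being checked have diverged.
    """
    silent = []
    for m in matches:
        cfg = rule_logging.get(m.rule_name)
        if cfg is None or not (cfg["log_begin"] or cfg["log_end"]):
            silent.append((f"{m.client} -> {m.server}", m.rule_name))
    return silent


if __name__ == "__main__":
    found = parse_rule_matches(SAMPLE_DEBUG)
    for m in found:
        print(f"{m.client} -> {m.server} hit rule {m.rule_order} "
              f"'{m.rule_name}' ({m.action})")
    for flow, rule in flows_without_logging(found, RULE_LOGGING):
        print(f"NO EVENT EXPECTED: {flow} matched '{rule}' with logging disabled")
```

If every flow lands on a rule that does log and the Dashboard is still empty, the rule evaluation is not the problem and, as the reply above suggests, the next thing to check is the FMC-to-FTD channel (health alerts on the FMC).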

paultribe
Level 1

This is a real pain. I have FMC 6.2.2 with two FTD 4110 appliances. In pre-staging, event analysis worked fine; when I went live with an identical config on the FTD and FMC devices and an identical build, it completely failed to work. The only difference is the hardware the virtual FMC resides on.

This should not be acceptable from Cisco, as my FTDs were installed in a very complex environment. I had to proceed with the implementation with no logging, which hampered our install with respect to troubleshooting. And who foots the bill for the additional time it takes to deliver to our customer?

I am awaiting a TAC response, but I am not happy, as this was so unexpected when going to implementation and did not impress our customer.

Whatever happened to proper UAT, Cisco?

 

I am facing the same problem with FMC 6.2.

Were you able to get any clue from TAC? Please let us know.

Hi There
TAC stated the database had become corrupt and they fixed it. They said it was due to the system being shut down improperly. You will need to raise this with TAC, as it took multiple engineers quite some time to sort out.
The only thing I would say is that I do not remember shutting the system down incorrectly, and the logging never worked from the outset. Nevertheless, they did a superb job sorting this out; I observed them working on it via WebEx, and it looked very complex with respect to the work they were doing.
Regards
Paul Tribe