Not able to access Firepower Chassis manager on FTD 2100

vaibhav.parlekar1 · ‎01-05-2018

Hi,

Just setting up a new 2100 but unlike the 4100 the default management address opens up the FDM and not the Chassis manager.

even though I have data interfaces connected and enabled the interface on the GUI it's still in amber color in the GUI. I checked the interface status via Cli and it shows the interface is administratively down state. not sure why ?

I tried enabling the interface from FXOS Cli but I am getting a strange error on the Cli via committing the config. "Error: Changes not allowed. use 'connect FTD' to make changes.

The error says use connect FTD to make changes but when connect to FTD there is no option to set the interface configuration in that Cli mode or the Scope commands like in FXOS.

I have attached the error as well.

Is there a way to access the firepower chassis manager GUI on the 2100.

Would be great if anyone has seen this issue before.

Vaibhav

vaibhav.parlekar1 · ‎01-05-2018

Hi,

I found this link below of Cisco on FXOS cli for FTD 2100.

https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot/about_the_firepower_2100_security_appliance_cli.html.

The link mentions that if Firepower Threat Defense is installed on your Firepower 2100 device,the FXOS CLI does not allow you to modify the configuration. If you attempt to perform any configuration changes with the FXOS Cli, the commit-buffer command returns an error.

This is exactly the issue I am facing. I don't understand if changes cannot be made from FXOS on 2100 then eventually it means no changes on FXOS can be done from the Cli on the FTD 2100 cause they can't be committed to the buffer.

Is anyone able to access the chassis manager on the FTD 2100? though I have enabled interfaces on FDM it's status on the Cli is still administratively down and cannot be enabled from the Cli.

Vaibhav

Marvin Rhoads · ‎01-05-2018

When using FMC and FDM, all changes are at least a 2-step process:

1. make then change in the GUI and

2. deploy it to the device.

Did you deploy your configuration changes after making them in FDM?

martin564128 · ‎04-26-2018

Based on the previous link I think that 2100 allows changes only from GUI. You have to connect to "chassis" and set IP address of management server there. It should be done via command configure manager add 10.1.1.1 password. Switching between "chassis" and "FTD" is via command "connect ftd" and "connect fxos".

I got the error "Error: Changes not allowed. use: 'connect ftd' to make changes." when I try to set SNMP location form CLI. GUI allows setting snmp location for HA pair only and I want to set it individually per HA member. It is impossible. Also I cannot set systemName - GUI has no such option, CLI changes are not allowed. Snmpget returns default name "octeon".

[martin@mrtg ~]$ snmpwalk -v 2c -c public 10.2.2.2 sysname
SNMPv2-MIB::sysName.0 = STRING: octeon
[martin@mrtg ~]$

Marvin Rhoads · ‎04-27-2018

There are a very limited number of configuration changes one can make from the cli for an FTD device. They are mostly related to what's necessary to bootstrap it for management purposes and are listed here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/ftd-fmc-2100-qsg.html#pgfId-204325

You can change system name during initial setup. I'm not sure where they save that script but the hostname is stored in the usual Linux location as shown below:

admin@vftd2:/etc/sysconfig$ more network 
# automatically generated on Mon Apr 16 16:12:04 UTC 2018

HOSTNAME=vftd2.ccielab.mrneteng.com
NOOUTPUT=TRUE
NTP_MAX_DISTANCE=1.5
SEARCH_DOMAIN=ccielab.mrneteng.com
DNS_STATE=enable
DNS_SERVER="172.31.1.6 208.67.222.222 208.67.220.220"
NTP_STATE=enable
NTP_SERVER="0.sourcefire.pool.ntp.org 1.sourcefire.pool.ntp.org 2.sourcefire.pool.ntp.org 3.sourcefire.pool.nt
p.org 127.0.0.2"
admin@vftd2:/etc/sysconfig$

ecgbello07 · ‎11-28-2018

Hi Marvin,

Any idea why Cisco has made the CLI so limited on the FTD devices? For me this is a serious limitation. I have a customer that is migrating from ASA to FTD and they have 400+ Site to Site tunnels. It is not fun having to manually create that many tunnels when a simple copy and paste on the CLI would make it so easy. On top of that my understanding is that the Flexconfig cannot be used either for features that can be configured through the FMC (like VPN tunnels).

BillXia · ‎02-24-2020

My uplink interface is in shutdown status, and therefore, FTD cannot connect to FMC. i need to enable the uplink interface to restore the connection, this is a chicken and egg issue.

Marvin Rhoads · ‎02-25-2020

If the appliance has no configuration on it, you can factory reset it from the console cli:

https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot/b_2100_CLI_Troubleshoot_chapter_011.html#task_vxn_r5h_qdb

Once reset, the management interface should be enabled.

sjdnetwerk · ‎09-14-2018

Did you manage to enable the interface? Because I am facing the same problem. Enabling in the GUI doesn't enable the interface in reality.

rarae · ‎11-21-2018

Randy Rae 1 second ago

This may help a little bit. https://youtu.be/DYXMQKtfbTo