
not able to exit out of firepower-module> on Cisco FTD 4100

Hi All,

 

I am not able to exit out of the firepower module back into FXOS from the CLI. I tried the exit command and also tried ~ as well, but it does not accept the command.

We have changed the management ip of the chassis and we are able to access it via SSH but the webgui of the chassis manager is not opening. Hence we want to get back into FXOS to see if there are any configurations out here to get the chassis manager GUI back.

 

Can someone please help me get back to the FXOS or get the chassis manager GUI back?

Regards

Vaibhav

 


Marvin Rhoads
Hall of Fame

It sounds like you are logged into the logical device management interface directly vs. via the chassis management port.

 

Only when you log into the latter can you move between the chassis management interface, the module and the logical device (FTD).

Hi Marvin,

 

Thanks a lot for your prompt response. I had initially logged into the device using the same IP address by which I was able to access the Chassis manager GUI.

 

I SSHed into the firewall on the same IP address. Then, using the configure network command, I changed the IP address of the management interface of the firewall. Before changing the IP address, it's the same interface which was configured as management from the chassis manager.

Now I am able to SSH to the changed IP address and ping it as well, but the chassis manager GUI does not load at all.

One more thing I noted was that initially, before the change of IP address, when I would SSH into the appliance I would log in to the default prompt from where I could navigate into the FXOS. But after the change of IP address I directly log into the firepower-module> prompt, and it only lets me connect to the FTD module and does not let me exit into the FXOS CLI.

From the documentation, I guess this is the way to set up the management interface of the chassis, right? I have not configured the FMC yet.

 

Kindly please let me know.

 

Regards

 

Vaibhav

Hmm, it appears you've set up something incorrectly. Normally you would:

 

a. bootstrap the chassis from console or physical management port.

b. assign physical interfaces to the logical device (FTD), connect to it (from the FX-OS cli interface or Firepower Chassis Manager GUI) and run configure-network to assign a unique IP address to the allocated physical management interface that will be used by FTD.

c. login to the FTD module directly via its assigned and configured management interface and add manager (the FMC).

 

When you "connect-ftd" from the "firepower-module" prompt, does that work? If so, what does the IP address show as when you "show network"?

 

Have you tried connecting to the front panel serial console port? What do you see there? ("connect local-mgmt" and "show mgmt-port")

Hi Marvin

Thanks again. Like I had mentioned earlier, since we are moving the firewall to a new network we wanted to change the firewall network settings. Hence, before we changed the IP address, the FTD physical interface which is mapped to the logical device was used as a dedicated port for management.

We changed that IP address. Yes, we can connect to FTD using the connect ftd command. And we had used the configure network command to change the IP address. So after connecting to FTD from the CLI we used the show network command.

We are able to see the IP address that we had assigned via the CLI, to which we are able to SSH to the firewall.

Management 0 state enabled

IPv4 configuration we are able to see the IP address, subnet mask etc.

Is there something we have missed, or are we left with the only option of factory resetting the firewall?

 

Vaibhav

 

Since you're starting anew a reset might be in order.

 

Are you aware that the physical chassis management port is the one used by Firepower Chassis Manager and the FX-OS cli? That one requires a unique IP address distinct from the address assigned to the FTD logical device.

 

While you can access the FTD cli via ssh to the chassis management interface and then doing the "connect module 1 console" and "connect ftd" commands, that is not normally how you would get in as it's a bit convoluted.

 

The address assigned to the FTD logical device is associated with a separate physical interface on the chassis which you must assign from FCM or the FX-OS cli.

 

If you haven't read it yet, I highly recommend the "Cisco Firepower Threat Defense" book by Nazmul Rajib. Chapter 6 explains the above in much more detail. It's available from Cisco Press, Amazon.com or via Safari Books online.

Thanks Marvin,

Vaibhav

ravi.et
Level 1

- Press shift+~ key

- You will go into telnet> mode

- Type q and hit the Enter key; you will get back to the chassis (FXOS)

 

Example :-

Firepower-module1>
Firepower-module1>  -----> here I pressed shift+~ key
telnet> q
Connection closed.
Firepower-2-A#

Note: if you log in directly with the FTD IP, then you can exit from Firepower-module1> by just typing exit. The above scenario comes up only when you log in to the chassis (FXOS) IP and then use to go to FTD

Thanks ravi.et that was very helpful!

This should have been marked as the solution. Thanks!

Hey there!
I have the same issue, I'm stuck at an empty prompt after connect ftd.
I am connected remotely via a terminal server to the console line.
I know it is a stupid question, but how do you press shift + ~ ?
I don't have a native tilde on any keyboard layout I know, and it does not accept it with altgr+my button.
I also tried ASCII octal \017\176 via SecureCRT and send BREAK via PuTTY, no luck.
Thanks!


@lmoceze unfortunately using the tilde is required to escape from the module.

Alternate keyboard layouts almost always have a way of entering the tilde symbol when it is not a native key in your layout.

For example, see this article: https://apple.stackexchange.com/questions/286197/typing-the-tilde-character-on-a-pc-keyboard

Thanks! Unfortunately, when I do the shift + tilde (altgr + * (next to enter) in my case), nothing happens.
I can type tilde without the shift, but it looks like the shift + altgr is too much for the terminal server.
And if I try any layout where it is not altgr but shift, it is simply just typing tilde and that's it.
Is there any other way to break out of this devilish cycle (without reboot)?
Also a strange thing is that if I type something to the session (e.g. plsletmego, then hit enter, then I get plsletmego in a new line afterwards).
Thanks!

Ah you are connecting via a terminal server. That may limit your options. Is it not possible to try it from an ssh connection?

Unfortunately no, also there is no on-site person there (I know, please don't tell me about it :) )
