Not possible to register firepower 1120

JamesMichael
Level 1

Hello,

I have a Firepower 1120 managed from FDM.

A few days ago I had to erase the configuration. I skipped the initial configuration and updated to version 7 from 6.6.

Now I cannot register the device, because each time I try, I receive the following message:

 

"The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again"

 

Here is the output from the show network command:

 

> show network
===============[ System Information ]===============
Hostname                  : FTD01
DNS Servers               : 208.67.222.222
                            208.67.220.220
DNS from router           : disabled
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.46.1
  Netmask                 : 0.0.0.0
 
 
==================[ management0 ]===================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : D4:EB:68:78:65:00
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.46.2
Netmask                   : 255.255.255.0
Gateway                   : 192.168.46.1
----------------------[ IPv6 ]----------------------
Configuration             : Disabled
 
===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

 

Routing is working on all data interfaces. I have only one route, the default one. DNS is working on all data interfaces.

I suppose DNS is not working on the management interface and I don't know how to enable it from FDM. I cannot find such an option.

 

Is there anyone who has had a similar issue and could help?

 

Accepted Solution

Hi, from the results, routing isn't working. The ICMP dst message is generated from 46.2. Check if you can ping system 192.169.46.1. If not, check your VLAN configuration and L2 connectivity.

**** please remember to rate useful posts


11 Replies

Hi, just to confirm it is a DNS problem, try ping system Google.com from the clish and see if you get an IP or not. In the same way, try ping system 8.8.8.8 to see if the internet is reachable.

***** please remember to rate useful posts

Hello Mohammed,

FTD can't ping any of them.

 

> ping system google.com
ping: google.com: Temporary failure in name resolution

> ping system 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.46.2 icmp_seq=1 Destination Host Unreachable
From 192.168.46.2 icmp_seq=5 Destination Host Unreachable
From 192.168.46.2 icmp_seq=11 Destination Host Unreachable
From 192.168.46.2 icmp_seq=12 Destination Host Unreachable
From 192.168.46.2 icmp_seq=13 Destination Host Unreachable
From 192.168.46.2 icmp_seq=14 Destination Host Unreachable
From 192.168.46.2 icmp_seq=15 Destination Host Unreachable

 

Here is the screenshot from my management interface page:

Management Interface.JPG

Hi, from the results, routing isn't working. The ICMP dst message is generated from 46.2. Check if you can ping system 192.169.46.1. If not, check your VLAN configuration and L2 connectivity.

**** please remember to rate useful posts

Hi,

I made some changes.

By default interface Ethernet1/2 has this IP address - 192.168.1.1. NAT is working. Network 192.168.1.0/24 is translated to outside interface. DNS is also working from this interface. Tested from laptop with IP address 192.168.1.5 directly connected to Ethernet1/2:

Pinging goolge.com [216.58.209.4] from 192.168.1.5 with 32 bytes of data:
Reply from 216.58.209.4: bytes=32 time=1ms TTL=59
Reply from 216.58.209.4: bytes=32 time=1ms TTL=59

 

I changed the IP address of the management interface to 192.168.1.45 and checked the option "use the data interfaces as a gateway".

Management Interface2.JPG

 

 

 

Now the management interface can ping 8.8.8.8 and itself (192.168.1.45), but DNS is still not working.

 

> ping system 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.04 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=0.845 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=0.809 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=59 time=0.785 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=59 time=0.914 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=59 time=0.844 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=59 time=0.795 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=59 time=0.820 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=59 time=0.859 ms
^C
--- 8.8.8.8 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 318ms
rtt min/avg/max/mdev = 0.785/0.856/1.035/0.075 ms

> ping system google.com
ping: google.com: Temporary failure in name resolution
> ping system 192.168.1.45
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 192.168.1.45: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 192.168.1.45: icmp_seq=3 ttl=64 time=0.036 ms
^C

--- 192.168.1.45 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 85ms
rtt min/avg/max/mdev = 0.033/0.042/0.058/0.012 ms
> ping system 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.45 icmp_seq=1 Destination Host Unreachable
From 192.168.1.45 icmp_seq=5 Destination Host Unreachable
From 192.168.1.45 icmp_seq=6 Destination Host Unreachable
^C
--- 192.168.1.1 ping statistics ---
8 packets transmitted, 0 received, +3 errors, 100% packet loss, time 247ms

 

I have no clue what to do next.

 

Update: I have managed to enable DNS from router option with command "configure network dns router enable" from CLISH, but it did not change anything.

 

From the CLI in FTD, use the command configure network dns servers 8.8.8.8

Then check if the DNS changed from CLI using show network.

Finally, check if DNS is resolving.

**** please remember to rate useful posts

I did as you said. Then I had to deploy the changes from the web GUI.

 

Here is the output from show network:

 

> show network
===============[ System Information ]===============
Hostname : FTD01
DNS Servers : 8.8.8.8
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : data-interfaces

==================[ management0 ]===================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : D4:EB:68:78:65:00
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.45
Netmask : 255.255.255.0
Gateway : 169.254.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

 

And here is output from ping:

 

> ping system 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.07 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=0.867 ms
^C

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 0.867/0.970/1.073/0.103 ms
> ping system google.com
ping: google.com: Name or service not known

 

So it is still not resolving addresses ;(

I think your networking is missing something to allow FTD mgmt to reach the internet on UDP 53 (either NAT or routing or ACL, etc.).

***** please remember to rate useful posts

Hello Mohammed,

I have connected the management interface to the switch connected to the data interface, and finally ping system google.com was resolving the name.

 

Thank you!

G8. Hope posts were helpful

1. Can you connect a laptop directly to the ISP router and check whether internet access and DNS resolution are working?

2. Remove and add the default route again to 0.0.0.0 0.0.0.0 and test again.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello Kasun,

1. I did it and my laptop can resolve IP addresses.

2. Also did it as well, but nothing has changed and I still could not ping from management interface.

 

Thanks anyway
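
The triage followed in this thread, as an added example (not posted by any participant and not Cisco code): a Python script that reads pasted `show network` and `ping system` text and names the failing layer. The function names and verdict strings are hypothetical, and the samples are trimmed from the output posted above.

```python
import ipaddress
import re

def parse_show_network(text):
    """Pull the management0 IPv4 settings and DNS servers out of `show network`."""
    mgmt = text.split("management0", 1)[1]
    def field(name):
        return re.search(rf"^\s*{name}\s*:\s*(\S+)", mgmt, re.M).group(1)
    dns = re.search(r"DNS Servers\s*:(.*?)DNS from router", text, re.S).group(1)
    return {"address": field("Address"), "netmask": field("Netmask"),
            "gateway": field("Gateway"), "dns": re.findall(r"\d+(?:\.\d+){3}", dns)}

def classify_ping(output, own_address):
    """Reduce one `ping system` transcript to a single outcome."""
    if re.search(r"failure in name resolution|Name or service not known", output):
        return "dns-failure"
    # An unreachable reported by our own address means ARP for the next hop got no answer.
    if re.search(rf"^From {re.escape(own_address)} .*Host Unreachable", output, re.M):
        return "no-arp-reply"
    if re.search(r"^\d+ bytes from ", output, re.M):
        return "reachable"
    return "unknown"

def triage(show_network, ping_ip, ping_name):
    """Name the failing layer from the three pasted outputs."""
    net = parse_show_network(show_network)
    by_ip = classify_ping(ping_ip, net["address"])
    by_name = classify_ping(ping_name, net["address"])
    if by_ip == "no-arp-reply":
        subnet = ipaddress.ip_interface(f"{net['address']}/{net['netmask']}").network
        on_link = ipaddress.ip_address(net["gateway"]) in subnet
        return "layer2-to-gateway" if on_link else "gateway-outside-subnet"
    if by_ip == "reachable" and by_name == "dns-failure":
        return "dns-path"      # IP works, names do not: check UDP 53 from management
    return "ok" if by_ip == by_name == "reachable" else "unknown"

# Samples trimmed from the output posted in this thread.
FIRST = """DNS Servers               : 208.67.222.222
                            208.67.220.220
DNS from router           : disabled
==================[ management0 ]===================
MAC Address               : D4:EB:68:78:65:00
Address                   : 192.168.46.2
Netmask                   : 255.255.255.0
Gateway                   : 192.168.46.1"""
FIRST_PING = ("PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.\n"
              "From 192.168.46.2 icmp_seq=1 Destination Host Unreachable")
NAME_FAIL = "ping: google.com: Temporary failure in name resolution"

if __name__ == "__main__":
    print(triage(FIRST, FIRST_PING, NAME_FAIL))
```
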

 
