06-19-2024 05:05 AM
Hi,
I bought a Firepower 1010 NGFW for a small office, and it does route traffic generally to the internet, but I can't seem to get the Geolocation, VDB, Security Intelligence Feeds, or Intrusion Rule. NTP doesn't update either, but it is set to use (0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org)
System Current version is 7.2.5-208
From Tasks:
Security Intelligence Feeds update - Security Intelligence feeds download failed.
Cisco Smart Software Manager Registration - The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.
NTP - None of the NTP Servers Can be reached
VDB Update / GeoDB Update - Unable to connect to update server
The output I get from show network:
> show network
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 208.67.222.222
208.67.220.220
2620:119:35::35
DNS from router : disabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.95.1
Netmask : 0.0.0.0
==================[ management0 ]===================
Admin State : enabled
Admin Speed : 1gbps
Operation Speed : indeterminate
Link : link-down
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : D0:DC:2C:F5:A1:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.95.2
Netmask : 255.255.255.0
Gateway : 192.168.95.1
----------------------[ IPv6 ]----------------------
Configuration : DHCP
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
Am I doing anything obviously wrong?
06-19-2024 05:11 AM
Can you test a ping from the CLI to something on the internet, for example 1.1.1.1, using this command: ping system 1.1.1.1. That will test ping to 1.1.1.1 from the management interface specifically. The management interface needs to be able to reach Cisco's services to download what you've mentioned.
06-19-2024 05:15 AM
This is what I get with the system option:
> ping system 1.1.1.1
Character system not allowed in CLI Console.
06-19-2024 05:36 AM
What does it say when you do "ping ?"? I don't have access to an FTD 1010 running Firepower code to test it myself.
If you can't test ping from the management interface of the FTD can you test internet access from a different device in the same network as the management interface of the FTD?
06-19-2024 05:44 AM
@craig264 use an actual ssh session. The GUI command prompt is feature-limited.
06-19-2024 05:40 AM
I plugged in a serial cable:
> ping system 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.95.2 icmp_seq=1 Destination Host Unreachable
From 192.168.95.2 icmp_seq=2 Destination Host Unreachable
From 192.168.95.2 icmp_seq=3 Destination Host Unreachable
06-19-2024 05:45 AM
I think that is the problem then, the management network does not have internet access to reach Cisco's services to download everything you require or to reach the NTP servers. I'd check the gateway's routing table and go from there.
06-19-2024 08:10 AM
Note your "show network" output indicates that the management0 interface is "link-down". An FTD device requires Internet connectivity for the management interface (distinct from the connectivity used by the data plane).
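The diagnosis in this thread (link-down on management0, so updates, licensing and NTP all fail) can be automated for fleets of FTDs. The following is an added example, not code from the thread or from Cisco: it parses the text of `show network` as pasted above and reports the management-plane problems a practitioner would check first: link state, whether the IPv4 gateway sits inside the management subnet, whether the default-route gateway matches the interface gateway, and whether DNS servers are configured. The sample input is the thread's own output, embedded here as a constructed offline test; the "link-up" string is assumed to be what the command prints for a healthy link.

```python
import ipaddress
import re

# Constructed sample: the "show network" output pasted in the thread.
SAMPLE_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 208.67.222.222
208.67.220.220
2620:119:35::35
DNS from router : disabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.95.1
Netmask : 0.0.0.0
==================[ management0 ]===================
Admin State : enabled
Link : link-down
MTU : 1500
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.95.2
Netmask : 255.255.255.0
Gateway : 192.168.95.1
----------------------[ IPv6 ]----------------------
Configuration : DHCP
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
"""

SECTION_RE = re.compile(r"^[=\-]+\[\s*(.+?)\s*\][=\-]+$")


def parse_show_network(text):
    """Flatten 'show network' output into {section: {key: value}}.
    Sub-blocks such as [ IPv4 ] become their own top-level section. A bare
    line with no spaces (an extra DNS server) is a continuation of the
    previous key and turns its value into a list; any other bare line
    ("IPv4 Default route") is kept as a sub-heading with an empty value."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, last_key = m.group(1), None
            sections[current] = {}
            continue
        if current is None:
            continue
        if " : " in line:
            key, _, value = line.partition(" : ")
            last_key = key.strip()
            sections[current][last_key] = value.strip()
        elif last_key is not None and " " not in line:
            prev = sections[current][last_key]
            prev = prev if isinstance(prev, list) else [prev]
            sections[current][last_key] = prev + [line]
        else:
            sections[current][line] = ""
            last_key = None
    return sections


def check_management_plane(sections):
    """Return human-readable findings; an empty list means no obvious
    reason for the management interface to lack Internet reachability."""
    findings = []
    mgmt = sections.get("management0", {})
    ipv4 = sections.get("IPv4", {})
    sysinfo = sections.get("System Information", {})

    link = mgmt.get("Link", "unknown")
    if link != "link-up":  # assumed healthy value
        findings.append(f"management0 link is '{link}': nothing reaches the gateway")
    try:
        iface = ipaddress.IPv4Interface(f"{ipv4['Address']}/{ipv4['Netmask']}")
        gw = ipaddress.IPv4Address(ipv4["Gateway"])
        if gw not in iface.network:
            findings.append(f"gateway {gw} is outside {iface.network}")
        if sysinfo.get("Gateway") not in (None, str(gw)):
            findings.append("default-route gateway differs from interface gateway")
    except (KeyError, ValueError) as exc:
        findings.append(f"incomplete or invalid IPv4 configuration: {exc}")
    if not sysinfo.get("DNS Servers"):
        findings.append("no DNS servers: update/licensing hostnames cannot resolve")
    return findings


if __name__ == "__main__":
    for f in check_management_plane(parse_show_network(SAMPLE_SHOW_NETWORK)):
        print("FINDING:", f)
```

Run against the thread's output it reports only the link-down finding, which matches the conclusion reached in the thread; feeding it the output of a device whose cable is connected but whose gateway is mis-set produces the subnet finding instead.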