Problem with adding SFR module to Firepower Management Center

John Gallager
Level 1

Hi,

I have two ASAs with SFR modules which form a failover cluster. Both are connected and configured identically. I was trying to add them to FMC, and one was a piece of cake; the other, no way to go.

There is communication between FMC and SFR; they authenticate correctly and form a communication channel, but for whatever reason they can't pair. As you can see from the logs below, it all ended with CRITICAL Unauthorized RPC call. Does anybody know what's going on there?

Sep 14 2018 11:47:42 sis-ips-01 SF-IMS[18285]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:47:28 sis-ips-01 SF-IMS[18278]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:47:13 sis-ips-01 SF-IMS[18269]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:47:13 sis-ips-01 SF-IMS[4706]: [4777] CloudAgent:IPReputation [INFO] The curl option for dns verifypeer=1    verifyhost=0
Sep 14 2018 11:47:13 sis-ips-01 SF-IMS[4706]: [4777] CloudAgent:IPReputation [INFO] The curl option for ip  verify_peer=1  verifyhost=0 
Sep 14 2018 11:47:13 sis-ips-01 SF-IMS[4706]: [4706] CloudAgent:CloudAgent [INFO] IPRep, time to check for updates
Sep 14 2018 11:46:59 sis-ips-01 SF-IMS[18256]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:46:45 sis-ips-01 SF-IMS[18230]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:46:31 sis-ips-01 SF-IMS[18218]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10608]: [18215] sfmgr:sfmanager [INFO] SFMGR: UNIX socket '/var/sf/peers/10.0.20.202/mgr.sox': 9 is listening...
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10608]: [18215] sfmgr:sfmanager [INFO] SFMGR is published on peer 10.0.20.202
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10608]: [18216] sfmgr:sfmanager [INFO] Writing out service number - SFMGR for peer 10.0.20.202
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_channel [INFO] >> ChannelState do_dataio_for_heartbeat peer 10.0.20.202 / channelA / CONTROL [ msgSock & ssl_context ] <<
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_peers [INFO] Confirm RPC service in CONTROL channel
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Need to send SW version and Published Services to 10.0.20.202
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_peers [INFO] Using a 20 entry queue for 10.0.20.202 - 6666
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] RPC Service is published for peer 10.0.20.202.
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10608]: [10635] sfmgr:sfmanager [INFO] Established connection to sftunnel for peer 10.0.20.202 (fd 8)
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Accepting a service connection..
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] RPC service did not connect locally, but is published remotely on 10.0.20.202.
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.0.20.202 (6.2.3.5)
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.0.20.202 (6.2.3.5)
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_channel [INFO] >> ChannelState do_dataio_for_heartbeat peer 10.0.20.202 / channelA / CONTROL [ msgSock & ssl_context ] <<
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Need to send SW version and Published Services to 10.0.20.202
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Peer 10.0.20.202 main thread started
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:stream_file [INFO] Stream CTX initialized for 10.0.20.202
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Connected UEC Services...
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] Socket '/var/sf/peers/10.0.20.202/conn.sox': 12 is accepting services.
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_channel [INFO] >>>>>>> initChannels peer: 10.0.20.202 <<<<<<
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_connections [INFO] HandlePeerConnection....
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_ssl [INFO] Connect: Start child thread for peer '10.0.20.202'
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_peers [INFO] Peer 10.0.20.202 needs the first connection
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_ssl [INFO] Connect: AUTHENTICATED peer '10.0.20.202'
9 Replies

babiojd01
Level 1

Versions of FP on either end? FPM and FP module?

Is there a NAT in between? Is the password you are using to pair them identical on both ends? The network the fp module is on is a good stable network not across the globe?

Both FPM are 6.2.0 (one added without issue, one not), FMC is 6.2.3. Communication is fine; they are all connected to the same switch. There is no NAT between them and all IP is permitted. Password is identical on both ends, which can be seen in the log:

Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_ssl [INFO] Connect: AUTHENTICATED peer '10.0.20.202'

Have you entered expert mode on the module and done a sudo pigtail to watch the logs during the attempted connection? Same with the FPM. SSH into it and do sudo pigtail while you are trying to make the connection.

Yes, I did that. On the manager side it looks fine:

Sep 14 12:37:58 SIS-SFR01 SF-IMS[4687]: [4728] sftunneld:sf_peers [INFO] Peer 192.168.1.4 needs a single connection
Sep 14 12:37:58 SIS-SFR01 SF-IMS[4687]: [4728] sftunneld:sf_connections [INFO] Start connection to : 192.168.1.4 (wait 0 seconds is up)
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_peers [INFO] Peer 192.168.1.4 needs a single connection
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Connect to 192.168.1.4 on port 8305 - eth0
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 192.168.1.4 (via eth0)
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.168.1.4:8305/tcp
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 192.168.1.4
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Connected to 192.168.1.4:8305 (IPv4)
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '192.168.1.4'
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Peer 192.168.1.4 supports separate events connection
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Peer 192.168.1.4 registration is complete remotely
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Connect: AUTHENTICATED peer '192.168.1.4'
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_peers [INFO] Peer 192.168.1.4 needs a single connection
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_ssl [INFO] Connect: Start child thread for peer '192.168.1.4'
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] HandlePeerConnection....
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_channel [INFO] >>>>>>> initChannels peer: 192.168.1.4 <<<<<<
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:stream_file [INFO] Stream CTX destroyed for 192.168.1.4
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Socket '/var/sf/peers/192.168.1.4/conn.sox': 23 is accepting services.
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Connected UEC Services...
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:stream_file [INFO] Stream CTX initialized for 192.168.1.4
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Peer 192.168.1.4 main thread started
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.1.4 (6.2.0)
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Need to send SW version and Published Services to 192.168.1.4
Sep 14 12:37:59 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_channel [INFO] >> ChannelState do_dataio_for_heartbeat peer 192.168.1.4 / channelA / CONTROL [ msgSock & ssl_context ] <<
Sep 14 12:38:01 SIS-SFR01 SF-IMS[4687]: [4729] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 192.168.1.5 over eth0
Sep 14 12:38:01 SIS-SFR01 SF-IMS[4687]: [4729] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.1.5 (6.2.0)
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Accepting a service connection..
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_heartbeat [INFO] RPC Service is published for peer 192.168.1.4.
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4688]: [4721] sfmgr:sfmanager [INFO] Established connection to sftunnel for peer 192.168.1.4 (fd 10)
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4688]: [31133] sfmgr:sfmanager [INFO] Writing out service number - SFMGR for peer 192.168.1.4
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_peers [INFO] Using a 20 entry queue for 192.168.1.4 - 6666
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_connections [INFO] Need to send SW version and Published Services to 192.168.1.4
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_peers [INFO] Confirm RPC service in CONTROL channel
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_channel [INFO] >> ChannelState do_dataio_for_heartbeat peer 192.168.1.4 / channelA / CONTROL [ msgSock & ssl_context ] <<
Sep 14 12:38:02 SIS-SFR01 SF-IMS[4688]: [31132] sfmgr:sfmanager [INFO] Waiting for RPC service to be published on peer 192.168.1.4
Sep 14 12:38:03 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 192.168.1.4 (6.2.0)
Sep 14 12:38:03 SIS-SFR01 SF-IMS[4687]: [31125] sftunneld:sf_heartbeat [INFO] (2)FORWARDED Product Info received from peer 192.168.1.4 to SFMGR
Sep 14 12:38:03 SIS-SFR01 SF-IMS[4688]: [31132] sfmgr:sfmanager [INFO] SFMGR is published on peer 192.168.1.4
Sep 14 12:38:03 SIS-SFR01 SF-IMS[4688]: [31132] sfmgr:sfmanager [INFO] SFMGR: UNIX socket '/var/sf/peers/192.168.1.4/mgr.sox': 11 is listening...
Sep 14 12:38:12 SIS-SFR01 Someone connected to me, receiving data...
Sep 14 12:38:12 SIS-SFR01 sla_worker : sizeof(msg) : 8192
Sep 14 12:38:12 SIS-SFR01 before recv(), total_bytes_read = 0, hdr_len = 8
Sep 14 12:38:12 SIS-SFR01 before recv(), total_bytes_read = 8, msg_len = 10
Sep 14 12:38:12 SIS-SFR01 process_msg : Received IPC message type : 12
Sep 14 12:38:12 SIS-SFR01 Response being sent to SAM : 
Sep 14 12:38:12 SIS-SFR01 , len(msg being sent) = 2575
Sep 14 12:38:12 SIS-SFR01 sla_worker : sizeof(msg) : 8192
Sep 14 12:38:12 SIS-SFR01 before recv(), total_bytes_read = 0, hdr_len = 8
Sep 14 12:38:12 SIS-SFR01 Connection closed...
Sep 14 12:38:12 SIS-SFR01 Waiting for someone to connect to me...

What I have on the module itself is just this one repeating error after they exchange software versions:

Sep 14 12:38:49 sis-ips-01 SF-IMS[21333]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:39:03 sis-ips-01 SF-IMS[21340]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:39:17 sis-ips-01 SF-IMS[21351]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:39:31 sis-ips-01 SF-IMS[21377]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:39:46 sis-ips-01 SF-IMS[21388]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:40:00 sis-ips-01 SF-IMS[21396]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:40:14 sis-ips-01 SF-IMS[21408]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 12:40:28 sis-ips-01 SF-IMS[21438]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
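A small triage helper, added here and not taken from the thread or from Cisco, that walks SF-IMS lines in the format quoted above and reports per peer how far registration got (authenticated, software version exchanged, RPC and SFMGR published) and how many manager RPCs the module refused. The sample lines are constructed from the quoted format; the milestone strings are only those seen in the logs above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the SF-IMS/pigtail lines quoted in the thread.
SAMPLE_LOG = """\
Sep 14 2018 11:46:26 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_ssl [INFO] Connect: AUTHENTICATED peer '10.0.20.202'
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.0.20.202 (6.2.3.5)
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10607]: [18212] sftunneld:sf_heartbeat [INFO] RPC Service is published for peer 10.0.20.202.
Sep 14 2018 11:46:27 sis-ips-01 SF-IMS[10608]: [18215] sfmgr:sfmanager [INFO] SFMGR is published on peer 10.0.20.202
Sep 14 2018 11:46:31 sis-ips-01 SF-IMS[18218]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:46:45 sis-ips-01 SF-IMS[18230]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
Sep 14 2018 11:46:59 sis-ips-01 SF-IMS[18256]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from 10.0.20.202 role:manager
"""

# Common SF-IMS prefix; the per-thread "[18212]" id is absent on SF-RPC lines.
LINE_RE = re.compile(r"SF-IMS\[\d+\]:\s+(?:\[\d+\]\s+)?(?P<comp>\S+)\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"(?:peer '?|from )(\d{1,3}(?:\.\d{1,3}){3})")
VERSION_RE = re.compile(r"Saved SW VERSION from peer \S+ \(([\d.]+)\)")
UNAUTH_RE = re.compile(r"Unauthorized RPC call:(\S+) from \S+ role:(\S+)")
# Milestones of a healthy registration, in the order the thread's logs show them.
MILESTONES = {"AUTHENTICATED peer": "authenticated",
              "RPC Service is published": "rpc_published",
              "SFMGR is published": "sfmgr_published"}

def parse_line(line):
    """Split one log line into component, level and message, or None if not SF-IMS."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def registration_summary(text):
    """Per-peer view of how far sftunnel registration got and which RPCs were refused."""
    peers = defaultdict(lambda: {**dict.fromkeys(MILESTONES.values(), False),
                                 "sw_version": None, "unauthorized_rpc": Counter()})
    for raw in text.splitlines():
        rec = parse_line(raw)
        pm = PEER_RE.search(rec["msg"]) if rec else None
        if not pm:
            continue  # not an SF-IMS line, or no peer address in the message
        state, msg = peers[pm.group(1)], rec["msg"]
        for needle, key in MILESTONES.items():
            if needle in msg:
                state[key] = True
        if vm := VERSION_RE.search(msg):
            state["sw_version"] = vm.group(1)
        if (um := UNAUTH_RE.search(msg)) and rec["level"] == "CRITICAL":
            state["unauthorized_rpc"][f"{um.group(1)} role:{um.group(2)}"] += 1
    return dict(peers)

def stuck_peers(summary, threshold=3):
    """Peers that authenticated yet keep refusing manager RPCs: the pattern in this thread."""
    return sorted(p for p, s in summary.items()
                  if s["authenticated"] and sum(s["unauthorized_rpc"].values()) >= threshold)
```

Feed it the output of pigtail from either side; a peer that is authenticated with every milestone set but still counts refused RPCs is exactly the state the module above is stuck in.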

Here is an interesting question, how long is the authentication key? Meaning how many characters?

It's the same as on the first module: 12 characters (small letters and 3 digits).

I'm assuming you tried resetting the module, but have you attempted to rebuild and reimage the module? I recently had a module I was struggling with and was forced to weirdness. The software versions you are speaking about are the same versions I have connected from across the globe.

This is the option I'm thinking about right now. Reimage would be the last resort, but I have no other clues...