11-23-2018 07:56 AM - edited 02-21-2020 08:30 AM
Are there any logs I can look at to see why my SFR isn't connecting to the FMC when I try to add a new device? I can ping both ways from the SFR to the FMC, and packet tracer says port 8305 is good, but there is no telnet option on the SFR so I can't really open a port to the FMC. So in that case I am looking for logs to see the issue.
11-23-2018 08:50 AM
Hi,
Is it a new installation, or had you already configured it before?
- New installation (it was my scenario)
I had some problems with a Firepower 4100 not being registered, and I needed to format the OS; after that it was finally added to the FMC. The Firepower had old configurations with an old manager, so that even using configure manager del and then configure manager add <IP> <Password> it was not possible to configure the new manager. There's also a trick to erase the configuration:
11-23-2018 10:04 AM
11-24-2018 07:19 AM
11-24-2018 07:49 AM
11-24-2018 08:01 AM - edited 11-24-2018 08:02 AM
Check sftunnel.conf at both ends - it's located in etc/sf. The hashed key value is in there so you can compare the values between your device and FMC. If they don't match you can rename sftunnel.conf to sftunnel.conf.OLD and the device (FMC or sensor) will recreate it when you re-register your manager.
The other thing I can think of is have you changed the SSL certificate on your FMC from the self-signed one?
11-24-2018 03:29 PM
11-24-2018 03:37 PM
11-24-2018 06:21 PM
I'm asking because of:
VerifyConnect:Failed to authenticate or to be authenticated by peer '10.81.90.202'
If an external certificate was added without the correct EKU (Enhanced Key Usage), that could cause this error. The certificates at both ends must have both Client Authentication and Server Authentication EKU set as the authentication is two-way (vs. the more common one-way which would be a standard server certificate template).
11-24-2018 06:50 PM
11-26-2018 01:14 AM
Examine the certificate on both ends. The sftunnel.conf file tells you where the local certificate is stored. Copy that certificate .pem file text into a .cer file. You can then look at it and confirm the EKU for both ends.
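A scripted version of that EKU check, added here as an example and not part of the thread: it reads the PEM file whose path you take from sftunnel.conf and confirms both the Server Authentication and Client Authentication EKUs are present. It assumes openssl 1.1.1 or later (needed only for -addext, which builds two throwaway sample certificates to show the pass and fail cases); the file paths are placeholders.

```shell
#!/bin/sh
# Exit 0 when the certificate carries BOTH EKUs that sftunnel's two-way
# authentication needs, 1 otherwise. $1 = path to the PEM certificate
# (on a real box, the path listed in /etc/sf/sftunnel.conf).
has_mutual_auth_eku() {
  # openssl prints the EKU names on the line after the extension header
  ekus=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
           | sed -n '/X509v3 Extended Key Usage/{n;p;}')
  case "$ekus" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "$1: missing Server Authentication EKU" >&2; return 1 ;;
  esac
  case "$ekus" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "$1: missing Client Authentication EKU" >&2; return 1 ;;
  esac
  echo "$1: has both Server and Client Authentication EKUs"
  return 0
}

# Constructed samples (self-signed, throwaway keys), not real FMC/sensor
# certificates: one with both EKUs, one like a standard server template.
make_sample_cert() {  # $1 = output PEM, $2 = extendedKeyUsage value
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
    -addext "extendedKeyUsage=$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample_cert "$SAMPLE_DIR/both.pem" serverAuth,clientAuth
make_sample_cert "$SAMPLE_DIR/server_only.pem" serverAuth

# 'if' keeps a failing check from aborting a 'set -e' shell
if has_mutual_auth_eku "$SAMPLE_DIR/both.pem"; then :; fi
if has_mutual_auth_eku "$SAMPLE_DIR/server_only.pem"; then :; fi
```

Run it against the certificate at each end; a mismatch on either side explains the "Failed to authenticate or to be authenticated by peer" message.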
11-26-2018 06:57 AM