11-22-2019 12:31 PM - edited 02-21-2020 09:42 AM
Hello,
I am facing an issue with SSH/HTTPS management access on a Firepower 4100. After unboxing the device, I consoled in and ran through the initial setup. I assigned the IP, subnet, hostname, default gateway, and IP blocks on the interface. I am able to ping the chassis mgmt interface from a laptop on the same subnet. From my laptop, I use PuTTY to SSH in and I get a response, but using the same credentials that work for console access, it says access denied. I can confirm that my IP is in the IP block list on the private subnet of: 10.200.1.x/24.
When I attempt to access the 4100 via HTTPS, I get the login page, but my credentials that work for console access do not work for web access:
The only network connectivity that I have to the appliance is to the chassis mgmt port. I simply want SSH and/or HTTPS access. I tried creating a 2nd admin user. I have the same issue with that account.
Is there something simple that I am missing to SSH/HTTPS into the chassis management port? I'm on version 2.4(1.101). I have followed the Cisco Firepower 4100 Quick Start Guide. According to the doc, after the initial configuration, one should be able to SSH in to the appliance.
Many thanks for your assistance.
11-22-2019 07:07 PM
Hmm, this is strange. I was going to ask if you had the ssh/http services enabled (Scope system > scope services > enable ssh/http), but if you are getting a login prompt then those must be running. However, one thing that seems odd here is the GUI login screen that you have in your screenshot. This does not look like the FXOS login prompt, nor the error message that you would get if your authentication fails. Can you please confirm that you are trying to get to the chassis (FXOS) and not FTD (the application running on the chassis)?
Thank you for rating helpful posts!
11-23-2019 05:56 AM - edited 11-23-2019 02:34 PM
Hello,
Thank you for your response. The screenshot in my previous post, showing the failed web login, was from going to the management IP: https://10.200.1.210
I have the devices in a simple configuration, as noted below:
The only network cable connected to the FPR-4110 is to the management port. The remaining ports do not have any SFPs or connections. It looks just like the picture below.
I have a 2nd unit with the same issue. Perhaps it is user error. I have followed the getting started guide and set up the necessary address, subnet, IP block, and gateway. I can ping the devices, and SSH/HTTPS responds but does not accept my credentials. If I am connected via console cable, I CAN SSH to the management IP successfully. But I cannot SSH/HTTPS through a network connection.
Is there a feature that needs to be enabled? HTTP and SSH have been set to enabled. Is there a license that needs to be applied? Is 2.4 buggy with this?
Many thanks for your time and assistance.
11-23-2019 07:17 PM
Is it possible that somebody else has a different device in the lab using the same IP address?
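A duplicate address like the one suggested in the reply above shows up on the wire as a single IP answering ARP from more than one MAC. The following is an added example, not part of the original thread: it scans ARP reply lines in the style printed by `tcpdump -n arp` and reports any IP claimed by several MACs. The capture text and MAC addresses are constructed; 10.200.1.210 is the management IP mentioned in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output.
# MACs are made up (documentation range); the IPs follow the thread's subnet.
SAMPLE_CAPTURE = """\
09:14:02.101334 ARP, Request who-has 10.200.1.210 tell 10.200.1.50, length 28
09:14:02.101790 ARP, Reply 10.200.1.210 is-at 00:00:5e:00:53:0a, length 46
09:14:02.102215 ARP, Reply 10.200.1.210 is-at 00:00:5e:00:53:7f, length 46
09:14:05.550012 ARP, Request who-has 10.200.1.1 tell 10.200.1.50, length 28
09:14:05.550467 ARP, Reply 10.200.1.1 is-at 00:00:5e:00:53:01, length 46
09:14:09.000871 ARP, Reply 10.200.1.210 is-at 00:00:5E:00:53:0A, length 46
"""

# Matches "Reply <ipv4> is-at <mac>"; requests and other lines are ignored.
ARP_REPLY = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def macs_per_ip(capture_text):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            # Normalise case so the same MAC is not counted twice.
            seen[match.group(1)].add(match.group(2).lower())
    return dict(seen)


def find_conflicts(capture_text):
    """Return only the IPs that were answered by more than one MAC."""
    return {
        ip: sorted(macs)
        for ip, macs in macs_per_ip(capture_text).items()
        if len(macs) > 1
    }


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip} answered from {len(macs)} MACs: {', '.join(macs)}")
```

Two MACs for one IP are not always a conflict (failover pairs and virtual addresses can move between interfaces), so confirm which physical device owns each MAC before changing anything.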
12-02-2019 05:15 AM
Thank you all for your assistance. I'm going to head over to Networking 101 class :( It was an IP conflict.
12-02-2019 10:52 AM
Hey, don't feel bad as this happens more often than not. We, tech people, tend to miss the most basic/easy things when troubleshooting as we get smarter and more knowledgeable. It is very common :) Plus, it did not help that the login prompt for the other device also happens to be Cisco.
Thank you for rating helpful posts!
12-02-2019 10:55 AM
No worries - the reason I came up with the answer is because I've made the same error once or twice in my long career. :)
11-24-2019 10:46 PM
I think Marvin was thinking what I was thinking. I would recommend connecting your PC directly to the mgmt interface, giving it an IP address from the same subnet, and then trying again. The FXOS GUI login screen should look like this:
Thank you for rating helpful posts!
11-24-2019 02:24 AM
Right click on that page and check the source :)
See what is actually there....
02-10-2021 03:03 AM
Hello,
Please help me to resolve this problem.
I used erase configuration on my FPR 4110, and afterwards I can't access FTD. When I try a different procedure, I get stuck at this step with this error:
Error: Update failed: [App Instance cannot be started. Please provision LogicalDevice before starting application.]
Regards.
02-10-2021 04:33 AM
If you have erased the configuration at the chassis level then you need to start over with provisioning a logical device again as the message indicates.
02-10-2021 04:37 AM
Hello Marvin,
Thank you so much for your return.
Provisioning a logical device means allocating resources such as CPU, disk, and RAM by creating a profile resource?
Regards.
02-10-2021 04:44 AM
Hello Marvin
When I tried to allocate resources through the CLI, because HTTPS access does not work, I got this message:
Error: Update failed: [Specified in CSP image header, FTD application does not support dynamic resources allocation.]
Regards.
02-10-2021 05:15 AM
Simply follow the detailed guide which can be found here:
02-10-2021 05:25 AM
Hello Marvin,
Thank you for your return.
The problem is, I have only CLI access. I can't connect to the chassis over HTTPS: it connects once at startup, then it displays incorrect user and password, and after that it is impossible to restart the page.
Is there an access list problem? Knowing that I didn't configure the IP-Block.
Thank you for helping me, Marvin.