Solved: Unable to Access Management Interface of Firepower Virtual Appliance

Matt · ‎06-10-2018

I'm using the 6.2.3 vFTD OVA provided by Cisco. I want to manage it locally, not with an FMC. After setting it up in vSphere I am able to ping other devices on the network but am unable to access it via SSH or HTTPS. It just times out. When I do "show interfaces ip brief" It shows the Management Interface as having an unassigned IP address, event after I configure it with "configure network ipv4 (ip) (mask) (gateway) Management0/0". I also tried configure "network ipv4 dhcp Management0/0" as there is a DHCP server on the network but neither seems to work. Am I missing something in the documentation or is there a trick to getting this in working order?

Matt · ‎06-19-2018

Your reminder led me to look back into it. This time I noticed some speed/duplex interface errors when trying to configure the management interface.

What fixed it was switching the Cisco-provided interface types in the OVA (E1000) to VMXNET3 interfaces. So it seems to me that Cisco bundled the image with interfaces that don't support it/it doesn't support.

EDIT: Upon further review I think I see the problem. It may not be that Cisco included unsupported interfaces but that the link between my vswitches and my core switch is 10G and E1000 per its name supports only 1G.

View solution in original post

Marvin Rhoads · ‎06-11-2018

The address used for FTD management is known as br1. You can see it from expert mode in the cli.

Management0/0 is also known as the diagnostic interface and is not normally used.

More details can be found here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html#anc7

Here's an example of what I'm talking about:

> show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.31.1.1      YES CONFIG up                    up  
GigabitEthernet0/1         192.168.0.204   YES CONFIG up                    up  
GigabitEthernet0/2         unassigned      YES unset  administratively down up  
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           169.254.1.1     YES unset  up                    up  
Management0/0              unassigned      YES unset  up                    up  
> expert
admin@vftd-new:~$ ifconfig br1
br1       Link encap:Ethernet  HWaddr 00:0c:29:24:8e:3f  
          inet addr:172.31.1.24  Bcast:172.31.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe24:8e3f/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:2066108 errors:0 dropped:7 overruns:0 frame:0
          TX packets:1353107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1830974370 (1.7 GiB)  TX bytes:208854536 (199.1 MiB)

admin@vftd-new:~$

12798172938724295 · ‎06-11-2018

removed

Matt · ‎06-11-2018

Aha, thanks for the clarification. Now that I am certain of the IP I can ARP it but still cannot get a ping/HTTP/HTTPS/SSH to it from the same subnet. If I run "show network" in basic mode I can see the management port is 8305. Should this be working at this point or are there additional changes to make?

Marvin Rhoads · ‎06-11-2018

Basic question but since it's an FTDv... did you verify the VM interface is assigned to a properly configured vswitch port?

From expert mode on the FTDv are you able to ping out to anything? Are you getting your arp cache populated on the FTDv?

You didn't set the diagnostic interface to a different subnet did you?

Matt · ‎06-11-2018

Yeah, I can ARP the FTDv from a PC and I can successfully ping the PC from the FTDv. So far I tried putting all of the interfaces except for BR1 on other VLANs and I also tried putting all interfaces into the same VLAN to no avail.

Brian Schultz · ‎06-19-2018

Did you ever figure this out? I seem to be running into a similar issue with FTDv 6.2.3.

12798172938724295 · ‎06-19-2018

Removed

Matt · ‎06-19-2018

Your reminder led me to look back into it. This time I noticed some speed/duplex interface errors when trying to configure the management interface.

What fixed it was switching the Cisco-provided interface types in the OVA (E1000) to VMXNET3 interfaces. So it seems to me that Cisco bundled the image with interfaces that don't support it/it doesn't support.

EDIT: Upon further review I think I see the problem. It may not be that Cisco included unsupported interfaces but that the link between my vswitches and my core switch is 10G and E1000 per its name supports only 1G.

Brian Schultz · ‎06-20-2018

Great catch! That fixed it for me too. I had to change all of my interfaces to VMXNET3 and now it is working as expected. When you change it to VMXNET3 driver, it changes it to two management interfaces (eth0 and eth1) instead of the bridged br1 interface.

Marvin Rhoads · ‎06-20-2018

My FTDv interfaces are all E1000 and they work fine. It must be, as you said, the downstream device needing VMXNET3 type interfaces.

shrawan.jha · ‎08-20-2019

It worked,

Thanks.