Re: Unable to add an ASA to Firepower Management Centre

curtis03 · ‎04-30-2018

Hi

I'm trying to add a branch office ASA5508 (v6.2.2) with sfr FirePOWER Services Software Module, to a recently installed FMS also 6.2.2

I have end to end connectivity but unable to add this as a new device to the FMS

The ASA sfr is registered with the FMS: -

Show> managers
Host : 10.5.1.50
Registration Key : ****
Registration : pending
RPC Status :

When attempting to add I get the error message 'could not establish a connection with sensor. Make sure .....'

I have monitored the logs on the ASA sfr whilst trying to add this ASA, and can see authentication failing: -

Apr 30 14:13:41 FP SF-IMS[19572]: [19579] sftunneld:sf_connections [INFO] Start connection to : 10.5.1.50 (wait 44 seconds is up)
Apr 30 14:13:41 FP SF-IMS[19572]: [21259] sftunneld:sf_peers [INFO] Peer 10.5.1.50 needs a single connection
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Connect to 10.5.1.50 on port 8305 - eth0
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.5.1.50 (via eth0)
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.5.1.50:8305/tcp
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.5.1.50
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Connected to 10.5.1.50:8305 (IPv4)
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.5.1.50'
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.5.1.50'

The keys are definately correct on both ends

Can anyone please assist?

Many thanks in advance

syehusai · ‎04-30-2018

Hi Curtis,

##it seems that the issue resides between the connectivity in the FMC and the sensor.

It seems like a new deployment, you may check the connectivity between FMC and sensor.
-a ping both ways (fmc to sensor and vice-versa)
- try to see if port 8305 is blocked as its the comm port between FMC and sensor (try telnet on 8305)
- you can also see the messages on both the firepower and FMC (/var/log/messages to see if we are getting any particular errors)
-you can try to restart the comm between FMC and sensor (>expert —> $sudo su —> manage_procs.pl)

If not resolved , these will give us an idea regarding the cause of the issue.

syehusai · ‎04-30-2018

Hi Curtis,

##it seems that the issue resides between the connectivity in the FMC and the sensor.

It seems like a new deployment, you may check the connectivity between FMC and sensor.
-a ping both ways (fmc to sensor and vice-versa)
- try to see if port 8305 is blocked as its the comm port between FMC and sensor (try telnet on 8305)
- you can also see the messages on both the firepower and FMC (/var/log/messages to see if we are getting any particular errors)
-you can try to restart the comm between FMC and sensor (>expert —> $sudo su —> manage_procs.pl)

If not resolved , these will give us an idea regarding the cause of the issue.

curtis03 · ‎05-01-2018

Hi Syehusai

thanks for your reply

as you can see from my post, I have end to end connectivity confirmed via ping from both platforms

also, you can see the FMC has made a successful connection to the sensor on port 8305: -

Apr 30 14:13:41 FP SF-IMS[19572]: [21259] sftunneld:sf_peers [INFO] Peer 10.5.1.50 needs a single connection
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Connect to 10.5.1.50 on port 8305 - eth0
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.5.1.50 (via eth0)
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.5.1.50:8305/tcp
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.5.1.50
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Connected to 10.5.1.50:8305 (IPv4)
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.5.1.50'
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Apr 30 14:13:41 SF-IMS[19572]: [21259] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.5.1.50'

It would appear I have an authentication issue - 'Failed to authenticate or to be authenticated by peer '10.5.1.50''

The define registration keys are correct at both ends

Any ideas?

Many thanks

michoudi · ‎05-03-2018

Are you doing any NAT between the FMC and ASA?

curtis03 · ‎05-04-2018

Hi michoudi

many thanks - no NAT between sensor and FMC

have had TAC look at this - they managed to add sensor, I didn't have a policy defined when adding device, had to create a 'network discovery' policy

i now have device added and licenses applied, but not getting any traffic received from sensor!

am i correct to assume by adding the sensor to FMC the ASA sfr will now automatically forward all traffic to FMC for inspection?

thanks

michoudi · ‎05-04-2018

Glad to hear TAC was able to help you get your sensor to the FMC.

Traffic never gets forwarded to the FMC for inspection. All inspection is done locally on the sensor based on what traffic you configure on the FMC to get inspected.

anthony.dorat · ‎11-06-2018

Hello,

Can you share the operation performed by the TAC to resolve this issue ?