Unable to add FTD into FMC

BmfL
Level 1

Hello,


I am currently unable to add an FTD into FMC; each attempt fails with the error message "host x.x.x.x is not reachable".


- FMC in Europe, FTD in China.

- The FMC pings the FTD successfully and vice versa.

- I did configure network management-data-interface.

- Devices not behind NAT so this setting was skipped.

- The FMC has other FTD running without any issues.


> show managers
Host : x.x.x.x
Registration Key : ****
Registration : pending
RPC Status :
Type : Manager
Host : x.x.x.x
Registration : Pending


> sftunnel-status

SFTUNNEL Start Time: Fri Nov 19 07:59:07 2021

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 0
Reserved SSL connections: 0
Management Interfaces: 2
br1 (control events) x.x.x.x,



9 Replies

balaji.bandi
Hall of Fame

Ping is not good enough; if the FMC is behind a firewall you need to make sure the ports are open between the FTD and the FMC.


Table 2. Firepower Communication Port Requirements (bottom of the table)

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security__Internet_Access__and_Communication_Ports.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SFtunnel port 8305 is open. From the documentation, that should be the one that needs to be opened.

Can you telnet using tcp 8305 in both directions? Both the FMC and managed device need to be able to initiate traffic.

Note China may be blocking the traffic. You can do a packet capture on your FMC to check if the incoming attempts are reaching it. Just use tcpdump from the expert-mode CLI as the root user and filter on the FTD host address in the capture.
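The bidirectional tcp/8305 check suggested above, as an added example that is not code from this thread or from Cisco: a plain TCP connect to the sftunnel port from each side (an ssh client given a trailing number runs it as a remote command on port 22, so that does not exercise 8305), plus a mapping from the two results to what to look at next. It assumes Python 3 is available in expert mode on both peers and that the peer addresses are passed in as placeholders.

```python
import socket
import sys

SFTUNNEL_PORT = 8305  # management/sftunnel port named in the thread


def tcp_reachable(host, port=SFTUNNEL_PORT, timeout=3.0):
    """Attempt a plain TCP handshake to host:port.

    Returns True when the three-way handshake completes, False on refusal,
    timeout or a routing error. This really targets the given port, unlike
    'ssh host 8305', which logs in on port 22 and runs '8305' as a command.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(fmc_to_ftd, ftd_to_fmc):
    """Map the two directional results to the next thing to look at.

    sftunnel needs both peers to be able to initiate the connection, so one
    failing direction is enough to leave registration stuck in 'pending'.
    """
    if fmc_to_ftd and ftd_to_fmc:
        return "tcp/8305 open both ways: look beyond connectivity (registration key, NAT settings)"
    if not fmc_to_ftd and not ftd_to_fmc:
        return "tcp/8305 blocked both ways: check firewall rules on the path"
    blocked = "FMC->FTD" if not fmc_to_ftd else "FTD->FMC"
    return f"tcp/8305 blocked {blocked}: check firewall/NAT on the path for that direction"


def local_listener():
    """Offline self-check aid: bind a loopback listener on a free port and
    return (socket, port) so tcp_reachable() can be exercised without a peer."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # usage: python3 check8305.py <peer-address>   (run once on each peer)
    peer = sys.argv[1]  # placeholder: FTD address on the FMC, FMC address on the FTD
    print(peer, "tcp/8305", "reachable" if tcp_reachable(peer) else "NOT reachable")
```

Feed the two results (one from each peer) to diagnose() to decide which direction, and therefore which firewall or NAT hop, to investigate first.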

ftd-1 SF-IMS[8257]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8256] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8313]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8312] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Default IPv4 gateway for 'br1' not configured.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Adding default IPv4 gateway '1.1.1.1' for 'br1'.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [WARN] Command '/sbin/ip route add default via 1.1.1.1 dev br1' returned 512.
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
ftd-1 SF-IMS[24318]: [24318] sftunneld:SYNC_PROC [INFO] Change in directory /ngfw/var/sf/sync detected (0 vs 1637287229)
ftd-1 SF-IMS[8502]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8501] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8544]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8543] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9

From FTD to FMC:
admin@:~$ ssh 4.1.1.1 8305
Password:

From FMC to FTD:
root@:~# ssh 5.2.2.2 8305

ssh: connect to host 5.2.2.2 port 22: Connection timed out


Tried with ssh in both directions; it seems there is an issue from FMC to FTD.

Now you know where to look and fix the issue.


BB


BmfL
Level 1

After reviewing, I detected that there was a NAT device on the path, despite being told that there wasn't. Configuration was done accordingly. Now it works fine.

Glad you were able to resolve the issue, and thank you for sharing your feedback; we mark this as a solution now.

BB
