11-19-2021 05:56 AM
Hello,
I am currently unable to add the FTD into the FMC; each attempt ends with the error message "host x.x.x.x is not reachable".
- FMC in Europe, FTD in China.
- The FMC pings the FTD successfully and vice versa.
- I did configure network management-data-interface.
- Devices not behind NAT so this setting was skipped.
- The FMC has other FTD running without any issues.
> show managers
Host : x.x.x.x
Registration Key : ****
Registration : pending
RPC Status :
Type : Manager
Host : x.x.x.x
Registration : Pending
> sftunnel-status
SFTUNNEL Start Time: Fri Nov 19 07:59:07 2021
Both IPv4 and IPv6 connectivity is supported
Broadcast count = 0
Reserved SSL connections: 0
Management Interfaces: 2
br1 (control events) x.x.x.x,
11-19-2021 06:06 AM
Ping is not good enough. If the FMC is behind a FW, you need to make sure the ports are opened between the FTD and the FMC.
11-19-2021 06:09 AM
SFtunnel port 8305 is open. From the documentation, that should be the one that needs to be opened.
11-19-2021 06:50 AM
Can you telnet using tcp 8305 in both directions? Both the FMC and managed device need to be able to initiate traffic.
Note that China may be blocking the traffic. You can do a packet capture on your FMC to check if the incoming attempts are reaching it. Just use tcpdump from the expert mode CLI as the root user and filter on the FTD host address in the capture.
11-19-2021 07:24 AM
ftd-1 SF-IMS[8257]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8256] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8313]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8312] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Default IPv4 gateway for 'br1' not configured.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Adding default IPv4 gateway '1.1.1.1' for 'br1'.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [WARN] Command '/sbin/ip route add default via 1.1.1.1 dev br1' returned 512.
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
ftd-1 SF-IMS[24318]: [24318] sftunneld:SYNC_PROC [INFO] Change in directory /ngfw/var/sf/sync detected (0 vs 1637287229)
ftd-1 SF-IMS[8502]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8501] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8544]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8543] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
11-19-2021 07:36 AM
ftd-1 SF-IMS[8257]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8256] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8313]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Default IPv4 gateway for 'br1' not configured.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [INFO] Adding default IPv4 gateway '1.1.1.1' for 'br1'.
ftd-1 SF-IMS[25430]: [25430] sfifd:sfifd [WARN] Command '/sbin/ip route add default via 1.1.1.1 dev br1' returned 512.
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x snort
ftd-1 sudo:root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pgrep -x sfhassd
ftd-1 SF-IMS[24318]: [24318] sftunneld:SYNC_PROC [INFO] Change in directory /ngfw/var/sf/sync detected (0 vs 1637287229)
ftd-1 SF-IMS[8502]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
ftd-1 SF-IMS[24319]: [8501] sfmgr:rexecchild [INFO] Before setting the value to 2, patience = 9
ftd-1 SF-IMS[8544]: SF-RPC:RemoteRun [CRITICAL] Unauthorized RPC call:SF::PeerManager::getPeerInfoLocal from fmc.net role:nobody%0A
11-19-2021 07:54 AM
From FTD to FMC:
admin@:~$ ssh 4.1.1.1 8305
Password:
From FMC to FTD:
root@:~# ssh 5.2.2.2 8305
ssh: connect to host 5.2.2.2 port 22: Connection timed out
I tried with ssh in both directions; it seems there is an issue from FMC to FTD.
11-19-2021 08:05 AM
From FMC to FTD:
root@:~# ssh 5.2.2.2 8305
ssh: connect to host 5.2.2.2 port 22: Connection timed out
I tried with ssh in both directions; it seems there is an issue from FMC to FTD.
Now you know where to look and fix the issue.
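The two checks suggested in the 06:50 AM reply (a TCP connect test on 8305 in both directions, and a tcpdump on the FMC filtered on the FTD address) can be scripted. The following is an added example, not a command from the thread or a Cisco tool; it assumes bash and the coreutils `timeout` command exist on the box, and uses the thread's addresses (4.1.1.1 for the FMC, 5.2.2.2 for the FTD) only as placeholders. One caveat visible in the 07:54 AM output: `ssh 5.2.2.2 8305` connected to port 22, not 8305, so that test did not exercise the sftunnel port at all; the function below takes the port explicitly.

```shell
#!/bin/bash
# Added example (not from the thread): test whether the sftunnel port is
# reachable from this box, and build the capture filter for the peer side.
# Addresses used in the usage block are placeholders, not real devices.

SFTUNNEL_PORT=8305

# check_tcp HOST PORT [TIMEOUT]: returns 0 if a TCP handshake completes,
# non-zero on refusal or timeout. Uses bash's /dev/tcp so that neither
# telnet nor nc has to be present on the appliance.
check_tcp() {
    host="$1"; port="$2"; tmo="${3:-5}"
    timeout "$tmo" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# capture_filter PEER_HOST: BPF filter that keeps only sftunnel traffic
# to or from the peer, as suggested in the thread for the FMC capture.
capture_filter() {
    printf 'host %s and tcp port %s' "$1" "$SFTUNNEL_PORT"
}

# capture_command PEER_HOST: full tcpdump line to run as root in expert mode.
capture_command() {
    printf 'tcpdump -nni any %s' "$(capture_filter "$1")"
}

# report LABEL PEER_HOST: human-readable result for one direction; the
# return status mirrors check_tcp so callers can branch on it.
report() {
    label="$1"; peer="$2"
    if check_tcp "$peer" "$SFTUNNEL_PORT"; then
        echo "$label: TCP $SFTUNNEL_PORT to $peer reachable"
    else
        echo "$label: TCP $SFTUNNEL_PORT to $peer NOT reachable (refused, filtered or NAT'd)"
        return 1
    fi
}

# Stand-alone usage, run once on each side because both ends must be able
# to initiate the connection:
#   on the FTD:  ./sftunnel-check.sh "FTD -> FMC" 4.1.1.1
#   on the FMC:  ./sftunnel-check.sh "FMC -> FTD" 5.2.2.2
if [ $# -eq 2 ]; then
    report "$1" "$2"
    echo "On the peer, confirm arrival with: $(capture_command "$2")"
fi
```

A connect test that fails in one direction only, as in the 07:54 AM post, points at a device on the path that is rewriting or dropping the inbound side; running the capture command on the peer at the same time shows whether the SYN arrives at all, which separates a blocked path from an address mismatch such as the NAT found later in this thread.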
11-19-2021 10:22 AM
After reviewing, I detected there was a NAT device on the path, despite being told that there wasn't. Configuration was done accordingly. Now it works fine.
11-23-2021 09:42 AM
Glad you were able to resolve the issue, and thank you for sharing your feedback; we will mark this as the solution now.