cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
890
Views
0
Helpful
4
Replies

Unable to add powerfire to powersight

pgamage
Level 1
Level 1

I am trying to add ASA5508 to the firesight but failing.

show netstat displays established session with DNS server.

But with powersight, it is SYN_SENT

My powersight is in the inside interface.

show int ip br indicates the management 1/1 is in down/down state.

powerpower version 5.4.1

powersight version 6.0.0

> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 1 172.16.222.24:50346 172.16.22.25:8305 SYN_SENT       < form firesight

udp 0 0 172.16.222.24:49151 172.16.22.32:53 ESTABLISHED     <with DNS server

I will post configs and other show outputs necessary.

Can somebody help me please?

show interface in the firepower module

System> show interfaces
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : EC:BD:1D:5F:A8:38
IPv4 Address : 172.16.22.24

ASA# sh int ip br
Management1/1 unassigned YES unset down down

4 Replies 4

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

You would definitely need to get the Management interface on ASA up and running because all the packets from SFR .

Check this : http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Are yo able to ping the Firesight manager from SFR  and vice a versa ?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thanks, Plugged a cable to the Management 0/0 and everythign started to work. I wrongly thought M0/0 is software only as my power power is a software module. 

Marvin Rhoads
Hall of Fame
Hall of Fame

I agree with Aastha's recommendations.

Also check the sfr module status from the ASA:

show module sfr details

Here's what a healthy module should look like:

ciscoasa# show module sfr details 
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
Serial Number: JAD192903QT
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: 5897.bd27.8360 to 5897.bd27.8360
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 192.168.107.220
Mgmt IP addr: 10.0.128.21
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.0.128.1
Mgmt web ports: 443
Mgmt TLS enabled: true
ciscoasa#
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 10.0.129.1 YES CONFIG up up
GigabitEthernet1/2 10.0.131.1 YES CONFIG up up
GigabitEthernet1/3 10.0.130.1 YES CONFIG up up
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up up
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset up up
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

labsfr login: admin
Password:
Last login: Thu Dec 3 02:24:36 UTC 2015 on ttyS1
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)
> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.2.1:7000 127.0.1.1:1385 ESTABLISHED
tcp 0 0 10.0.128.21:57169 192.168.107.220:8305 ESTABLISHED
tcp 0 0 10.0.128.21:8305 192.168.107.220:55172 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path

<snip>

>
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : Lab_ASA_Outside
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type ASA
Security Zone : Lab_ASA_Inside
Status : Enabled
Load Balancing Mode : N/A
----------------------[ dmz ]-----------------------
Physical Interface : GigabitEthernet1/3
Type : ASA
Security Zone Lab_ASA_DMZ
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 58:97:BD:27:83:60
IPv4 Address : 10.0.128.21
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]---------------------
----------------------------------------------------
> exit

labsfr login:
Escape Sequence detected
Console session with module sfr terminated.
ciscoasa#

All those 'back ground' checkings are really useful. This level of focus definetly lead to solution doent matter how complex it is. really appriciated.

Review Cisco Networking products for a $25 gift card