cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
826
Views
0
Helpful
4
Replies

Unable to add powerfire to powersight

pgamage
Level 1
Level 1

I am trying to add ASA5508 to the firesight but failing.

show netstat displays established session with DNS server.

But with powersight, it is SYN_SENT

My powersight is in the inside interface.

show int ip br indicates the management 1/1 is in down/down state.

powerpower version 5.4.1

powersight version 6.0.0

> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 1 172.16.222.24:50346 172.16.22.25:8305 SYN_SENT       < form firesight

udp 0 0 172.16.222.24:49151 172.16.22.32:53 ESTABLISHED     <with DNS server

I will post configs and other show outputs necessary.

Can somebody help me please?

show interface in the firepower module

System> show interfaces
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : EC:BD:1D:5F:A8:38
IPv4 Address : 172.16.22.24

ASA# sh int ip br
Management1/1 unassigned YES unset down down

4 Replies 4

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

You would definitely need to get the Management interface on ASA up and running because all the packets from SFR .

Check this : http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Are yo able to ping the Firesight manager from SFR  and vice a versa ?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thanks, Plugged a cable to the Management 0/0 and everythign started to work. I wrongly thought M0/0 is software only as my power power is a software module. 

Marvin Rhoads
Hall of Fame
Hall of Fame

I agree with Aastha's recommendations.

Also check the sfr module status from the ASA:

show module sfr details

Here's what a healthy module should look like:

ciscoasa# show module sfr details 
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
Serial Number: JAD192903QT
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: 5897.bd27.8360 to 5897.bd27.8360
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 192.168.107.220
Mgmt IP addr: 10.0.128.21
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.0.128.1
Mgmt web ports: 443
Mgmt TLS enabled: true
ciscoasa#
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 10.0.129.1 YES CONFIG up up
GigabitEthernet1/2 10.0.131.1 YES CONFIG up up
GigabitEthernet1/3 10.0.130.1 YES CONFIG up up
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up up
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset up up
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

labsfr login: admin
Password:
Last login: Thu Dec 3 02:24:36 UTC 2015 on ttyS1
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)
> show netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.2.1:7000 127.0.1.1:1385 ESTABLISHED
tcp 0 0 10.0.128.21:57169 192.168.107.220:8305 ESTABLISHED
tcp 0 0 10.0.128.21:8305 192.168.107.220:55172 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path

<snip>

>
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : Lab_ASA_Outside
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type ASA
Security Zone : Lab_ASA_Inside
Status : Enabled
Load Balancing Mode : N/A
----------------------[ dmz ]-----------------------
Physical Interface : GigabitEthernet1/3
Type : ASA
Security Zone Lab_ASA_DMZ
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 58:97:BD:27:83:60
IPv4 Address : 10.0.128.21
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]---------------------
----------------------------------------------------
> exit

labsfr login:
Escape Sequence detected
Console session with module sfr terminated.
ciscoasa#

All those 'back ground' checkings are really useful. This level of focus definetly lead to solution doent matter how complex it is. really appriciated.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: