08-08-2017 08:20 AM - edited 03-12-2019 02:47 AM
I'm having trouble adding FTD to FMC. Originally I was managing FTD locally with FDM, but lack of features got me moving to FMC.
I SSH'd to the FTD and issued the command configure manager add <FMC IP> <Reg Key>, and now it says 'pending'.
I went on to FMC and added my FTD device with IP address and same reg key but it times out with error message "could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection".
I know the reg keys are the same, there is no block in the firewall (they can ping each other), and the versions are compatible: FMC 6.2.0, FTD 6.2.0.
I'm using one of the inside interfaces on the FTD to register, and the management port is empty at the moment. There is no NAT device in between, so I'm not sure what I'm doing wrong. Does anyone have any idea what might be the cause?
Thanks in advance!
08-08-2017 08:26 AM
You must configure and use the management interface on your FTD sensor to register to the FMC.
08-08-2017 08:40 AM
Thanks for the quick reply Marvin. So I guess that was the reason.
To assign an IP on the management port, should I just do it through FDM on the Management1/1 (diagnostic) interface? I saw somewhere in the guide that it says not to configure the diagnostic interface.
08-08-2017 09:18 AM
You're welcome.
Physically it's the management interface. Logically it's the one known as "br1" in the FTD CLI shell (clish).
A very detailed explanation can be found here:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200868-Configuring-Firepower-Threat-Defense-FT.html
08-09-2017 04:41 PM
I'm still not sure what I should do in my scenario. I have 2 interfaces facing towards the FMC server.
One is a p2p interface which forwards all traffic to the other 'site', and the other is the br1 (management) interface that I just added in the same subnet (diagram attached).
For br1 to communicate with the FMC in the other subnet, should I create a static route from the br1 interface to the FMC server? (e.g., configure network static-routes ipv4 add br1 10.5.225.75 255.255.255.255 192.168.100.1)
08-10-2017 11:45 AM
Never mind. I called TAC and figured it out.
Basically, the br1 interface didn't have a static route to the FMC.
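The fix above (an off-link FMC needs a host route on br1) is the kind of thing worth checking before opening the FMC registration dialog. The script below is an added example, not code from this thread or from Cisco: given the management (br1) address in CIDR form, the FMC address and optionally a gateway, it decides whether the FMC is on-link, rejects a gateway that is not on the management subnet, and emits the FTD CLI commands in the order they have to be run. The management IP 192.168.100.10/24 is a constructed value; the FMC address 10.5.225.75 and gateway 192.168.100.1 are the ones from this thread. The configure network ipv4 manual command is the documented FTD CLI form for setting the management address; check it against your release's command reference, since only the static-route and configure manager add forms appear in this thread.

```python
import ipaddress
from typing import Dict, List, Optional

# TCP port used by sftunnel for FMC <-> FTD management traffic. Registration
# will sit in 'pending' if this port is blocked in either direction.
FMC_REGISTRATION_PORT = 8305


def management_route_plan(mgmt_cidr: str, fmc_ip: str,
                          gateway: Optional[str] = None) -> Dict[str, object]:
    """Decide whether br1 can reach the FMC directly or needs a host route.

    mgmt_cidr: management (br1) address with prefix, e.g. "192.168.100.10/24"
    fmc_ip:    FMC address
    gateway:   next hop on the management subnet, required if FMC is off-link
    """
    mgmt = ipaddress.ip_interface(mgmt_cidr)
    fmc = ipaddress.ip_address(fmc_ip)

    if fmc in mgmt.network:
        # Same subnet as br1: ARP resolves it, no route needed.
        return {"on_link": True, "command": None}

    if gateway is None:
        raise ValueError(
            f"FMC {fmc} is not in {mgmt.network}; a gateway on that subnet is required")

    gw = ipaddress.ip_address(gateway)
    if gw not in mgmt.network:
        # A next hop br1 cannot ARP for is the classic silent failure.
        raise ValueError(f"gateway {gw} is not on the management subnet {mgmt.network}")

    # Host route (/32) to the FMC via the management gateway, on br1 only.
    cmd = f"configure network static-routes ipv4 add br1 {fmc} 255.255.255.255 {gw}"
    return {"on_link": False, "command": cmd}


def registration_commands(mgmt_cidr: str, fmc_ip: str, reg_key: str,
                          gateway: Optional[str] = None) -> List[str]:
    """Return the FTD CLI commands, in order, to bring br1 up and register.

    The 'configure network ipv4 manual' form is assumed from the FTD command
    reference; verify it on your release before pasting.
    """
    mgmt = ipaddress.ip_interface(mgmt_cidr)
    plan = management_route_plan(mgmt_cidr, fmc_ip, gateway)

    cmds = []
    if gateway is not None:
        cmds.append(
            f"configure network ipv4 manual {mgmt.ip} {mgmt.network.netmask} {gateway}")
    if plan["command"] is not None:
        cmds.append(str(plan["command"]))
    # Run this last: the sensor only goes past 'pending' once br1 can reach
    # the FMC on TCP/8305 and the same key is entered on the FMC side.
    cmds.append(f"configure manager add {fmc_ip} {reg_key}")
    return cmds


if __name__ == "__main__":
    # Constructed sample matching the thread's topology: br1 on 192.168.100.0/24,
    # FMC on a different subnet, reached through 192.168.100.1.
    for line in registration_commands("192.168.100.10/24", "10.5.225.75",
                                      "MyRegKey", gateway="192.168.100.1"):
        print(line)
```

Run it once with the intended addresses; if it raises on the gateway check, fix the management subnet before touching the FMC side, because the FMC's "could not establish a connection with sensor" error does not distinguish a missing route from a wrong key.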
10-16-2024 08:48 PM
You can run the configure-network command from expert mode to configure the management IP address and gateway.
> expert
> sudo su
password:
#configure-network