vFTD v6.6.0 Browser access to CLI capture

michael.taylor
Level 1

Hello Fellow Networks,

I am encountering problems with TCP:443 extraction of a vFTD v6.6.0 capture generated whilst in diagnostic-cli privileged EXEC mode. vFTD http services have been started, allowing access from the appropriate subnet:

ngfw1# sho running-config http
http server enable
http 198.18.0.0 255.254.0.0 in10

The access control policy also hosts a trust rule from my browser's IP address that is accruing hits; however, the browser responds with an HTTP 404. Wiresharking the browser session shows that interface in10 responds to every inbound SYN with a RST/ACK frame! Is this an undocumented feature, or have I missed a default platform constraint or access control policy advanced switch?

Methodology taken from the latest Cisco Firepower Threat Defense Command Reference, page 27. The browser URL is: https://198.19.10.1/admin/capture/<capture name>

Help and advice would be very gratefully received.

Thank you in anticipation

5 Replies

Marvin Rhoads
Hall of Fame

It appears you have it set up correctly.

Have you tried browsing the parent directory in the URL to see if you even get an empty listing?

Hello Marvin,

Thank you for getting involved.

Browsing parent folders attracts the same connection reset packet from interface in10!

I'd suggest opening a TAC case. It appears you're doing everything correctly.

Chakshu Piplani
Cisco Employee

You can check this document on how to take captures from lina (ASA):

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

A debug might give more insight:

debug http 255

You might want to use the following to extract captures.

firepower# copy /pcap capture:CAPI ftp://ftp_username:ftp_password@192.168.78.73/CAPI.pcap

HTH,

Chakshu

Please rate helpful posts.

Chakshu's URL indicates that post-FMC v6.2 includes a new capture wizard; however, there is no mention of deprecating TCP:443 extraction of captures. Agreed, alternative workarounds to a remote repository work OK; but my customer needs ad hoc browser access from specific locations. The following FTD CLI output is distinctly lacking in http content:

ngfw1# sh run http
http server enable
http 198.18.0.0 255.254.0.0 in10
ngfw1# sh logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 4 messages logged
Trap logging: disabled
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
FMC logging: list MANAGER_VPN_EVENT_LIST, 0 messages logged
%FTD-5-111008: User 'enable_1' executed the 'write memory' command.
%FTD-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'write memory'
%FTD-5-111008: User 'enable_15' executed the 'debug icmp trace' command.
%FTD-5-111008: User 'enable_15' executed the 'debug icmp trace' command.
ngfw1# sh debug
debug http enabled at level 255
debug http enabled at level 255 (persistent)
debug icmp trace enabled at level 1
debug icmp trace enabled at level 1 (persistent)
Debug fxos_parser off

Conditional debug filters:

Conditional debug features:

ngfw1# ICMP echo request from 198.19.10.50 to 198.19.10.1 ID=1 seq=22307 len=32
ICMP echo reply from 198.19.10.1 to 198.19.10.50 ID=1 seq=22307 len=32

ngfw1# ! ICMP from host with Firefox browser targetting
ngfw1# ! https://198.19.10.1/admin/capture/icmpcap
ngfw1#
ngfw1# ! Browser reports "Connection Timed out"; but no http logs!

Looks as though a TAC case beckons!
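An added diagnostic, not code from the thread or from Cisco, that separates the three symptoms reported above (a RST/ACK to the SYN, a 404 from a listener that does answer, and a plain timeout) so the result can be matched against the `http` line and the interface the client actually reaches. It assumes Python 3 with the standard library only; the address 198.19.10.1 and the capture name icmpcap are taken from the thread, and the `port` parameter is an assumption added for local testing.

```python
import socket
import ssl
import urllib.error
import urllib.request


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' = handshake done; 'refused' = RST/ACK to the SYN (the Wireshark
    symptom above); 'timeout' = silence (the browser's "Connection Timed out")."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:  # e.g. no route to host
        return f"error: {exc.strerror or exc}"


def fetch_capture(host: str, capture: str, port: int = 443,
                  timeout: float = 5.0) -> tuple:
    """GET https://host:port/admin/capture/<capture>; return (status, reason).
    Status 0 means no HTTP answer at all (TCP or TLS failed). Certificate
    checks are off because the FTD presents a self-signed cert by default."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/admin/capture/{capture}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.reason
    except urllib.error.HTTPError as exc:  # server answered, e.g. the 404
        return exc.code, exc.reason
    except OSError as exc:  # URLError/timeout/refused: no HTTP session at all
        return 0, str(getattr(exc, "reason", exc))


def diagnose(host: str, capture: str, port: int = 443) -> str:
    """Separate 'no listener on the interface' from 'listener, but 404'."""
    state = probe_tcp(host, port)
    if state != "open":
        return f"tcp/{port} {state}: re-check the 'http <net> <mask> <if>' line"
    status, reason = fetch_capture(host, capture, port)
    return f"tcp/{port} open, HTTP {status} {reason}"


if __name__ == "__main__":
    # Values from the thread: device address 198.19.10.1, capture 'icmpcap'
    print(diagnose("198.19.10.1", "icmpcap"))
```

Run it from the same host as the browser: a "refused" verdict means the SYN never reached an http listener on that interface, whereas a 404 confirms the listener is there and the problem is the URL or the capture itself.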
