06-11-2020 01:35 AM
Hello Fellow Networks,
I am encountering problems with TCP:443 extraction of a vFTD v6.6.0 capture generated whilst in diagnostic-cli privileged EXEC mode. vFTD http services have been stated allowing access from the appropriate subnet:
ngfw1# sho running-config http
http server enable
http 198.18.0.0 255.254.0.0 in10
The access control policy also hosts a trust rule from my browser’s IP address that is accruing hits; however, the browser responds with an HTTP-404. Wiresharking the browser session shows that interface in10 responds to every inbound SYN with a RST ACK frame! Is this an undocumented feature, or have I missed a default platform constraint or access control policy advanced switch?
Methodology taken from latest Cisco Firepower Threat Defense Command Reference page 27. The browser URL is: https://198.19.10.1/admin/capture/<capture name>
Help and advice would be very gratefully received.
Thank you in anticipation
06-11-2020 07:15 AM
It appears you have it setup correctly.
Have you tried browsing the parent directory in the URL to see if you even get an empty listing?
06-11-2020 08:46 AM
06-11-2020 11:30 PM
I'd suggest opening a TAC case. It appears you're doing everything correctly.
06-12-2020 12:08 AM
You can check this document on how to take captures from lina (ASA):
A debug might give more insight:
debug http 255
You might want to use the following to extract captures.
firepower# copy /pcap capture:CAPI ftp://ftp_username:ftp_password@192.168.78.73/CAPI.pcap
HTH,
Chakshu
Please rate helpful posts.
06-12-2020 07:45 AM
Chakshu's URL indicates that Post-FMC v6.2 includes a new capture wizard; however, there is no mention of deprecating TCP:443 extraction of captures. Agreed, the alternative workarounds to a remote repository work OK, but my customer needs ad hoc browser access from specific locations. The following FTD CLI output is distinctly lacking in http content:
ngfw1# sh run http
http server enable
http 198.18.0.0 255.254.0.0 in10
ngfw1# sh logging
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 4 messages logged
Trap logging: disabled
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
FMC logging: list MANAGER_VPN_EVENT_LIST, 0 messages logged
%FTD-5-111008: User 'enable_1' executed the 'write memory' command.
%FTD-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'write memory'
%FTD-5-111008: User 'enable_15' executed the 'debug icmp trace' command.
%FTD-5-111008: User 'enable_15' executed the 'debug icmp trace' command.
ngfw1# sh debug
debug http enabled at level 255
debug http enabled at level 255 (persistent)
debug icmp trace enabled at level 1
debug icmp trace enabled at level 1 (persistent)
Debug fxos_parser off
Conditional debug filters:
Conditional debug features:
ngfw1# ICMP echo request from 198.19.10.50 to 198.19.10.1 ID=1 seq=22307 len=32
ICMP echo reply from 198.19.10.1 to 198.19.10.50 ID=1 seq=22307 len=32
ngfw1# ! ICMP from host with Firefox browser targetting
ngfw1# ! https://198.19.10.1/admin/capture/icmpcap
ngfw1#
ngfw1# ! Browser reports "Connection Timed out"; but no http logs!
Looks as though a TAC case beckons!