Introduction
This document describes how to generate an FXOS troubleshoot file for 2100/4100/9300-series devices
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Firepower 9300 Security Appliance running FXOS 2.3(1.58) and FTD 6.2.2
- Cisco Firepower 2100 Security Appliance running FTD 6.2.2
- SCP, SFTP, FTP, or TFTP server reachable from the management interface of the 2100 or 4100/9300 chassis
- There will be one tech-support file for 2100
- There will be three to five tech-support files for 4100/9300 (fprm, chassis, module 1, module 2, module 3)
FXOS troubleshoot file for 2100-series devices:
SSH to the 2100 device's management interface, and follow the steps below to generate an FXOS troubleshoot file:
Cisco Fire Linux OS v6.2.2 (build 11)
Cisco Firepower 2110 Threat Defense v6.2.2 (build 81)
> connect fxos
fpr2110#connect local-mgmt
fpr2110(local-mgmt)# show tech-support fprm detail
fpr2110(local-mgmt)# dir workspace:/techsupport/
Note: You will see the troubleshoot .tar.gz file just created in the above directory.
SCP the troubleshoot file from the 2100 to your PC/laptop which is running the SCP server software:
fpr2110 (local-mgmt)# copy workspace:/techsupport/20180319163904_fpr2110.cisco.com_FPRM.tar.gz scp://cisco@X.X.X.X
FXOS troubleshoot file for 4100-series or 9300-series devices:
SSH to the 4100 or 9300 device's management interface, and follow the steps below to generate the FXOS troubleshoot files:
fpr9300# connect local-mgmt
fpr9300(local-mgmt)# show tech-support fprm detail
fpr9300(local-mgmt)# show tech-support chassis 1 detail
fpr9300(local-mgmt)# show tech-support module 1 detail
fpr9300(local-mgmt)# dir workspace:/techsupport/
Note: You will see the 3 troubleshoot .tar.gz files (fprm, chassis, module) just created in the above directory.
SCP the troubleshoot files from the 4100/9300 to your PC/laptop which is running the SCP server software:
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319163904_fpr9300.cisco.com_FPRM.tar.gz scp://cisco@X.X.X.X
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319175334_fpr9300_BC1_all.tar scp://cisco@X.X.X.X
fpr9300(local-mgmt)# copy workspace:/techsupport/Firepower-Module1_03_19_2018_17_58_17.tar scp://cisco@X.X.X.X
Example:
Your PC/laptop (running SCP server software) is 192.168.1.50
Run SCP server software as Administrator in Windows
Under File >> Configure… >> Users >> create a user with username: cisco password: cisco in SCP server software:
Click Start to set it to ‘Running’:
SCP the troubleshoot file from the 4100/9300 to your PC/laptop which is running SCP server software:
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319163904_fpr9300.cisco.com_FPRM.tar.gz scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319175334_fpr9300_BC1_all.tar scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
fpr9300(local-mgmt)# copy workspace:/techsupport/Firepower-Module1_03_19_2018_17_58_17.tar scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
Upload FXOS troubleshoot file(s) to your Cisco TAC case using:
Cisco TAC may ask for an ASA show tech-support file or FTD troubleshoot file to be uploaded to your case in addition to the FXOS troubleshoot file:
How to generate ASA show tech-support:
How to generate FTD troubleshoot file:
Upload ASA show tech-support or FTD troubleshoot file to your Cisco TAC case using:
Troubleshoot
Ensure there is reachability from your 2100 or 4100/9300 to your PC/laptop running the SCP/FTP/SFTP/TFTP server software over ports 21 or 22, or 69 respectively:
fpr9300(local-mgmt)# ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50) from X.X.X.X eth0: 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=117 time=39.5 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=117 time=37.5 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=117 time=37.3 ms
Check that your 2100 or 4100/9300 has the correct management IP address, subnet, and gateway:
fpr9300(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.50 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8179609 errors:0 dropped:0 overruns:0 frame:0
TX packets:1392314 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:818347475 (780.4 MiB) TX bytes:588519034 (561.2 MiB)
Make sure Windows Firewall is disabled on your PC/laptop so incoming SFTP/FTP (port 21 + 22) or SCP (port 22) or TFTP (port 69) are not blocked and traffic is not blocked between the PC and the 2100/4100/9300:
https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off
Initial setup of the FXOS chassis for management interface and other services (DNS, NTP, SSH, etc.) configuration can be found in the link below:
Related Information
All versions of the FXOS Chassis Manager and CLI configuration guides can be found here
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/roadmap/fxos-roadmap.html#pgfId-121950
For all Configuration and Troubleshooting TechNotes that pertains to the Firepower technologies
https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html
