About Marvin Rhoads

Marvin Rhoads · ‎02-04-2019

For Disaster Recovery of Firepower Management Center you need to either: a. Use hardware appliances that support HA, or b. Do a backup/restore scheme outside the context of Firepower itself. If the subnet does not exist in the remote location, you won't be able to easily restore as device registration etc. will be broken. c. Manage the DR site appliances with an FMC at the DR site. (Of course this would not address any appliances at other sites.) Note that most features continue to work fine in the absence of the FMC.

Marvin Rhoads · ‎02-03-2019

As of release 6.3, FDM now supports high availability devices. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html#concept_D3A005FB2B0E45BBBDF5392C4D1DD138

Marvin Rhoads · ‎02-03-2019

Note that version 6.3 added the capability to backup managed FTD devices from FMC.

Marvin Rhoads · ‎02-01-2019

For a single named user, Oracle's current published cost is $2.50 per month. https://www.oracle.com/technetwork/java/javaseproducts/overview/javasesubscriptionfaq-4891443.html If strict compliance is a requirement in your environment, that would seem a relatively small price to pay. It would also be surprising if Cisco ASDM was the only application for which Java is required in your entire enterprise.

Marvin Rhoads · ‎02-01-2019

Can you share what you have so far as a running-config on the new device? Then show us what error you receive when trying to configure your nat statements.

Marvin Rhoads · ‎01-31-2019

Good to know @pcarco - thanks for jumping in on this one.

Marvin Rhoads · ‎01-31-2019

Ping uses the icmp protocol which is not inspected by default on Cisco ASA. If you add icmp inspection on your default class map it should work.

Marvin Rhoads · ‎01-30-2019

I asked Andrew Ossipov directly at Cisco Live Barcelona today. He told me that on an ASA 5585-X (non-Firepower), the single flow throughput limit is 3-4 Gbps (TCP) or 6-8 Gbps (UDP).

Marvin Rhoads · ‎01-28-2019

Only the base VPN module is currently supported for installation and associated profile push via FTD remote access VPN. This is true even with the current latest release 6.3: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Marvin Rhoads · ‎01-28-2019

When an ASA 5500-X (except 5585-X) has a Firepower module it dynamically allocates half the physical memory at boot time to the service module. So you have 4 GB for ASA code and 4 GB for the Firepower service module in your case. The memory is not upgradable.

Marvin Rhoads · ‎01-28-2019

Are you using the Firepower module? If so, the limiting factor will be that a given flow (5-tuple) is tied to a single Snort process. A Snort process is limited to something like 500 Mbps per instance. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html#anc6

Marvin Rhoads · ‎01-27-2019

@Salman.Baig , Both @Marius Gunnerud and @balaji.bandi mentioned your ESXi configuration as a very likely cause of the issue but you have ignored their request to show that bit. Please check the vSwitch and share screenshots of its configuration. Be sure to verify that promiscuous mode is enabled for the vSwitch interfaces assigned to the FTDv appliance. Also note that when you ping from FTDv it will by default try to use the dataplane interface according to the routing table. to verify management plane connectivity use the "ping system" command. Also, your "show interface ip brief" will show the LINA (ASA code) section of the running configuration, not the interface that is assigned to the FTDv management interface.

Marvin Rhoads · ‎01-25-2019

It works fine here - although the rendering can be really hard to see for some of the controls. As @bhum11 noted, it's more a a Java thing than an ASDM issue per se.

Marvin Rhoads · ‎01-23-2019

Is the existing "Lan-to-Lan" a VPN connection? If so, and it's using IKEv1 IPsec , all you need is to define both the primary (x.x.x.x) backup peer (y.y.y.y) - e.g.: "set peer x.x.x.x y.y.y.y" to fall back to the second peer. If your needs aren't met by that, there is a more complex method described here: https://learningnetwork.cisco.com/blogs/vip-perspectives/2018/07/27/cisco-asa-site-to-site-vpn-failover

Marvin Rhoads · ‎01-22-2019

Also, you "ping system <IP>" vs. "ping <IP>" when initiating traffic from the FTD mgmt interface. Otherwise it will try to use the data interface (which one is according to the appliance's routing table).

Marvin Rhoads

The only way to avoid separate connection profiles and associated group policies would be to have so...

Marvin Rhoads

Your defined gateway is the ASA inside address. The laptop address is on the same subnet. Just point...

Marvin Rhoads

The Firepower appliances running FTD there is no Active/Active HA per se since that was a construct ...

Marvin Rhoads

ASDM should be reachable from any of the subnets specified in the "http x.x.x.x" commands. You remov...

Marvin Rhoads

Actually, if there's a published security advisory you may be eligible to get the patched software f...

Marvin Rhoads

Can the Ubuntu computer reach the module's IP address? Don't just use icmp (ping) to check but see i...

Marvin Rhoads

As I noted, "For all other models you can boot 6.3.0 img and install 6.3.0 pkg files." You can find ...

Marvin Rhoads

Yeah it's too bad your vendor wasn't able to give you better advice. Maybe it's time to consider usi...

Marvin Rhoads

If your asasfr module is on ASA 5506-x or ASA 5512-X, you cannot run anything past 6.2.x. So you wou...

Marvin Rhoads

The ASA 5506 is not yet discontinued. Only new Firepower Threat Defense and Firepower service module...

Marvin Rhoads

Sorry but locally managed FTD (with Firepower Device Manager) does not support proxy configuration a...

Marvin Rhoads

As of today, your ASA with FTD (or your FMC if you are using FMC management) must have either: a. di...

Marvin Rhoads

You're welcome. Please mark the reply as helpful if it helped.

Marvin Rhoads

It's still not supported as of the current FMC/FTD release 6.3 No mention of it was made during the ...

Marvin Rhoads

Your screenshot show you have synced with the external ntp server. FMC retains 127.127.1.1 (local cl...

Date Registered	‎06-28-2001 03:55 PM
Date Last Visited	‎02-14-2019 11:15 PM
Total Messages Posted	15,323
Total Helpful Votes Received	13829

Re: vMotion would be an option if

Re: ASA FTD 6.3 Management

Re: Backing up config, FTD and vFMC.

Re: Java SE subscription require for AS...

Re: migrating 5505 to 5506-X

Re: AnyConnect 4.7.00136 creates local ...

Re: cannot see the message in logging o...

Re: Cisco ASA/Firepower throughput per ...

Re: cisco FTD and SBL start before logo...

Re: Cisco ASA 5525-x memory

Re: Cisco ASA/Firepower throughput per ...

Re: FTD Firepower not working

Re: ASDM not able to run in 4k resoluti...

Re: Site-to-Site VPN as secondary route

Re: FTDv 6.3 Management Address Inconsi...

Re: FTD Remote Access VPN: Is it possible to apply split tunnel acl based on request ip?

Re: Cisco ASA 5510 and ASDM.

Re: Firepower 2100 HA differences Active/Active vs Active/Passive

Re: Cisco ASA 5510 and ASDM.

Re: Really basic question - Firmware for ASA5506 w/o contract

Re: Cannot load FirePOWER module on ASDM

Re: Fire power management center compatibility SFR module

Re: ASA 5506-X: "Module Firepower is not supported on this platform”

Re: Fire power management center compatibility SFR module

Re: ASA 5506-X: "Module Firepower is not supported on this platform”

Re: Cisco asa 5516 Firepower -unregistered

Re: Cisco asa 5516 Firepower -unregistered

Re: FMC : Managed Device Backup list empty !

Re: Cisco Umbrella Roaming Client & Anyconnect Integration via FMC/FTD

Re: Remove FMC NTP 127.127.1.1