FTD Registration Problem

ammann9113
Level 1

Hello everyone

I'm currently encountering a problem which really bugs me...

I have a 5506-X running with the FTD image (6.2) and everything (as far as I can tell) looks well. Except for one thing: the Smart License registration. I always get an error message telling me I need to check my internet connectivity (for the management interface). I am able to access the internet through the ASA, I can ping Google from the ASA CLI, updates are being downloaded and installed every other day...

I've tried "Use the Data Interfaces as the Gateway" and a unique gateway for the management interface, all with the same result..

I need help.. :-) I don't even know where to find logs...

Thanks!

Here's the full error msg:

The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.

19 Replies

Marvin Rhoads
Hall of Fame

Does the 5506-X MANAGEMENT interface have internet access? Simply reaching the Internet from the ASA isn't enough as that will normally use the outside interface.

Well, the mgmt interface isn't cabled, if you mean that. As far as I understood, this is not necessary?

I've tried both options: routing the mgmt interface through the inside interface (I don't remember the actual wording on this one; it's the option where I don't have to configure anything else), and I've tried pointing it to the next hop directly, both with the same result - no connectivity.

When I entered the gateway for the mgmt interface manually, I pointed it to the "outside next hop"; maybe I should try to point it to the inside interface of the ASA itself?

Get your management interface into the same VLAN as your inside interface. Assign an ip address to it and set the gateway for your management interface to your inside interface.

This should do the trick.

Just did that.. and no trick done.. :-(

Management interface is now on the same VLAN as the inside interface. LAN connectivity is present. I've tried with "use data interface as gateway" and entering the gateway (IP of inside interface) manually. Always the same result; not able to contact the Smart Licensing server...

If you can, please share the output of "show network" from the FTD CLI shell.

Is the DNS server that you have setup on the management interface reachable? 

DNS server is reachable and seems to be working correctly... Here you go:

> show network
===============[ System Information ]===============
Hostname : <cut>
DNS Servers : 195.186.4.162
195.186.1.162
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.1

======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:6B:F1:78:B7:03
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.254
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

That all seems OK.

Have you included the 192.168.1.0/24 subnet in your NAT rules?

Did you mean 192.168.100.0/24?

I've noticed that I only had the inside interface in my NAT rule. I changed that to "any" interface (with the 192.168.100.0/24 network), but nothing changed...

Yes - sorry I did mean 192.168.100.0/24.

It seems everything is in order.

Is it possible to open a TAC case or is this a lab / NFR device without support?

Yes, it is a lab device... Is there any more detailed log I can look at? Since the "expert" mode on the CLI looks very Linux-ish, I thought there has to be some log file hidden somewhere?

Well, since it is just a lab device and the config is done in like 15 minutes, I guess I'll save some time to factory reset the whole thing the next few days...

Given that it's 6.2, you should be able to use packet-tracer on it.

The syntax is pretty much the same as on the classic ASA code:

http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/dr.html#wp1842444451

Thanks, I totally forgot about packet-tracer being back... :-)

And of course, packet-tracer is telling me, there is no route:

> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

A trace from the inside interface finds its way to the internet...

I've added a screenshot of the mgmt interface config, but of course there is not much to it... I've also tried it with a manual gateway (IP of the inside interface), but this gives me the same packet-tracer output.

I would expect the input interface to be "inside" unless you have named it something different.

Well, the mgmt interface's logical name is diagnostic? I can run packet-tracer from the inside interface (same if I just enter "inside" rather than the sub-interface):

> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 509, packet dispatched to next module

Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

>
>
> packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53

packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
^
ERROR: % Invalid input detected at '^' marker.
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

>
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53

Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 669, packet dispatched to next module

Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
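As an added example (not part of the thread or of any Cisco tool), a small Python parser that pulls the route, NAT, verdict and drop-reason lines out of packet-tracer output and separates the two outcomes seen above: the no-route drop when the trace enters on diagnostic, versus the inspection drop on inside_vlan_900 that happens only after ROUTE-LOOKUP and NAT already succeeded. The sample inputs are constructed from the decisive lines of the two traces quoted in the thread.

```python
import re

# Constructed samples: the decisive lines of the two packet-tracer runs quoted above.
TRACE_DIAGNOSTIC = """Result:
input-interface: diagnostic
Action: drop
Drop-reason: (no-route) No route to host"""
TRACE_INSIDE = """found next-hop 83.173.235.245 using egress ifc outside
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312
Result:
input-interface: inside_vlan_900
output-interface: outside
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet"""

# One regex per line packet-tracer prints at a decision point.
PATTERNS = {
    "input_interface": r"input-interface: (\S+)",
    "output_interface": r"output-interface: (\S+)",
    "route": r"found next-hop (\S+) using egress ifc (\S+)",
    "nat": r"Dynamic translate (\S+) to (\S+)",
    "action": r"Action: (\S+)",
    "drop": r"Drop-reason: \((\S+)\) (.*)",
}

def parse_packet_tracer(text):
    """Pull route, NAT, verdict and drop reason out of one packet-tracer run."""
    info = {key: None for key in PATTERNS}
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line.strip())
            if m:
                info[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return info

def diagnose(info):
    """Classify the verdict the way the thread works through it."""
    if info["action"] != "drop":
        return "verdict: %s" % info["action"]
    code = info["drop"][0] if info["drop"] else "unknown"
    if code == "no-route":
        # The packet never got past the routing lookup: the gateway/route for
        # the interface the trace was injected on is missing or wrong.
        return "routing: no route out of %s" % info["input_interface"]
    if code.startswith("inspect-") and info["route"]:
        # Route and NAT already succeeded, so the path exists and the drop
        # comes from application inspection rather than from connectivity.
        next_hop, egress = info["route"]
        return "inspection (%s): path OK via %s on %s" % (code, next_hop, egress)
    return "dropped: %s" % code
```

Feed it the full output of a packet-tracer run; the extra Phase/Config lines are simply ignored.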
