03-29-2017 06:14 AM - edited 03-12-2019 02:08 AM
Hello everyone
I'm currently encountering a problem which really bugs me...
I have a 5506-X running with the FTD image (6.2) and everything (as far as I can tell) looks well. Except for one thing; the Smart License registration. I always get an error message telling me I need to check my internet connectivity (for the management interface). I am able to access the internet through the ASA, I can ping Google from the ASA CLI, updates are being downloaded and installed every other day...
I've tried "Use the Data Interfaces as the Gateway" and a unique gateway for the management interface, all with the same result...
I need help.. :-) I don't even know where to find logs...
Thanks!
Here's the full error msg:
The device was unable to connect to the Smart Licensing server. This might indicate a gateway problem for the management interface. Please select Evaluation Mode for now. Then, after completing setup, go to Device > System Settings > Management Interface and verify the management address and gateway configuration. There must be a path from the management IP address to the Internet to complete Smart License registration. You can then go to Device > Smart License and try registering again.
03-29-2017 08:19 AM
Does the 5506-X MANAGEMENT interface have internet access? Simply reaching the Internet from the ASA isn't enough as that will normally use the outside interface.
03-29-2017 10:35 AM
Well, the mgmt interface isn't cabled, if you mean that. As far as I understood this is not necessary?
I've tried both options, routing the mgmt interface through the inside interface (I don't remember the actual wording on this one, it's the option where I don't have to configure anything else) and I've tried pointing it to the next hop directly, both with the same result - no connectivity.
When I entered the gateway for the mgmt interface manually, I pointed it to the "outside next hop"; maybe I should try to point it to the inside interface of the ASA itself?
03-29-2017 01:45 PM
Get your management interface into the same VLAN as your inside interface. Assign an ip address to it and set the gateway for your management interface to your inside interface.
This should do the trick.
03-29-2017 11:47 PM
Just did that.. and no trick done.. :-(
Management interface is now on the same VLAN as the inside interface. LAN connectivity is present. I've tried with "use data interface as gateway" and entering the gateway (IP of inside interface) manually. Always the same result; not able to contact the Smart Licensing server...
03-30-2017 12:16 AM
If you can, please share the output of "show network" from the FTD cli shell.
Is the DNS server that you have setup on the management interface reachable?
03-30-2017 12:40 AM
DNS server is reachable and seems to be working correctly... Here you go:
> show network
===============[ System Information ]===============
Hostname : <cut>
DNS Servers : 195.186.4.162
195.186.1.162
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.1
======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:6B:F1:78:B7:03
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.254
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
03-30-2017 01:01 AM
That all seems OK.
Have you included the 192.168.1.0/24 subnet in your NAT rules?
03-30-2017 01:14 AM
Did you mean 192.168.100.0/24?
I've noticed that I only had the inside interface in my NAT rule. I changed that to "any" interface (with the 192.168.100.0/24 network), but nothing changed...
03-30-2017 01:24 AM
Yes - sorry, I did mean 192.168.100.0/24.
It seems everything is in order.
Is it possible to open a TAC case or is this a lab / NFR device without support?
03-30-2017 01:41 AM
Yes, it is a lab device... Is there any more detailed log I can look at? Since the "expert" mode on the CLI looks very Linux-ish, I thought there had to be some log file hidden somewhere?
Well, since it is just a lab device and the config is done in like 15 minutes, I guess I'll save some time to factory reset the whole thing in the next few days...
03-30-2017 01:44 AM
Given that it's 6.2, you should be able to use packet-tracer on it.
The syntax is pretty much the same as on the classic ASA code:
http://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/dr.html#wp1842444451
03-30-2017 02:00 AM
Thanks, I totally forgot about packet-tracer being back.. :-)
And of course, packet-tracer is telling me there is no route:
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53
Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
A trace from the inside interface finds its way to the internet...
I've added a screenshot of the mgmt interface config but of course, there is not much to it... I've also tried it with a manual gateway (IP of the inside interface) but this gives me the same packet-tracer output
03-30-2017 02:05 AM
I would expect the input interface to be "inside" unless you have named it something different.
03-30-2017 02:17 AM
Well, the mgmt interface's logical name is diagnostic? I can run packet-tracer from the inside interface (same if I just enter "inside" rather than the sub interface):
> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 509, packet dispatched to next module
Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
>
>
> packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
^
ERROR: % Invalid input detected at '^' marker.
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53
Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
>
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53
Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside_vlan_900 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 669, packet dispatched to next module
Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
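As an added example (not from this thread, Cisco, or the FTD software), the Python script below parses a packet-tracer CLI transcript like the one above into one record per run and summarises, for each run, whether the route lookup succeeded, which egress interface and next hop were chosen, and the final action with its drop code. The sample is an abridged version of the session in this post (phases not used by the checks are trimmed); the parser assumes the line layout shown there.

```python
import re

# Constructed sample: abridged from the packet-tracer session pasted in this thread.
SAMPLE_TRACE = """\
> packet-tracer input diagnostic udp 192.168.100.254 12312 8.8.8.8 53
Result:
input-interface: diagnostic
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
>
> packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
packet-tracer input management udp 192.168.100.254 12312 8.8.8.8 53
                    ^
ERROR: % Invalid input detected at '^' marker.
> packet-tracer input inside_vlan_900 udp 192.168.100.254 12312 8.8.8.8 53
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 83.173.235.245 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic obj_net_192.168.100.0 interface
Additional Information:
Dynamic translate 192.168.100.254/12312 to 83.173.235.246/12312
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
inspect dns preset_dns_map
Additional Information:
Result:
input-interface: inside_vlan_900
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
"""

CMD_RE = re.compile(r"^>\s*packet-tracer\s+input\s+(\S+)\s+(.+)$")
NEXT_HOP_RE = re.compile(r"found next-hop (\S+) using egress ifc (\S+)")
DROP_CODE_RE = re.compile(r"\((\S+)\)")   # "(no-route) No route to host" -> no-route


def parse_packet_tracer(text):
    """Split a CLI transcript into one dict per packet-tracer run."""
    runs = []
    run = phase = None
    in_verdict = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:  # a new run starts at the echoed command
            run = {"input_interface": m.group(1), "args": m.group(2), "phases": [],
                   "error": None, "next_hop": None, "egress": None,
                   "output_interface": None, "action": None, "drop_code": None}
            runs.append(run)
            phase, in_verdict = None, False
            continue
        if run is None or not line or line == ">":
            continue
        if line.startswith("ERROR:"):            # CLI rejected the command (bad interface name)
            run["error"] = line
            continue
        if line.startswith("Phase:"):
            phase = {"type": None, "subtype": "", "result": None}
            run["phases"].append(phase)
            continue
        if line == "Result:":                    # final verdict block; phases read "Result: ALLOW"
            in_verdict, phase = True, None
            continue
        m = NEXT_HOP_RE.search(line)
        if m:
            run["next_hop"], run["egress"] = m.group(1), m.group(2)
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if in_verdict:
            if key == "output-interface":
                run["output_interface"] = value
            elif key == "Action":
                run["action"] = value
            elif key == "Drop-reason":
                code = DROP_CODE_RE.search(value)
                run["drop_code"] = code.group(1) if code else value
        elif phase is not None and key in ("Type", "Subtype", "Result"):
            phase[key.lower()] = value
    return runs


def route_resolved(run):
    """True when the route lookup produced an egress interface for the probe."""
    return run["egress"] is not None


def summarize(runs):
    """One human-readable line per run, leading with the route verdict."""
    out = []
    for r in runs:
        if r["error"]:
            out.append(f"{r['input_interface']}: rejected by the CLI ({r['error']})")
        elif not route_resolved(r):
            out.append(f"{r['input_interface']}: no route, dropped [{r['drop_code']}]")
        else:
            out.append(f"{r['input_interface']} -> {r['egress']} via {r['next_hop']}: "
                       f"{r['action']} [{r['drop_code']}] after {len(r['phases'])} phases")
    return out


if __name__ == "__main__":
    for line in summarize(parse_packet_tracer(SAMPLE_TRACE)):
        print(line)
```

Reading the summary rather than the raw dump makes the two different failures in this post easy to tell apart: the probe entering on diagnostic never reaches a phase because the route lookup itself fails, while the probe entering on inside_vlan_900 resolves a next hop and egress interface and is only dropped at the very end by DNS inspection. A synthetic UDP/53 probe carries no DNS payload, so an inspect-dns-invalid-pak drop after a successful ROUTE-LOOKUP and NAT phase is commonly just an artifact of the probe, not evidence of a routing or NAT problem; for a pure path check, judge the run by its ROUTE-LOOKUP phase.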