
How to generate FXOS troubleshoot file on 2100/4100/9300-series Firepower NGFW appliances

Introduction

This document describes how to generate an FXOS troubleshoot file for 2100/4100/9300-series devices.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Firepower 9300 Security Appliance running FXOS 2.3(1.58) and FTD 6.2.2
  • Cisco Firepower 2100 Security Appliance running FTD 6.2.2
  • SCP, SFTP, FTP, or TFTP server reachable from the management interface of the 2100 or 4100/9300 chassis
  • There will be one tech-support file for 2100
  • There will be three to five tech-support files for 4100/9300 (fprm, chassis, module 1, module 2, module 3)

 

FXOS troubleshoot file for 2100-series devices:

SSH to the 2100 device's management interface, and follow the steps below to generate an FXOS troubleshoot file:

Cisco Fire Linux OS v6.2.2 (build 11)
Cisco Firepower 2110 Threat Defense v6.2.2 (build 81)

> connect fxos
fpr2110# connect local-mgmt
fpr2110(local-mgmt)# show tech-support fprm detail
fpr2110(local-mgmt)# dir workspace:/techsupport/

Note: You will see the troubleshoot .tar.gz file just created in the above directory.

SCP the troubleshoot file from the 2100 to your PC/laptop which is running the SCP server software:

fpr2110(local-mgmt)# copy workspace:/techsupport/20180319163904_fpr2110.cisco.com_FPRM.tar.gz scp://cisco@X.X.X.X

 

FXOS troubleshoot file for 4100-series or 9300-series devices:

SSH to the 4100 or 9300 device's management interface, and follow the steps below to generate the FXOS troubleshoot files:

fpr9300# connect local-mgmt
fpr9300(local-mgmt)# show tech-support fprm detail
fpr9300(local-mgmt)# show tech-support chassis 1 detail
fpr9300(local-mgmt)# show tech-support module 1 detail
fpr9300(local-mgmt)# dir workspace:/techsupport/

Note: You will see the 3 troubleshoot .tar.gz files (fprm, chassis, module) just created in the above directory.

SCP the troubleshoot files from the 4100/9300 to your PC/laptop which is running the SCP server software:

fpr9300(local-mgmt)# copy workspace:/techsupport/20180319163904_fpr9300.cisco.com_FPRM.tar.gz scp://cisco@X.X.X.X
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319175334_fpr9300_BC1_all.tar scp://cisco@X.X.X.X
fpr9300(local-mgmt)# copy workspace:/techsupport/Firepower-Module1_03_19_2018_17_58_17.tar scp://cisco@X.X.X.X

 

Example:

Your PC/laptop (running SCP server software) is 192.168.1.50

Run the SCP server software as Administrator in Windows.

In the SCP server software, go to File >> Configure… >> Users and create a user with username: cisco and password: cisco:


Click Start to set it to ‘Running’:


SCP the troubleshoot file from the 4100/9300 to your PC/laptop which is running SCP server software:

fpr9300(local-mgmt)# copy workspace:/techsupport/20180319163904_fpr9300.cisco.com_FPRM.tar.gz scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
fpr9300(local-mgmt)# copy workspace:/techsupport/20180319175334_fpr9300_BC1_all.tar scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
fpr9300(local-mgmt)# copy workspace:/techsupport/Firepower-Module1_03_19_2018_17_58_17.tar scp://cisco@192.168.1.50
cisco@192.168.1.50's password: cisco
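
Before uploading, it is worth confirming on the PC that every expected bundle arrived and recording a hash of each. The script below is an added example, not Cisco code: its file-name patterns are inferred from the example names in this document (other FXOS releases may differ), and the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Patterns inferred from the example file names in this document (assumption:
# other FXOS releases may name bundles differently; BCn is taken as chassis n).
PATTERNS = {
    "fprm": re.compile(r"^\d{14}_.+_FPRM\.tar\.gz$"),
    "chassis": re.compile(r"^\d{14}_.+_BC(?P<id>\d+)_all\.tar$"),
    "module": re.compile(r"^Firepower-Module(?P<id>\d+)(_\d+){6}\.tar$"),
}

def classify(name):
    """Return (kind, id) for a bundle file name, or None if unrecognised."""
    for kind, pat in PATTERNS.items():
        m = pat.match(name)
        if m:
            return kind, int(m["id"]) if "id" in pat.groupindex else None
    return None

def check_bundle_set(names, platform, modules=(1,)):
    """Report which expected bundles are missing for a 2100 or 4100/9300."""
    found = {classify(n) for n in names} - {None}
    expected = {("fprm", None)}
    if platform in ("4100", "9300"):
        expected |= {("chassis", 1)} | {("module", m) for m in modules}
    return {
        "missing": sorted(expected - found, key=str),
        "unrecognised": sorted(n for n in names if classify(n) is None),
    }

def manifest(directory):
    """Map each recognised bundle in a directory to its kind, size and SHA-256."""
    out = {}
    for p in sorted(Path(directory).iterdir()):
        kind = classify(p.name)
        if kind and p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.name] = {"kind": kind, "size": p.stat().st_size,
                           "sha256": h.hexdigest()}
    return out

if __name__ == "__main__":
    # File names copied from the 9300 example in this document.
    received = ["20180319163904_fpr9300.cisco.com_FPRM.tar.gz",
                "20180319175334_fpr9300_BC1_all.tar"]
    print(check_bundle_set(received, "9300"))  # module 1 bundle is missing
```

A size of 0 in the manifest points to a failed transfer; repeat the `copy` for that file before uploading.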


Upload FXOS troubleshoot file(s) to your Cisco TAC case using:

https://cway.cisco.com/csc

 

Cisco TAC may ask for an ASA show tech-support file or FTD troubleshoot file to be uploaded to your case in addition to the FXOS troubleshoot file:

How to generate ASA show tech-support:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s13.html#pgfId-13...

 

How to generate FTD troubleshoot file:

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-Source...

 

Upload ASA show tech-support or FTD troubleshoot file to your Cisco TAC case using:

https://cway.cisco.com/csc

Troubleshoot

Ensure there is reachability from your 2100 or 4100/9300 to your PC/laptop running the SCP/SFTP/FTP/TFTP server software (SCP and SFTP use port 22, FTP uses port 21, and TFTP uses port 69):

fpr9300(local-mgmt)# ping 192.168.1.50
PING 192.168.1.50 (192.168.1.50) from X.X.X.X eth0: 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=117 time=39.5 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=117 time=37.5 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=117 time=37.3 ms

Check that your 2100 or 4100/9300 has the correct management IP address, subnet, and gateway:

fpr9300(local-mgmt)# show mgmt-port

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.50 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8179609 errors:0 dropped:0 overruns:0 frame:0
TX packets:1392314 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:818347475 (780.4 MiB) TX bytes:588519034 (561.2 MiB)

Make sure Windows Firewall is disabled on your PC/laptop so that incoming FTP (port 21), SFTP or SCP (port 22), or TFTP (port 69) connections are not blocked, and make sure traffic is not blocked between the PC and the 2100/4100/9300:

https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off

 

Initial setup of the FXOS chassis for management interface and other services (DNS, NTP, SSH, etc.) configuration can be found in the link below:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos231/web-guide/b_GUI_FXOS_ConfigGui...

Related Information

All versions of the FXOS Chassis Manager and CLI configuration guides can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/roadmap/fxos-roadmap.html#pgfId-121950

 

For all Configuration and Troubleshooting TechNotes that pertain to the Firepower technologies:

https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

 
