Solved: FMC communication ports & deployment error.

adamgibs7 · ‎06-20-2018

Dears,

Please find the attached,

In the communication ports list what is the host input client refers as a bidirectional traffic to FMC, actually what is host input client ??? and what does bidirectional means ??? what I understand by bidirectional is traffic initiated by host to the FMC on port 8307 and the return traffic should come back from FMC Please correct me if I m wrong ????

OR IT MEANS

Bidirectional means that both the host input client and FMC can initiate a traffic on destination port 8307.

Also I would like to know the inbound is referred as destined traffic to FMC and outbound is referred as destined traffic to the remote host ( ldap, radius server etc etc ), Please correct me if I m wrong.

Also please find the attached error when I deploy the configuration to the Firepower.

Thanks

yogdhanu · ‎06-23-2018

Hi

Its possible that 1 of the SFR does not have correct interface zone mapping. Please be aware that FMC treats both sfr as individual device. So the interface zone mapping has to be done manually on both.

Once that's done, than you should not get error.

Not sure about identity policy question.

Thanks

Yogesh

View solution in original post

yogdhanu · ‎06-20-2018

Hi

The communication between FMC and its managed sensor is on TCP port 8305 and not on 8307.

Its should be open bidirectional which means sensor/FTD can initiate connection on 8305 to FMC and vice versa.

8307 is not needed for policy deployment. You can get more details from this link about host input client.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/host_identity_sources.html?bookSearch=true#ID-2219-000004f9

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/api/host-input/HostInputAPIGuide/Configuring-HostInputClient.html

The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific rule will not match because the interface does not exist on that device.

You can still proceed with deployment though.

Rate it helps,

Yogesh

adamgibs7 · ‎06-22-2018

Dear Yogdhanu,

The other alert/warning means that you have included in your rules zones which match interfaces to different device other than the one on which you are deploying so that specific  rule will not match because  the interface does not exist on that device.

so what I understand is the secondary SFR device which is shown in the screenshot have those interfaces and the primary sfr doesn't have, this is what the deployment error is mentioning ???

My firewall 5525-X is in failover mode and working perfect for failover, so this means that all the interfaces are sync and also the sensor are in device group, so whenever the deployment happens it applies to both, but still I get the error why???

Is it some think that identity policy is not created properly ?? Please find the attached identity policy

Thanks

yogdhanu · ‎06-23-2018

Hi

Its possible that 1 of the SFR does not have correct interface zone mapping. Please be aware that FMC treats both sfr as individual device. So the interface zone mapping has to be done manually on both.

Once that's done, than you should not get error.

Not sure about identity policy question.

Thanks

Yogesh

adamgibs7 · ‎06-24-2018

thanks for the hints and suggestions

mssgrocsupport · ‎09-24-2018

Hi Just wanted to trigger this thread with a doubt.Using here an ASA w/ FP services

We are unable to deploy policy on the sensor getting error message -

Deployment failed due to configuration error. If problem persists after retrying contact Cisco TAC.

I am getting this is due to devices being in disabled state under device management, if yes how to enable them.

Also have an alarm under health for missing appliance heartbeats.

Do provide your insights. Thanks.