When the Cisco Firepower Management Center (FMC) is used to manage devices such as Firepower Threat Defense (FTD), a secure management channel (the sftunnel) must first be established between the FMC and the FTD. A registration key is defined on the FTD via the CLI, the device is then added within the FMC, specifying the same registration key that was entered on the CLI of the FTD. The key is only used to authenticate this initial registration; once secure connectivity between the two devices is established, the registration key is no longer used. This post describes the steps to set up connectivity between the FTD and FMC, how to verify that registration succeeded, and some basic troubleshooting steps.
Configuration
Step 1 – Define the Manager and Registration Key on the FTD
On the CLI of the FTD enter the command configure manager add <FMC IP ADDRESS> <REG KEY>. The registration key is a string you choose; it must be entered identically on the FMC in the next step. If NAT sits between the two devices, the command also takes an optional NAT ID after the registration key, and the same NAT ID must be supplied on the FMC.
Step 2 – Configure the Device on the FMC
- Navigate to Devices > Device Management
- Click Add > Add Device
- Configure the FTD IP address, Display Name and Registration Key (the same key configured on the CLI of the FTD), then select the Access Control Policy (ACP) and Smart Licensing options
- Finally click the Register button
If successful, the device is added to the FMC and is ready to be configured and have policy deployed to it.
Registration Verification
Registration and sftunnel activity on the FTD is logged to the file messages, located in /ngfw/var/log
- From the CLI of the FTD enter expert mode (the command expert)
- Enter the command sudo tail -f /ngfw/var/log/messages
After the manager is configured via the CLI of the FTD, the FTD attempts to contact the FMC at regular intervals. If unsuccessful it waits 44 seconds and tries again, as per the screenshot below at 11:23:38. When the device registration is configured on the FMC and the Register button is pressed, the FMC in turn attempts communication with the FTD, as seen below at 11:23:56. In this example registration with the FMC was successful, as confirmed at 11:24:57 by the message Established connection to sftunnel for peer 192.168.10.40.
You can also capture the registration traffic between the FTD and the FMC. Communication with the FMC is via TCP/8305 on the management interface.
- From the CLI of the FTD enter the command capture-traffic, and when prompted select 0 to capture traffic on br1 (the management interface)
From the screenshot below we can see the FMC (192.168.10.40) initiated communication with the FTD (192.168.10.41) at 11:23:56, and the TCP three-way handshake follows.
Registration Troubleshooting
If registration fails on the FMC, first confirm whether communication between the two devices was successful. If the capture-traffic command was used and did not show bi-directional communication, a device in the path is probably blocking connectivity. TCP/8305 must be permitted between the FTD and FMC in both directions, because either side may initiate the sftunnel connection.
- Confirm the FTD can ping the FMC from its management interface (assuming ICMP is permitted inbound to the FMC), enter the command ping system <FMC IP ADDRESS>
- If connectivity is confirmed, the next place to check is the messages log file, enter the command sudo tail -f /ngfw/var/log/messages from expert mode
In the screenshot below, the error Peer 192.168.10.40 send bad hash indicates that the registration key hash sent by the FMC did not match the key configured on the FTD, i.e. the two registration keys differ, therefore registration fails.
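The following is an added example, not code from the original post or from Cisco, that applies the log checks from the Registration Verification and Registration Troubleshooting sections offline. It reads a copy of the FTD messages log, recognises the "send bad hash" and "Established connection to sftunnel for peer" lines quoted above, measures the interval between the FTD's own connection attempts, and reports which troubleshooting step applies. The sample log lines are constructed to resemble those entries; the "Start connection to" line, the hostname and the process IDs are assumptions, so adjust the patterns to what your own device logs.

```python
"""Summarise FTD-to-FMC registration state from /ngfw/var/log/messages.

Added example, not code from the original post or from Cisco. Feed it the
output of `sudo tail /ngfw/var/log/messages` (or a saved copy) and it reports
whether the sftunnel came up, whether the FMC presented a mismatching
registration key ("send bad hash"), and how often the FTD is retrying.
"""
import re
from datetime import datetime

# Event markers. "send bad hash" and "Established connection to sftunnel for
# peer" are the strings quoted in the post; the "Start connection to" line is
# an assumption used to count the FTD's own connection attempts.
EVENT_PATTERNS = {
    "attempt": re.compile(r"Start connection to : (?P<peer>[\d.]+)"),
    "bad_hash": re.compile(r"Peer (?P<peer>[\d.]+) send bad hash"),
    "established": re.compile(
        r"Established connection to sftunnel for peer (?P<peer>[\d.]+)"
    ),
}

# Constructed sample logs (hostname, PIDs and line layout are assumptions).
# Timestamps follow the post: retry at 11:23:38, 44 s after the previous try,
# FMC connects at 11:23:56, tunnel established at 11:24:57.
SUCCESS_LOG = """\
Jan 10 11:22:54 firepower SF-IMS[2331]: sftunneld:sf_connections [INFO] Start connection to : 192.168.10.40
Jan 10 11:23:38 firepower SF-IMS[2331]: sftunneld:sf_connections [INFO] Start connection to : 192.168.10.40
Jan 10 11:23:56 firepower SF-IMS[2331]: sftunneld:sf_ssl [INFO] Accepted connection from 192.168.10.40
Jan 10 11:24:57 firepower SF-IMS[2331]: sftunneld:sf_connections [INFO] Established connection to sftunnel for peer 192.168.10.40
"""

# Same FTD, but the key typed into the FMC does not match the one given to
# `configure manager add`, so the FMC's hash is rejected.
BAD_KEY_LOG = """\
Jan 10 11:30:02 firepower SF-IMS[2331]: sftunneld:sf_connections [INFO] Start connection to : 192.168.10.40
Jan 10 11:30:46 firepower SF-IMS[2331]: sftunneld:sf_connections [INFO] Start connection to : 192.168.10.40
Jan 10 11:31:03 firepower SF-IMS[2331]: sftunneld:sf_ssl [ERROR] Peer 192.168.10.40 send bad hash
"""


def parse_events(log_text):
    """Return [(timestamp, event, peer_ip)] for recognised lines, in log order."""
    events = []
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        except ValueError:
            continue  # blank line or a line without a syslog timestamp
        for name, pattern in EVENT_PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((ts, name, match.group("peer")))
                break
    return events


def registration_status(log_text, fmc_ip):
    """Reduce the log to one state for the given FMC peer.

    state: 'established' (sftunnel up), 'bad_hash' (registration key
    mismatch), 'retrying' (FTD is trying but the FMC never connected back,
    typically TCP/8305 blocked or the device not yet added on the FMC),
    or 'no_contact' (nothing logged for this peer).
    """
    events = [e for e in parse_events(log_text) if e[2] == fmc_ip]
    attempts = [ts for ts, name, _ in events if name == "attempt"]
    # The last terminal event wins, so a tunnel established after an earlier
    # bad-hash error (key corrected on the FMC) reports 'established'.
    terminal = [name for _, name, _ in events if name in ("established", "bad_hash")]
    if terminal:
        state = terminal[-1]
    elif attempts:
        state = "retrying"
    else:
        state = "no_contact"
    interval = None
    if len(attempts) >= 2:
        interval = int((attempts[-1] - attempts[-2]).total_seconds())
    return {"state": state, "attempts": len(attempts), "retry_interval_s": interval}


NEXT_STEP = {
    "established": "Registration succeeded; nothing to do.",
    "bad_hash": "Registration key mismatch: compare the key in the FMC Add Device "
                "dialog with the one in /etc/sf/sftunnel.conf on the FTD.",
    "retrying": "FMC has not connected back: check TCP/8305 in both directions "
                "and that the device has been added on the FMC.",
    "no_contact": "No sftunnel activity for this peer: confirm the manager with "
                  "'show managers' and basic reachability with 'ping system'.",
}


def report(log_text, fmc_ip):
    """One-line summary plus the troubleshooting step to take next."""
    status = registration_status(log_text, fmc_ip)
    return (f"{fmc_ip}: {status['state']} after {status['attempts']} attempt(s)"
            f" (retry interval {status['retry_interval_s']} s). "
            f"{NEXT_STEP[status['state']]}")


if __name__ == "__main__":
    print(report(SUCCESS_LOG, "192.168.10.40"))
    print(report(BAD_KEY_LOG, "192.168.10.40"))
```

Run it against a saved copy of the log with the FMC's IP; the "retrying" state is the one to expect when the capture shows only the FTD's outbound attempts and no connection from the FMC.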
Confirm the manager configuration
- Enter the command show managers to confirm the correct FMC IP address is configured as the manager
- Enter the command expert to log in to expert mode
- Enter the command sudo cat /etc/sf/sftunnel.conf to display the manager registration information
Ensure the registration key shown in the sftunnel.conf file is the same key entered on the FMC during the device registration step. If they differ, either re-run configure manager add on the FTD with the intended key or correct the key in the FMC Add Device dialog, then register again.