The local routing table of the Firepower Management Center (FMC, Secure Firewall Management Center) with multiple interfaces may be ignored for the sftunnel connection initiated from the FMC to managed devices such as the Firepower Threat Defense (FTD, Secure Firewall). Specifically, when the FMC has 2 or more interfaces, it uses interface eth0 even if there is a preferred specific route via another interface.

The routing table configuration can be verified as follows:

- In the user interface under Configuration > Management Interfaces > Interfaces > [interface] > Channels > Management Traffic IPv4 Routes.
- On the command line interface (CLI) in expert mode, using the ip route show or ip route get a.b.c.d commands.

In this example, the FMC has 2 interfaces, eth0 and eth1. The routing table has a specific static route to the FTD management network via interface eth1.

    > expert
    admin@fmc:~$ ip route show
    default via 192.0.2.1 dev eth0                                        <---- Default route via eth0
    192.0.2.0/25 dev eth1 proto kernel scope link src 192.0.2.100         <---- FMC eth0 IP
    192.0.2.128/25 dev eth0 proto kernel scope link src 192.0.2.200       <---- FMC eth1 IP
    198.51.100.0/24 via 192.0.2.254 dev eth1                              <---- Specific route to FTD via eth1
    admin@fmc:~$ ip route get 198.51.100.100
    198.51.100.100 via 192.0.2.254 dev eth1 src 192.0.2.200 uid 0         <---- Routing table lookup result
        cache

Even though the FTD management network is reachable via interface eth1, the FMC establishes the sftunnel connection to the FTD via eth0. On the FMC CLI, sftunnel connections can be verified in the output of the sftunnel_status.pl a.b.c.d command in expert mode, where a.b.c.d is the FTD management IP address:

    > expert
    admin@fmc:~$ sudo su
    root@fmc:/Volume/home/admin# sftunnel_status.pl 198.51.100.100       <---- FTD management IP
    Check peer 198.51.100.100 at /usr/local/sf/bin/sftunnel_status.pl line 39.
    ...
    PEER INFO:
      sw_version 7.0.1
      sw_build 84
      Management Interfaces: 2
      management0 (control events) 198.51.100.100,                       <---- FTD management IP
      tap_nlp (control events) 169.254.1.3,fd00:0:0:1::3
    Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '198.51.100.100' via '192.0.2.100'   <---- FMC eth0 to FTD management
    Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '198.51.100.100' via '192.0.2.100'     <---- FMC eth0 to FTD management
    ...

On the FTD CLI, the management connection can be verified in the output of the sftunnel-status-brief command:

    > sftunnel-status-brief
    PEER:192.0.2.100
    Peer channel Channel-A is valid type (CONTROL), using 'managemen', connected to '192.0.2.100 ' via '198.51.100.100'   <---- FMC eth0 to FTD management
    Peer channel Channel-B is valid type (EVENT), using 'managemen', connected to '192.0.2.100 ' via '198.51.100.100'     <---- FMC eth0 to FTD management
    Registration: Completed.
    IPv4 Connection to peer 'dfb46cca-18e6-11ed-b077-396a281523b0DONTRESOLVE' Start Time: Wed Aug 10 19:59:42 2022 UTC
    Heartbeat Send Time: Wed Aug 10 20:35:34 2022 UTC
    Heartbeat Received Time: Wed Aug 10 20:36:49 2022 UTC
    Last disconnect time : Wed Aug 10 19:58:33 2022 UTC
    Last disconnect reason : Both control and event channel connections with peer went down
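The two checks above can be compared mechanically. The following shell script is an added example, not part of the original page or of Cisco's tooling: it extracts the egress interface from ip route get output and the interface sftunnel reports for each channel in sftunnel_status.pl output, and flags a mismatch. The two sample outputs are constructed to mirror the example above; on a real FMC the live command output would be fed in instead.

```shell
#!/bin/sh
# Added example (not Cisco's code): does sftunnel follow the FMC routing table?
# The routing table picks the interface in "dev X" of `ip route get <FTD IP>`;
# sftunnel_status.pl reports the interface it really uses in "using 'X'".
# Both outputs below are constructed to mirror the page's example.

ROUTE_GET_SAMPLE='198.51.100.100 via 192.0.2.254 dev eth1 src 192.0.2.200 uid 0
    cache'

SFTUNNEL_SAMPLE="Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '198.51.100.100' via '192.0.2.100'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '198.51.100.100' via '192.0.2.100'"

# Interface selected by the routing table lookup: the word after "dev".
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Interface sftunnel reports for one channel type (CONTROL or EVENT):
# the single-quoted name after "using".
sftunnel_dev() {
    printf '%s\n' "$1" | grep -F "type ($2)" | sed -n "s/.*using '\([^']*\)'.*/\1/p" | head -n 1
}

# Returns 0 when the channel follows the routing table, 1 when it does not
# (the symptom described on this page) or when either value is missing.
check_channel() {
    expected=$(route_dev "$1")
    actual=$(sftunnel_dev "$2" "$3")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "$3: OK, sftunnel uses $actual, routing table selects $expected"
        return 0
    fi
    echo "$3: MISMATCH, sftunnel uses ${actual:-unknown}, routing table selects ${expected:-unknown}"
    return 1
}

# Check both management channels; mismatch=1 if any channel ignores the table.
mismatch=0
for channel in CONTROL EVENT; do
    check_channel "$ROUTE_GET_SAMPLE" "$SFTUNNEL_SAMPLE" "$channel" || mismatch=1
done
```

With the constructed samples both channels report MISMATCH (sftunnel on eth0, routing table selecting eth1), which is exactly the behaviour shown in the outputs above.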
All conditions must match:

1. FMC has more than 1 network interface with active control and event management channels.
2. FMC has a preferred route to the FTD management network via any interface other than eth0, e.g. a preferred specific static route via interface eth1.
3. The manager on the FTD is configured with the DONTRESOLVE keyword:

    > configure manager add DONTRESOLVE cisco cisco
Block the connection between the FMC interface eth0 IP address and the FTD management interface IP address, and vice versa. The FMC eventually establishes the sftunnel connection in accordance with the routing table.
Sftunnel is the secure management connection between the FMC and managed devices.