Cisco – Cannot Connect to the ASA FirePOWER Module

KB ID 0001182

Problem

There’s an alarming number of people who have contacted me about this error;

Cannot connect to the ASA FirePOWER module.
Cannot connect to the ASA FirePOWER module. Check that it is correctly configured and on the network. It’s also possible that the management address is being translated by NAT.
Please verify the IP address/Hostname and port.

Note: If you have just updated or re-imaged the SFR module, see this article

Solution

You see this error when YOU attempt to connect to the ASDM; it does NOT mean the firewall cannot see the FirePOWER module. So look at the IP address it’s telling you it can’t reach (in the example above that’s 10.254.254.253): can YOU ping that address from YOUR location?

You will see this error if the FirePOWER module is incorrectly cabled, is not plugged into the same network as the inside/LAN of the parent firewall, or if its management port is misconfigured (yes, even if you are using FMC). See the following article;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

You will also see this error if you are on your corporate LAN and the FirePOWER module does not have a route back to you. See the following article;

Cisco FirePOWER – Adding a Static Route

You will also see this error if you are connected to the ASDM via the firewall’s PUBLIC IP address. To avoid this error, and to manage the SFR externally, you would need to have done the following;

  • Connect to firewall via a VPN (which has access to the network segment that the inside, and management interfaces are on).
  • Have ‘management-access’ enabled on the inside interface.
  • Allowed https/ASDM access from the VPN subnet, and opened the ASDM from the firewall’s INSIDE IP.

Follow the solutions in the following article;

Cannot Manage ASA via AnyConnect VPN

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER – Adding a Static Route

KB ID 0001172

Problem

Routing traffic back from the ASA: in most cases you will have a static route (or routes) tied to the inside interface of the firewall, or dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sat inside the firewall; it has its own network connection and maintains its own routing table.

You may have already noticed that if your FirePOWER module is down or unreachable you will see an error like this;

Cannot connect to the ASA FirePOWER module

This means you can talk to the inside interface but not the FirePOWER module. If it’s misconfigured see the following article;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

But what if you’re on a different network segment, and the ASA can talk to you but the SFR module can’t?

Solution

Adding a Static Route to the SFR Module

To put a static route on the SFR module you have to connect to it directly. Connect to the firewall and then open a session with the module.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: {your-password}

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

>

[/box]

You need to find what the SFR has called its management interface; usually it’s eth0, but let’s check;

[box]

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
----------------------[ DMZ ]-----------------------
Physical Interface        : GigabitEthernet1/3
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:F2:AA:66:94:3F
IPv4 Address              : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address              : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------

[/box]

Now you can add in your static route(s).

[box]

> configure network static-routes ipv4 add eth0 192.168.100.0 255.255.255.0 10.0.0.1
Configuration updated successfully

[/box]

To delete a static route;

[box]

> configure network static-routes ipv4 delete interface destination netmask gateway

[/box]
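As an added example (not code from the article or from Cisco), the following POSIX sh script does the two checks above by hand: it reads the module’s ‘show interfaces’ output to find the interface whose Type is Management, then works out whether an admin network is off-link (and so needs a static route) and whether the chosen gateway is actually on the management subnet, before printing the exact ‘configure network static-routes ipv4 add’ command. The management netmask is passed in as a parameter, because the CLI output above shows no mask, and the sample output embedded below is constructed from the article’s layout.

```shell
#!/bin/sh
# Added example, not code from the article or from Cisco: read the FirePOWER
# module's "show interfaces" output, pick out the Management interface, and
# decide whether an admin network needs a static route on the module.
# Assumptions: the management netmask is passed in (the CLI output shows no
# mask), and the sample output below is constructed from the article's layout.

SAMPLE_SHOW_INTERFACES='---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
IPv4 Address              : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address              : fdcc::bd:0:ffff:a9fe:1/64'

# mgmt_interface OUTPUT: print "<name> <ipv4>" for the section whose Type is
# Management (cplane has an address but no Type line, so it is skipped).
mgmt_interface() {
    printf '%s\n' "$1" | awk '
        /^-+\[ .* \]-+$/ {
            name = $0; sub(/^-+\[ */, "", name); sub(/ *\]-+$/, "", name)
            type = ""; next
        }
        /^Type +:/         { type = $NF }
        /^IPv4 Address +:/ { if (type == "Management") { print name, $NF; exit } }
    '
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer for mask arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 MASK: true when both addresses share the masked prefix.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# static_route_for OUTPUT MGMT_MASK ADMIN_NET ADMIN_MASK GATEWAY
# Prints the module CLI command for a route to ADMIN_NET.
# Returns 0 with the command, 1 when ADMIN_NET is on-link (no route needed),
# 2 when no Management interface is found or GATEWAY is not on the
# management subnet (a next hop the module cannot ARP for never works).
static_route_for() {
    set -- "$(mgmt_interface "$1")" "$2" "$3" "$4" "$5"
    iface=${1%% *}; mgmt_ip=${1#* }
    [ -n "$iface" ] || { echo "no Management interface in output" >&2; return 2; }
    if same_subnet "$mgmt_ip" "$3" "$2"; then
        return 1
    fi
    same_subnet "$mgmt_ip" "$5" "$2" ||
        { echo "gateway $5 is not on the $iface subnet" >&2; return 2; }
    echo "configure network static-routes ipv4 add $iface $3 $4 $5"
}

# Worked case from the article: admin LAN 192.168.100.0/24 via the module's
# default gateway 10.0.0.1 (assumed to be the router on the management subnet).
static_route_for "$SAMPLE_SHOW_INTERFACES" 255.255.255.0 192.168.100.0 255.255.255.0 10.0.0.1
```

Paste the real ‘show interfaces’ output into the variable (or pipe it in) and pass your own netmask; the script only prints the command, it does not run it on the module.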

Add a Static Route to the FirePOWER Management Console

To do the same on an FMC appliance, System > Configuration > Management Interface > IPv4 Routes > Add.

To do the same from command line on the appliance, use the following commands;

[box]

sudo su
cd /etc/sysconfig/network-devices
touch ifcfg-static-routes
echo 'eth0 ipv4 192.168.10.0 255.255.255.0 192.168.1.1' >> /etc/sysconfig/network-devices/ifcfg-static-routes
/etc/rc.d/init.d/routes restart

[/box]
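The echo above appends whatever you type straight into a file the routes init script consumes, so a typo (a host address instead of a network, a non-contiguous mask, a mistyped octet) only shows up when the route silently fails to install. As an added example (not the article’s or Cisco’s code), here is a small POSIX sh helper that validates a line against the format shown above and appends it only once. It assumes that format (interface, the literal ipv4, network, netmask, gateway, one route per line) and takes the file path as a parameter so you can try it on a scratch file before touching /etc/sysconfig/network-devices/ifcfg-static-routes.

```shell
#!/bin/sh
# Added example, not the article's or Cisco's code: validate a static-route
# line before appending it to the FMC ifcfg-static-routes file, and never
# append the same line twice.
# Assumption: one route per line in the form
#   <iface> ipv4 <network> <netmask> <gateway>
# as the article shows; FILE is a parameter so this can be tried on a scratch file.

# valid_ipv4 A.B.C.D: four dotted octets, each 0-255, nothing else.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_route_line LINE: exactly five fields, an ethN interface, the literal
# "ipv4", three well-formed addresses, a contiguous netmask, and a network
# address (not a host address) as the destination.
valid_route_line() {
    set -- $1
    [ $# -eq 5 ] || return 1
    case $1 in eth[0-9]*) ;; *) return 1 ;; esac
    [ "$2" = ipv4 ] || return 1
    valid_ipv4 "$3" && valid_ipv4 "$4" && valid_ipv4 "$5" || return 1
    mask=$(ip2int "$4"); inverse=$(( mask ^ 4294967295 ))
    [ $(( (inverse + 1) & inverse )) -eq 0 ] || return 1   # ones then zeros only
    net=$(ip2int "$3")
    [ $(( net & mask )) -eq "$net" ]
}

# add_static_route FILE LINE: append LINE to FILE when it is valid and absent.
# Returns 0 appended, 1 already present, 2 rejected.
add_static_route() {
    file=$1; line=$2
    valid_route_line "$line" || { echo "rejected: $line" >&2; return 2; }
    [ -f "$file" ] || : > "$file"
    if grep -qxF -e "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage on the FMC (as root, as in the article), then restart routing:
#   add_static_route /etc/sysconfig/network-devices/ifcfg-static-routes \
#       'eth0 ipv4 192.168.10.0 255.255.255.0 192.168.1.1' && /etc/rc.d/init.d/routes restart
```

Because a duplicate returns 1 rather than appending again, the helper is safe to re-run from a provisioning script; only a non-zero status of 2 means the line itself was wrong.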

Related Articles, References, Credits, or External Links

NA