new FTD- cant access web gui page

walter baziuk
Level 5

I have migrated my ASA 5506-X from SFR to ASA with FTD.

I have a working FMC and it can see the new asa with FTD.

 

I can ping the FTD.

The FMC can update rules on the FTD.

The FMC sees and shows the ASA with FTD.

I have a TMC license on the FTD.

I can SSL into the ASA FTD and access both the ASA side and the FTD side with the CLI.

 

I have Nazmul Rajib's FTD book from Cisco Press.

 

I CAN'T access the FTD GUI.

Please advise how I can get access.

9 Replies

If you manage FTD with a Firepower Management Center, you don't have a local GUI on the BOX. It's only one or the other, local GUI or FMC.

The book and my SE say that

  • the FTD GUI is where the config is done
  • the FMC is where monitoring is done

I see nowhere in FMC where I can config the device like the old ASDM (deprecated Java app), with similarly detailed config.

 

As well, the CLI is MUCH different than the older ASA/SFR combo.

 

So how does one do the config?

 

I also have a TAC case, as the conversion FMC VM is VERY BUGGY and TAC has to hand-convert your old ASA/SFR CLI.

Your SE is incorrect and you may be mis-reading the book.

 

What Karsten said is correct - enabling a remote manager (FMC) on an ASA with FTD disables the local Firepower Device Manager. All configuration (except for a few bootstrapping things like configuring the IP address and remote manager) is done via FMC.

 

If you were running a Firepower appliance (2100, 4100 or 9300 series) you would have the Firepower Chassis Manager GUI but you would still configure Firepower services via FMC.

Okay, so if I understand correctly, if you have an FMC that you can access you won't be able to access the actual module GUI (DC IP). I can get to the webpage, but when I attempt to log in all I get is "Unable to authorize access. If problem persists please contact your systems administrator." I know we aren't using RADIUS (ISE) with this device, and as near as I can tell (show users) there aren't any other users configured outside of the admin that are enabled. I understand authorization profiles, as I set up ISE and it's authenticating in other physical areas on devices I set up. This is not one of those devices and it's not tied to anything else. I can log in to the ASA no problem and not the FMC with no issues (using admin). I assumed the FMC and the module had the same creds....

"DC IP" refers to Defense Center (old name for Firepower Management Center) IP address. We see that in ASDM when the Firepower module in the ASA is managed by FMC.

Once a Firepower service module is FMC-managed there is no local GUI (e.g. ASDM) access.

The same applies for a Firepower 2110 running FTD - both Firepower Chassis Manager (FCM) and Firepower Device Manager (FDM) GUIs are no longer available when the device is FMC-managed.

In any case the cli credentials for a module or FTD device and the managing FMC are completely separate. Both have a built-in admin user but the local password is created separately on each and there's no credential synchronization.

Thanks for shedding some light on that. On my 5512X I can connect to the sfr console, which I thought was the cli of the Firepower web gui. Is my only option to reinstall since I can't get into the Firepower web gui? I can see a basic status of the Firepower from ASDM but can't modify the access policies that are on the module.

On the module console, what does "show managers" tell you?

Type: Manager
Host: IP Addr
Registration: Completed

That output indicates that the device is registered to a Firepower Management Center (FMC).

You can thus only view and modify policies from the FMC indicated in the IP address of the output.
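The check described in this answer, as an added example that is not part of the thread: a small Python parser for `show managers` output that reports whether a device is FMC-managed (and therefore has no local GUI) and which FMC host owns its policies. The sample outputs are constructed; the "No managers configured." and "Pending" values are assumptions, not text from the thread.

```python
"""Classify an FTD / Firepower module management state from `show managers`.

Added example, not from the thread. Sample outputs are constructed; the
"No managers configured." text and a "Pending" registration are assumed.
"""
import re
from typing import Dict, List

SAMPLE_REGISTERED = """\
Type: Manager
Host: 192.0.2.10
Registration: Completed
"""

SAMPLE_PENDING = """\
Type: Manager
Host: 192.0.2.10
Registration: Pending
"""

SAMPLE_NONE = "No managers configured.\n"  # assumed wording for an unregistered device


def parse_show_managers(output: str) -> List[Dict[str, str]]:
    """Split the output into one dict per manager entry; a 'Type' line starts an entry."""
    entries: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue  # lines without "key: value" (e.g. the no-manager message) are skipped
        key, value = m.group(1).lower(), m.group(2)
        if key == "type" or not entries:
            entries.append({})
        entries[-1][key] = value
    return entries


def management_state(output: str) -> Dict[str, object]:
    """Who manages the device, and whether a local GUI (FDM/ASDM) is expected.

    As the thread explains, once registration to an FMC is completed, policies
    are viewed and changed only from that FMC and the local GUI is disabled.
    """
    entries = parse_show_managers(output)
    completed = [e for e in entries if e.get("registration", "").lower() == "completed"]
    if completed:
        return {"mode": "fmc", "fmc_hosts": [e.get("host", "?") for e in completed], "local_gui": False}
    if entries:  # remote manager configured but registration not finished
        return {"mode": "pending", "fmc_hosts": [e.get("host", "?") for e in entries], "local_gui": False}
    return {"mode": "local", "fmc_hosts": [], "local_gui": True}
```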
