Enabling Management Port in Firepower Threat Defense

This is going to be a quick blog, but I just ran into this issue last night when converting an ASA516-X from standard ASA code to the new Firepower Threat Defense (FTD) code. Let me first paint the picture: I was converting two ASAs from the old code to the new to use in our lab at work. The plan was to convert two of the ASAs we had lying around and join them to our lab Firepower Management Center (FMC) server. For those who don't know, an FTD device uses its management port to register itself with the FMC server; if the management port isn't working, you cannot join it to FMC.

The first ASA went smoothly: I was able to convert the firmware without issue, set the management IP and join the firewall to the FMC server; easy-peasy. The second one, however, was a whole other story. I was able to convert the firmware without any issues, so it seemed like this was going to be a smooth process; however, when I set the management IP I couldn't join the FMC server. OK, so into troubleshooting mode:

First, I checked whether I could ping the IP from the core switch the firewall was plugged into: nope. Next I checked the ARP table to see what MAC address the IP was resolving to: INCOMPLETE. OK, so now let's check the CAM table: nothing on that port. Finally I checked the management port on the FTD device itself:

> show interface
Interface Management1/1 "", is administratively down, line protocol is up
Hardware is en_vtun rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
500 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)

OK, found the problem. The management port was in the “admin down” state. I've run into this issue 1000 times on routers and switches and it's an easy fix: just enable the port using the “no shutdown” command. Well, it turns out not to be that easy on FTD. After an hour of searching the command reference for the command to enable the port, I realized that there isn't a command to enable the management port. After another 20 minutes of research I stumbled across my saving grace in the form of the packet thrower blog:

It turns out I was having the same problem they had: the confreg was set to ignore the system configuration. I had to reboot the FTD firewall into rommon mode and change the confreg before the management port would become enabled. Here is the output from rommon:

> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 1 > confreg
Configuration Register: 0x00000041
Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] ignore system configuration
[ 3 ] auto-boot image in disks
[ 4 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks
do you wish to change the configuration? y/n [n]: y
disable "password recovery"? y/n [n]: y
disable "display break prompt"? y/n [n]:
disable "ignore system configuration"? y/n [n]: y
disable "auto-boot image in disks"? y/n [n]:
change console baud rate? y/n [n]:
select specific image in disks to boot? y/n [n]:
Configuration Register: 0x01000001
Configuration Summary
[ 0 ] display break prompt
[ 1 ] auto-boot image in disks
[ 2 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks
do you wish to change the configuration? y/n [n]:
You must reset or power cycle for new config to take effect
rommon 3 > reset
Resetting .......
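As an added example (not code from the post or from Cisco), here is a small Python triage helper that checks for the two symptoms described above, a management port that is administratively down and a confreg with the ignore-system-configuration bit set, and computes the register value to set in rommon. The bit positions are an assumption inferred from the before/after values in the rommon session above, not taken from vendor documentation.

```python
import re

# Register bits inferred from the before/after values on this page
# (0x00000041 -> 0x01000001 after disabling both "password recovery" and
# "ignore system configuration"). Assumption: 0x40 = ignore system
# configuration, 0x01000000 = password recovery disabled. Verify against
# Cisco's documentation for your platform before relying on them.
IGNORE_SYSTEM_CONFIG = 0x00000040
PASSWORD_RECOVERY_DISABLED = 0x01000000

def parse_confreg(text):
    """Pull the hex register value out of rommon 'confreg' output."""
    m = re.search(r"Configuration Register:\s*0x([0-9a-fA-F]+)", text)
    if m is None:
        raise ValueError("no 'Configuration Register:' line found")
    return int(m.group(1), 16)

def decode_confreg(value):
    """Return the two flags that matter for this problem."""
    return {
        "ignore_system_config": bool(value & IGNORE_SYSTEM_CONFIG),
        "password_recovery": not (value & PASSWORD_RECOVERY_DISABLED),
    }

def mgmt_admin_down(show_interface):
    """True when 'show interface' reports the management port admin down."""
    pattern = r"Interface Management\S+ .*is administratively down"
    return re.search(pattern, show_interface) is not None

def fixed_confreg(value, disable_password_recovery=False):
    """Clear the ignore-system-configuration bit. Disabling password recovery,
    as the rommon session above did, is optional: once disabled, lost
    credentials can only be recovered by erasing the configuration."""
    new = value & ~IGNORE_SYSTEM_CONFIG
    if disable_password_recovery:
        new |= PASSWORD_RECOVERY_DISABLED
    return new

def diagnose(show_interface, confreg_output):
    """Tie the two symptoms together and name the register value to set."""
    value = parse_confreg(confreg_output)
    if mgmt_admin_down(show_interface) and decode_confreg(value)["ignore_system_config"]:
        return ("management port is admin down because confreg "
                f"0x{value:08x} ignores the system configuration; "
                f"set 0x{fixed_confreg(value):08x} in rommon and reset")
    return f"confreg 0x{value:08x} is not the cause; look elsewhere"

# Constructed samples, trimmed from the outputs shown on this page.
SHOW_INTERFACE = 'Interface Management1/1 "", is administratively down, line protocol is up\n'
ROMMON = "rommon 1 > confreg\nConfiguration Register: 0x00000041\n"
```

Running `diagnose(SHOW_INTERFACE, ROMMON)` on the constructed samples points at the 0x40 bit and suggests 0x00000001; passing `disable_password_recovery=True` to `fixed_confreg` reproduces the 0x01000001 the post ended up with.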

Once the firewall rebooted back into FTD, the management port showed up, I was able to ping the IP and, most importantly, join the FTD firewall to FMC. Hopefully, if you are reading this because you're stuck with the same issue, you didn't just waste an extra hour and a half like I did.
