Runt Frame – Firepower Quick Tip – Management Interface & SNMP/Syslog
Runt frames are going to be some quick tips that I run into in my day to day life as a network engineer.
So, let's say that you're preparing to migrate your firewalls to some shiny new ASAs or Firepowers running FTD mode, even though the Internet has tried to warn you off… (Reddit – Firepower Rant Part 1 & Reddit – Firepower Rant Part 2)
As part of your initial setup, you start to configure SNMP & Syslog, but to your horror you find that the system does not allow you to source the traffic from the management interface! It wants you to use a standard data interface, but you can’t activate any of those until you’re ready to complete the migration!
There is a workaround. But it’s not the cleanest.
You can use the “diagnostic” interface. This is a logical interface that shares the physical management interface (at least on the ASA 5500-Xs). So put an IP address on the diagnostic interface (it must be in the same subnet used on the management interface), and then manually add the diagnostic interface to the SNMP settings under Platform Settings in FMC.
“But Justin,” you say, “It still doesn’t work!”
Yep. I ran into that myself. The diagnostic interface doesn’t utilize the default gateway that is configured on the management interface. You have to manually add routes for traffic from the diagnostic interface to your SNMP management stations. You can repeat this process if you want to do the same for Syslog traffic.
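As an added example (not from the original post or from Cisco's documentation), here is how I would sanity-check the workaround from the FTD CLI after deploying the policy from FMC, before assuming SNMP or Syslog is actually leaving the box. It assumes the diagnostic interface has been given the nameif “diagnostic”, that the management station lives at 10.10.20.50 (a constructed placeholder address), and that the static route was added via FMC for that host or its subnet; swap in your own values.

```cisco
! Confirm the diagnostic interface actually has the address you assigned in FMC
! (it should be in the same subnet as the management interface)
show interface ip brief

! Confirm a route to the SNMP/Syslog station exists that is usable by the
! diagnostic interface; the management interface's default gateway will NOT show up here
show route

! Confirm the SNMP host and Syslog server were deployed against the diagnostic interface
show running-config snmp-server
show running-config logging

! Source a ping from the diagnostic interface to the management station;
! if this fails while the management interface can reach it, the static route is missing
ping diagnostic 10.10.20.50
```

If `show route` only lists connected routes and the ping fails, nothing is wrong with SNMP itself: the diagnostic interface simply has no path off its subnet, which is the exact gotcha described above. Add the static route in Platform Settings (or the device's routing page in FMC), redeploy, and re-run the checks.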
References
- https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213519-configure-fdm-firepower-device-manageme.html
- https://community.cisco.com/t5/firepower/snmp-to-the-ftd-managment-interface/td-p/3049834