Symptom
- When trying to add a new FTD to the FMC, using a management IP address previously used on an already registered FTD, the registration of the new FTD will fail.
Conditions
- Virtual FMC version 7.2.0
- Registered FTD version 7.1.0
Workaround
On 7.2.0: edit /var/sf/peers/DEVICE_UUID/sftunnel.json and restart sftunnel (pmtool restartbyid sftunnel).
On 7.2.4: restart sftunnel.
Don't forget to change the device name, and always use a name that differs from the host/IP value.
Further Problem Description
- After the management IP address of a registered FTD is changed, the FMC does not update to the new IP address correctly, so the FTD's old management IP address cannot be re-used.
- When trying to add a new FTD using the old IP of the already registered FTD, the registration fails.
- In the FMC messages file, we can see logs saying that the FMC already has a peer with the name of the old IP:
Dec 15 16:15:54 firepower SF-IMS[17526]: [17526] sftunneld:CHECK_PEERS [WARN] Didn't process Peer config /var/sf/peers_pending/192.168.3.32/sftunnel.json
Dec 15 16:15:56 firepower SF-IMS[17526]: [17526] sftunneld:CHECK_PEERS [INFO] Found Pending Peer config /var/sf/peers_pending/192.168.3.32/sftunnel.json
Dec 15 16:15:56 firepower SF-IMS[17526]: [17526] sftunneld:sf_peers [WARN] Already have a peer with name :192.168.3.32
- In the sftunnel_status.pl output of the FMC, we can still see the old management IP of the FTD:
.
.
.
**RUN STATUS****FTD71_33*************
Cipher used = TLS_AES_256_GCM_SHA384 (strength:256 bits)
ChannelA Connected: Yes, Interface eth0
Cipher used = TLS_AES_256_GCM_SHA384 (strength:256 bits)
ChannelB Connected: Yes, Interface eth0
Registration: Completed.
IPv4 Connection to peer '192.168.3.32' Start Time: Thu Dec 15 20:36:42 2022 UTC
.
.
.
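As an added triage helper (not part of the bug report or of Cisco's tooling), the following Python cross-references the two artifacts above: it pulls the "Already have a peer with name" warnings out of the FMC messages file and the device-name/peer-IP pairs out of sftunnel_status.pl output, then reports which registered device still holds the IP that the new registration was refused under. The sample inputs are constructed from the excerpts above; the second device FTD72_45 and the address 192.168.3.45 are made up.

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the FMC messages excerpt in this bug report.
# The 192.168.3.45 line is made up to show a pending peer that is not refused.
SAMPLE_MESSAGES = """\
Dec 15 16:15:54 firepower SF-IMS[17526]: [17526] sftunneld:CHECK_PEERS [WARN] Didn't process Peer config /var/sf/peers_pending/192.168.3.32/sftunnel.json
Dec 15 16:15:56 firepower SF-IMS[17526]: [17526] sftunneld:CHECK_PEERS [INFO] Found Pending Peer config /var/sf/peers_pending/192.168.3.32/sftunnel.json
Dec 15 16:15:56 firepower SF-IMS[17526]: [17526] sftunneld:sf_peers [WARN] Already have a peer with name :192.168.3.32
Dec 15 16:20:10 firepower SF-IMS[17526]: [17526] sftunneld:CHECK_PEERS [INFO] Found Pending Peer config /var/sf/peers_pending/192.168.3.45/sftunnel.json
"""

# Constructed sample sftunnel_status.pl output; FTD72_45 is a made-up second device.
SAMPLE_STATUS = """\
**RUN STATUS****FTD71_33*************
Registration: Completed.
IPv4 Connection to peer '192.168.3.32' Start Time: Thu Dec 15 20:36:42 2022 UTC
**RUN STATUS****FTD72_45*************
Registration: Completed.
IPv4 Connection to peer '192.168.3.45' Start Time: Thu Dec 15 20:40:01 2022 UTC
"""

DUP_RE = re.compile(r"sf_peers \[WARN\] Already have a peer with name :(\d+(?:\.\d+){3})")
NAME_RE = re.compile(r"\*+RUN STATUS\*+([^*]+)\*+")
PEER_RE = re.compile(r"IPv4 Connection to peer '(\d+(?:\.\d+){3})'")


def conflicting_peer_ips(messages: str) -> List[str]:
    """IPs that sftunneld refused to register because a peer of that name already exists."""
    return sorted(set(DUP_RE.findall(messages)))


def registered_peers(status: str) -> Dict[str, str]:
    """Map each device name in sftunnel_status.pl output to the peer IP the FMC still uses."""
    peers: Dict[str, str] = {}
    current = None
    for line in status.splitlines():
        name = NAME_RE.search(line)
        if name:
            current = name.group(1)   # a new RUN STATUS block starts here
            continue
        peer = PEER_RE.search(line)
        if peer and current:
            peers[current] = peer.group(1)
    return peers


def stale_ip_holders(messages: str, status: str) -> Dict[str, str]:
    """For every refused IP, name the registered device whose peer entry still carries it."""
    by_ip = {ip: name for name, ip in registered_peers(status).items()}
    return {ip: by_ip.get(ip, "<no registered device holds this IP>")
            for ip in conflicting_peer_ips(messages)}


if __name__ == "__main__":
    for ip, holder in stale_ip_holders(SAMPLE_MESSAGES, SAMPLE_STATUS).items():
        print(f"{ip} is still bound to {holder}; fix that peer entry before re-using the IP")
```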