Introduction
A FirePOWER module that is installed on ASA can be managed by either:
- Firepower Management Center (FMC) – This is the off-box management solution
- Adaptive Security Device Manager (ADSM) – This is the on-box management solution
The goal of this document is to explain how ASDM software communicates with the ASA and a FirePOWER software module installed on it.
Components used
- A Windows 7 host
- ASA5525-X running ASA 9.6.2-3 code
- ASDM software 7.6.2.150
- FirePOWER software module 6.1.0-330
Prerequisites
ASA configuration to enable ASDM management:
ASA5525(config)# interface GigabitEthernet0/0 ASA5525(config-if)# nameif INSIDE ASA5525(config-if)# security-level 100 ASA5525(config-if)# ip address 192.168.75.23 255.255.255.0 ASA5525(config-if)# no shutdown ASA5525(config)# ASA5525(config)# http server enable ASA5525(config)# http 192.168.75.0 255.255.255.0 INSIDE ASA5525(config)# asdm image disk0:/asdm-762150.bin ASA5525(config)# ASA5525(config)# aaa authentication http console LOCAL ASA5525(config)# username cisco password cisco
Additionally, on ASA the 3DES/AES license should be enabled:
ASA5525# show version | in 3DES Encryption-3DES-AES : Enabled perpetual
Architecture
The ASA has 3 internal interfaces:
- asa_dataplane = It is used to redirect packets from the ASA Data Path to the FirePOWER software module
- asa_mgmt_plane = It is used to allow the FirePOWER management interface to communicate with the network
- cplane = Control Plane interface that is used to transfer keepalives between the ASA and the FirePOWER module
You can capture traffic in all internal interfaces:
ASA5525# capture CAP interface ?
asa_dataplane Capture packets on dataplane interface
asa_mgmt_plane Capture packets on managementplane interface
cplane Capture packets on controlplane interface
The above can be visualized as follows:
Background operation when a user connects to ASA via ASDM
Consider the following topology
When a user initiates an ASDM connection to the ASA the following events will occur:
Step 1 – The user initiates the ASDM connection
The user specifies the ASA IP used for HTTP management, enters the credentials and initiates a connection towards the ASA:
In the background an SSL tunnel between the ASDM and the ASA is established:
This can be visualized as follows:
Step 2 – The ASDM discovers the ASA configuration and the FirePOWER module IP
Enabling debug http 255 on ASA will show all the checks that are done in the background when the ASDM connects to the ASA:
ASA5525# debug http 255 … HTTP: processing ASDM request [/admin/exec/show+module] with cookie-based authentication HTTP: processing GET URL '/admin/exec/show+module' from host 192.168.75.22 HTTP: processing ASDM request [/admin/exec/show+cluster+interface-mode] with cookie-based authentication HTTP: processing GET URL '/admin/exec/show+cluster+interface-mode' from host 192.168.75.22 HTTP: processing ASDM request [/admin/exec/show+cluster+info] with cookie-based authentication HTTP: processing GET URL '/admin/exec/show+cluster+info' from host 192.168.75.22 HTTP: processing ASDM request [/admin/exec/show+module+sfr+details] with cookie-based authentication HTTP: processing GET URL '/admin/exec/show+module+sfr+details' from host 192.168.75.22
- show module = The ASDM discovers the ASA modules
- show module sfr details = The ASDM discovers the module details including the FirePOWER management IP
The above will be seen in the background as a series of SSL connections from the PC towards the ASA IP:
Step 3 – The ASDM initiates communication towards the FirePOWER module
Since the ASDM knows the FirePOWER management IP it initiates SSL sessions towards the module:
The above will be seen in the background as SSL connections from the ASDM host towards the FirePOWER management IP:
This can be visualized as follows:
The ASDM authenticates the FirePOWER and a Security Warning is shown since FirePOWER Certificate is self-signed:
Step 4 – The ASDM retrieves the FirePOWER Menu Items
After the successful authentication the ASDM retrieves from the FirePOWER the Menu Items:
The retrieved tabs:
It also retrieves the ASA FirePOWER Configuration Menu Item:
Troubleshooting
In case ASDM cannot establish an SSL tunnel with the FP Management IP then it will only load the following FirePOWER Menu Item:
The ASA FirePOWER Configuration Item will be missing as well:
Recommended actions
Verification 1
Make sure that the ASA management interface is UP and the switchport connected to it is in the proper VLAN:
ASA5525# show interface ip brief | include Interface|Management0/0 Interface IP-Address OK? Method Status Protocol Management0/0 unassigned YES unset up up
Verification 2
Make sure that the FirePOWER module is fully initialized, UP and running:
ASA5525# show module sfr details Getting details from the Service Module, please wait... Card Type: FirePOWER Services Software Module Model: ASA5525 Hardware version: N/A Serial Number: FCH1719J54R Firmware version: N/A Software version: 6.1.0-330 MAC Address Range: 6c41.6aa1.2bf2 to 6c41.6aa1.2bf2 App. name: ASA FirePOWER App. Status: Up App. Status Desc: Normal Operation App. version: 6.1.0-330 Data Plane Status: Up Console session: Ready Status: Up DC addr: No DC Configured Mgmt IP addr: 192.168.75.123 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.168.75.23 Mgmt web ports: 443 Mgmt TLS enabled: true
A5525# session sfr console Opening console session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. > show version --------------------[ FP5525-3 ]-------------------- Model : ASA5525 (72) Version 6.1.0 (Build 330) UUID : 71fd1be4-7641-11e6-87e4-d6ca846264e3 Rules update version : 2016-03-28-001-vrt VDB version : 270 ---------------------------------------------------- >
Verification 3
Check basic connectivity between the ASDM host and the FirePOWER module management IP by using tools like ping and tracert/traceroute:
Verification 4
If the ASDM host and the FirePOWER management IP are in the same L3 network check the ARP table on the ASDM host:
Verification 5
Enable capture on the ASDM device while you are connecting via ASDM to see if there is proper TCP communication between the host and the FirePOWER module. At minimum you should see:
- TCP 3-way handshake between the ASDM host and the ASA
- SSL tunnel established between the ASDM host and the ASA
- TCP 3-way handshake between the ASDM host and the FirePOWER module management IP
- SSL tunnel established between the ASDM host and the FirePOWER module management IP
Verification 6
To check the traffic to and from the FirePOWER module you can enable capture on the asa_mgmt_plane interface. In the capture below it can be seen:
- ARP request from the ASDM host (packet 42)
- ARP reply from the FirePOWER module (packet 43)
- TCP 3-way handshake between the ASDM host and the FirePOWER module (packets 44-46)
ASA5525# capture FP_MGMT interface asa_mgmt_plane ASA5525# show capture FP_MGMT | i 192.168.75.123 … 42: 20:27:28.532076 arp who-has 192.168.75.123 tell 192.168.75.22 43: 20:27:28.532153 arp reply 192.168.75.123 is-at 6c:41:6a:a1:2b:f2 44: 20:27:28.532473 192.168.75.22.48391 > 192.168.75.123.443: S 2861923942:2861923942(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> 45: 20:27:28.532549 192.168.75.123.443 > 192.168.75.22.48391: S 1324352332:1324352332(0) ack 2861923943 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7> 46: 20:27:28.532839 192.168.75.22.48391 > 192.168.75.123.443: . ack 1324352333 win 16695
Verification 7
Verify that the ASDM user has privilege level 15. One way to confirm this is by running debug http 255 while connecting via ASDM:
ASA5525# debug http 255 debug http enabled at level 255. HTTP: processing ASDM request [/admin/asdm_banner] with cookie-based authentication (aware_webvpn_conf.re2c:444) HTTP: check admin session. Cookie index [2][c8a06c50] HTTP: Admin session cookie [A27614B@20480@78CF@58989AACB80CE5159544A1B3EE62661F99D475DC] HTTP: Admin session idle-timeout reset HTTP: admin session verified = [1] HTTP: username = [user1], privilege = [14]
Verification 8
If between the ASDM host and the FirePOWER module there is NAT for the Firepower Management IP then you need to specify the NATed IP:
Verification 9
Make sure that the FirePOWER module is not already managed by Firepower Management Center (FMC) because in that case the FirePOWER tabs in ASDM will be missing:
ASA5525# session sfr console Opening console session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-^X'. > show managers Managed locally. >
Another way:
ASA5525# show module sfr details Getting details from the Service Module, please wait... Card Type: FirePOWER Services Software Module Model: ASA5525 Hardware version: N/A Serial Number: FCH1719J54R Firmware version: N/A Software version: 6.1.0-330 MAC Address Range: 6c41.6aa1.2bf2 to 6c41.6aa1.2bf2 App. name: ASA FirePOWER App. Status: Up App. Status Desc: Normal Operation App. version: 6.1.0-330 Data Plane Status: Up Console session: Ready Status: Up DC addr: No DC Configured Mgmt IP addr: 192.168.75.123 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.168.75.23 Mgmt web ports: 443 Mgmt TLS enabled: true
Verification 10
Verify in the ASA Compatibility guide that the ASA/ASDM images are compatible:
Verification 11
Verify in the Firepower Compatibility guide that the FirePOWER device is compatible with the ASDM version:
No comments:
Post a Comment