Getting it up – Fixing a down’d mgmt interface on FTD


I had to convert a Cisco ASA 5506 to FTD the other day and was baffled because no matter what I did the management interface was admin down / down. This is a problem in FTD since you can’t simply type a no shut and you can’t join it to a FMC without the management interface.

It looked like this from the CLI. If you haven’t seen system support diagnostic-cli before, it gives you the classic ASA CLI back for operational commands.

> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower>
firepower> en
Password:
firepower#
firepower# sh int ip br
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 unassigned YES unset administratively down down
GigabitEthernet1/2 unassigned YES unset administratively down down
GigabitEthernet1/3 unassigned YES unset administratively down down
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset down up
Internal-Data1/2 unassigned YES unset down down
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset administratively down up

How did I fix it? Voodoo? Smash a PIX in front of it so the misbehaving ASA knows my power? Actually the issue is the config-register has been modified on this box and FTD doesn’t like it.

We can fix it by booting into rommon and using confreg to make sure the register is set to 0x00000001. Apparently, at some point “ignore system configuration” was enabled in my case.

> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': yes

Broadcast messagStopping Cisco ASA5506-X Threat Defense......ok
Shutting down sfifd... [ OK ]
Clearing static routes
Unconfiguring default route [ OK ]
Unconfiguring address on br1 [ OK ]
Unconfiguring IPv6 [ OK ]
Downing interface [ OK ]
Stopping xinetd:
Stopping nscd... [ OK ]
Stopping system log daemon... [ OK ]
Stopping Threat Defense ...
Stopping system message bus: dbus. [ OK ]
Un-mounting disk partitions ...
mdadm: stopped /dev/md0
Stopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 3988)
.
Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid (pid 3992)
acpid: exiting

acpid.
Stopping system message bus: dbus.
Deconfiguring network interfaces... ifdown: interface br1 not configured
done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Rom image verified correctly


Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
Copyright (c) 1994-2015 by Cisco Systems, Inc.
Compiled Thu 06/18/2015 12:15:56.43 by builders


Current image running: Boot ROM0
Last reset cause: PowerCycleRequest
DIMM Slot 0 : Present

Platform ASA5506 with 4096 Mbytes of main memory
MAC Address: 38:0e:4d:3d:97:a9


Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

rommon 1 > confreg

Configuration Register: 0x00000041
Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] ignore system configuration
[ 3 ] auto-boot image in disks
[ 4 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks

do you wish to change the configuration? y/n [n]: y
disable "password recovery"? y/n [n]: y
disable "display break prompt"? y/n [n]:
disable "ignore system configuration"? y/n [y]:
disable "auto-boot image in disks"? y/n [n]:
change console baud rate? y/n [n]:
select specific image in disks to boot? y/n [n]:

Configuration Register: 0x00000001
Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] auto-boot image in disks
[ 3 ] console baud: 9600
boot: ...... auto-boot index 1 image in disks

do you wish to change the configuration? y/n [n]:

You must reset or power cycle for new config to take effect
rommon 2 > reset

Resetting .......

Once the FTD came back up the management interface was happy.
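
An added example, not from the original post: a Python check that scans a saved console capture for the two symptoms shown above, a Management interface that is administratively down and a confreg block that is not 0x00000001 or still lists "ignore system configuration". The function names and the trimmed sample capture are constructed for illustration.

```python
import re

EXPECTED_CONFREG = 0x00000001  # value the post sets with confreg in rommon

# Constructed sample: lines trimmed from the console output shown in the post.
SAMPLE_CAPTURE = """\
firepower# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/1 unassigned YES unset administratively down down
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset administratively down up
rommon 1 > confreg
Configuration Register: 0x00000041
Configuration Summary
[ 0 ] password recovery
[ 1 ] display break prompt
[ 2 ] ignore system configuration
[ 3 ] auto-boot image in disks
"""

REG_RE = re.compile(r"^Configuration Register:\s*(0x[0-9a-fA-F]+)$")
FLAG_RE = re.compile(r"^\[\s*\d+\s*\]\s*(.+)$")
MGMT_RE = re.compile(
    r"^(Management\S+)\s+\S+\s+\S+\s+\S+\s+(administratively down|up|down)\s+(up|down)$")

def parse_confreg(capture):
    """Return [(register_value, [summary lines])] for each confreg block, in order."""
    blocks = []
    for line in map(str.strip, capture.splitlines()):
        if m := REG_RE.match(line):
            blocks.append((int(m.group(1), 16), []))
        elif blocks and (m := FLAG_RE.match(line)):
            blocks[-1][1].append(m.group(1))
    return blocks

def audit(capture):
    """List findings: admin-down management interface, unexpected confreg state."""
    findings = []
    for line in map(str.strip, capture.splitlines()):
        m = MGMT_RE.match(line)
        if m and m.group(2) == "administratively down":
            findings.append(f"{m.group(1)} is administratively down")
    blocks = parse_confreg(capture)
    if blocks:
        value, flags = blocks[-1]  # the last block is the state left in the capture
        if value != EXPECTED_CONFREG:
            findings.append(f"confreg 0x{value:08x}, expected 0x{EXPECTED_CONFREG:08x}")
        if "ignore system configuration" in flags:
            findings.append("ignore system configuration is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

Running it over a capture taken after the rommon change should produce no findings.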
