Introduction
This document describes why the interface order of inline sets can differ between sets even when the interface naming convention is the same for all of them.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Secure Firewall Threat Defense (FTD)
- Secure Firewall Management Center (FMC)
- Secure Firewall Extensible Operating System (FXOS)
- REST-API
Components Used
The information in this document is based on these software and hardware versions:
- Secure Firewall Threat Defense version 7.2.5.1
- Secure Firewall Management Center version 7.2.5.1
- Secure Firewall Extensible Operating System 2.12(1.48)
- Secure Firewall Chassis Manager (FCM)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Analysis
Case Example
For this case example, an FTD with six (6) interfaces is set up in inline pairs:
Ethernet1/1 (Inside-A)
Ethernet1/2 (Outside-A)
Ethernet1/3 (Inside-B)
Ethernet1/4 (Outside-B)
Ethernet1/5 (Inside-C)
Ethernet1/6 (Outside-C)
FTD Interface List
The inline sets are planned to be configured from Inside to Outside for each pair, which results in this setup:
Inline Set A: Inside-A <-> Outside-A
Inline Set B: Inside-B <-> Outside-B
Inline Set C: Inside-C <-> Outside-C
Users expect the interfaces to be displayed in alphabetic order, either by interface logical name or by interface physical name. However, this setup results in a different order, as displayed in the next image:
FTD Inline Sets
Users notice that Inline Set C has a different interface order from the other two inline sets.
Note: The interface pair order of an inline set does not cause any communication or operational problem; it is only a cosmetic concern.
Explanation
Inline set interface order is not assigned by interface name but by interface ID, which can be verified via the REST-API.
Step 1. To verify this, access the FMC REST-API explorer with this URL syntax:
https://<FMC IP>/api/api-explorer
FMC REST-API Explorer
Step 2. Navigate to Devices and expand the menu.
Devices Menu
Step 3. Navigate to the GET option for:
/api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords/{containerUUID}/inlinesets
Inline Sets GET Option
Step 4. Click on Try it Out button.
Inline Set GET Try it Out Button
Step 5. Replace the containerUUID field with the FTD UUID (displayed by the show version command on the FTD command line) and click on Execute.
Inline Sets Execution
Step 6. Scroll down to the Response Body and copy the ID of the inline set that needs to be troubleshot, in this case Inline Set C.
"id": "005056B3-BB52-0ed3-0000-021474837838",
Inline Sets GET Response Body
Step 7. Navigate to the GET option for:
/api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords/{containerUUID}/inlinesets/{objectId}
Inline Sets GET Object ID
Step 8. Click on Try it Out button.
Inline Sets GET Object ID Try it Out
Step 9. Replace the objectId field with the ID taken in Step 6 and the containerUUID field with the FTD UUID used in Step 5. After that, click on the Execute button.
Inline Sets GET Object ID Execution
Step 10. Validate the Response body of the REST-API query.
Inline Sets GET Object ID Response Body
Interface Ethernet1/6 is added as the first component of the inline set, while Ethernet1/5 is added as the second component. This happens because the interface ID assigned to Ethernet1/6 sorts alphabetically before the interface ID assigned to Ethernet1/5. This confirms the logic the FMC follows for interface assignment in inline sets: members are ordered by interface ID, not by name.
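As an added example (not Cisco's code), the following Python script applies the same rule to an inline set object: it sorts the two members of each pair by interface ID, the way the FMC does, compares that with the name order a user expects, and can fetch the object from the Step 7 endpoint. The interfacePairs/source/destination field names are assumed from the FMC schema, the sample data is constructed, and its interface IDs are placeholders (only the inline set ID comes from this document).

```python
"""Apply the FMC ordering rule for inline set members (ascending by interface ID, not by
name) to an inline set object and flag pairs that look misordered to a user.

Assumptions: 'interfacePairs' / 'source' / 'destination' mirror the FMC inline set
response schema; the sample below is constructed and its interface IDs are placeholders."""
import json
import re
import ssl
import urllib.request

# Constructed sample for Inline Set C: Ethernet1/6 happens to carry the lower interface ID.
SAMPLE_INLINE_SET = {
    "name": "Inline Set C",
    "id": "005056B3-BB52-0ed3-0000-021474837838",
    "interfacePairs": [{
        "source":      {"name": "Ethernet1/6", "id": "005056B3-BB52-0ed3-0000-000000000010"},
        "destination": {"name": "Ethernet1/5", "id": "005056B3-BB52-0ed3-0000-000000000020"},
    }],
}

def natural_key(name):
    """Sort key so that Ethernet1/10 follows Ethernet1/9 (numeric runs compared as integers)."""
    return [int(t) if t.isdigit() else t.lower() for t in re.split(r"(\d+)", name)]

def fmc_order(pair):
    """Member names in the order FMC assigns them: ascending by interface ID (case-insensitive)."""
    members = sorted((pair["source"], pair["destination"]), key=lambda m: m["id"].lower())
    return tuple(m["name"] for m in members)

def expected_order(pair):
    """Member names in the order a user expects: ascending by physical interface name."""
    members = sorted((pair["source"], pair["destination"]), key=lambda m: natural_key(m["name"]))
    return tuple(m["name"] for m in members)

def find_misordered(inline_set):
    """Pairs whose ID-based order differs from the name-based order, as (set, fmc, expected)."""
    return [(inline_set["name"], fmc_order(p), expected_order(p))
            for p in inline_set["interfacePairs"] if fmc_order(p) != expected_order(p)]

def fetch_inline_set(fmc_host, token, domain_uuid, container_uuid, object_id):
    """GET the inline set object (the Step 7 endpoint). 'token' is the X-auth-access-token
    value returned by POST /api/fmc_platform/v1/auth/generatetoken. TLS is verified against
    the default trust store; add the FMC certificate's CA there instead of disabling checks."""
    url = (f"https://{fmc_host}/api/fmc_config/v1/domain/{domain_uuid}"
           f"/devices/devicerecords/{container_uuid}/inlinesets/{object_id}")
    req = urllib.request.Request(url, headers={"X-auth-access-token": token,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for set_name, got, want in find_misordered(SAMPLE_INLINE_SET):
        print(f"{set_name}: FMC shows {got[0]} <-> {got[1]}, expected {want[0]} <-> {want[1]}")
```

Run with a live token to check every inline set returned by the Step 3 listing before and after the workaround; an empty result from find_misordered means the ID order now matches the name order.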
Workaround
The interface ID is assigned by FXOS at the moment of logical device creation, so the interfaces need to be removed at the FXOS level and re-added in the desired order for new IDs to be assigned.
Warning: The next workaround applies only to the FPR4100 and FPR9300 series; any other Secure Firewall hardware needs to be reimaged. Also, this workaround disrupts traffic, so FMC, FTD and FXOS backups are strongly recommended, as well as a planned maintenance window.
Step 1. Log into the FMC and delete the problematic inline set on this path: Devices > Device Management > Edit the desired FTD > Inline Sets.
Inline Set Deletion
Step 2. Save changes and deploy.
Inline Set Deletion Deployment
Step 3. Log into the device FCM and navigate to Logical Devices and edit the desired Logical Device.
Logical Device Edit
Step 4. Remove both interfaces belonging to the problematic inline set, which are Ethernet1/5 and Ethernet1/6 for this example, and save changes.
Inline Set Interface Removal
Step 5. On the FMC, navigate to Devices > Device Management, edit the desired FTD, navigate to the Interfaces tab, click on the Sync Device button, save changes and deploy.
Inline Set FTD Sync After Removal
Step 6. Edit the logical device again, add the first interface (Ethernet1/5) again, and save the changes.
Inline Set First Interface Adding
Step 7. Click on the Sync Device button, save changes, and deploy again.
FTD Sync After First Interface Adding
Step 8. Edit the logical device again, add the second interface (Ethernet1/6) once more, and save the changes.
Inline Set Second Interface Adding
Step 9. Repeat Step 5 by clicking on the Sync Device button, saving changes, and then deploying.
FTD Sync After Second Interface Adding
Step 10. Configure the interfaces with the same parameters as before and add the inline set again.
Inline Set Configuring
This time, the inline set interface order is displayed as expected. Save changes and deploy one final time.
Note: Run through the Case Example section of this document once more to validate that the interface IDs are now in the correct order.
Related Information