Troubleshoot FDM-Managed Devices
Use the following article to troubleshoot your FDM-managed devices:
Troubleshoot the Executive Summary Report
You may go to generate a Network Operations Report and not see the results you are expecting, or any data at all. In some cases, the summaries may display No data available. Consider the following scenarios:
-
Security Cloud Control polls for events every hour from the time the device is onboarded. Some scheduled events can trigger multiple jobs that are polled at varying time intervals, from every 10 minutes, 60 minutes, 6 hours, or 24 hours. If the selected devices have just been onboarded, there may not be enough time to collect and compile data.
-
You may have insufficient smart licenses. Only devices that have sufficient licenses generate data. See FDM-Managed Device Licensing Types to determine which smart licenses you required to generate the desired data.
-
Logging is not enabled for access control rules. See Logging Settings in an FDM-Managed Access Control Rule for more information.
-
The time range you selected may have an insufficient amount of data to display, or an access control rule may not have been triggered within the selected time range. Toggle between the Time Range options and determine if a different time period affects the report.
Troubleshoot FDM-Managed Device Onboarding
Connectivity
-
Check device connectivity with a ping. Try to ping FP management IP address from ASA directly. If the ICMP blocks communication from outside, you will not be able to ping FP management interface from the Internet. cUrl / wget helps to check if FP management interface is accessible on configured IP/Port.
-
Check ASA and/or ASDM software versions for compatibility. See Hardware and Software Supported by Security Cloud Control for more information.
-
Use the ASA logs to identify if Security Cloud Control traffic is blocked by the ASA. Through SSH, attempts to connect to FP HTTP management interface are logged in /var/log/httpd/httpsd_access_log.
Module Misconfiguration
-
Unsupported configuration. Security Cloud Control may not be able to support the device's configuration if the module does not meet specific requirements.
HTTP Authentication
-
Security Cloud Control issues an token-based SSO to authenticate an ASA device during the onboarding process. A token issue may be caused by attempt to onboard FP module from non-admin context in case of ASA in multi-context mode. Invalid tokens are identified as ASDM SSO logins in /var/log/mojo/mojo.log a
Failed Because of Insufficient License
If the device connectivity status shows "Insufficient License", do the following:
-
Wait for some time until the device attains the license. Typically it takes some time for Cisco Smart Software Manager to apply a new license to the device.
-
If the device status doesn't change, refresh the Security Cloud Control portal by signing out from Security Cloud Control and signing back to resolve any network communication glitch between license server and device.
-
If the portal refresh doesn't change the device status, perform the following:
Procedure
Step 1 |
Generate a new new registration key from Cisco Smart Software Manager and copy it. You can watch the Generate Smart Licensing video for more information. |
Step 2 |
In the left pane, click the page. |
Step 3 |
Click the Devices tab. |
Step 4 |
Click the appropriate device type tab and select the device with the Insufficient License state. |
Step 5 |
In the Device Details pane, click Manage Licenses appearing in Insufficient Licenses. The Manage Licenses window appears. |
Step 6 |
In the Activate field, paste the new registration key and click Register Device. |
Once the new registration key is applied successfully to the device, its connectivity state turns to Online.
Troubleshoot Device Unregistered
The FDM-managed device may have been unregistered from the cloud via Firewall device manager.
Perform the following to register the device again on the cloud:
Procedure
Step 1 |
In the page, click the Devices tab. |
Step 2 |
Click the FTD tab and select the device in the "Device Unregistered" state, and see the error message on the right. |
Step 3 |
If the unregistered device was onboarded using the registration key, Security Cloud Control prompts you to generate a new registration key as the previously applied key has expired.
|
Step 4 |
If the unregistered device was onboarded using the serial number, Security Cloud Control prompts you to auto-enroll the device from Firewall device manager.
|
Troubleshooting Device Registration Failure during Onboarding with a Registration Key
Failed to Resolve Cloud Service FQDN
If the device registration fails due to failure in resolving cloud service FQDN, check network connectivity or the DNS configuration and attempt to onboard the device again.
Failed Because of an Invalid Registration Key
If the device registration fails due to an invalid registration key, which may occur when you paste incorrect registration key in Firewall device manager.
Copy the same registration key from Security Cloud Control again and attempt to register the device. If the device is already smart licensed, ensure that you remove the smart license before pasting the registration key in firewall device manager.
Failed Because of Insufficient License
If the device connectivity status shows "Insufficient License", do the following:
-
Wait for some time until the device attains the license. Typically it takes some time for Cisco Smart Software Manager to apply a new license to the device.
-
If the device status doesn’t change, refresh the Security Cloud Control portal by signing out from Security Cloud Control and signing back to resolve any network communication problems between license server and device.
-
If the portal refresh doesn’t change the device status, perform the following:
-
Generate a new new registration key from Cisco Smart Software Manager and copy it. You can watch the Generate Smart Licensing video for more information.
-
In the left pane, click the page.
-
Select the device with the Insufficient License state.
-
In the Device Details pane, click Manage Licenses appearing in Insufficient Licenses. The Manage Lincenses window opens.
-
In the Activate field, paste the new registration key and click Register Device.
-
-
Once the new registration key is applied successfully to the device, its connectivity state turns to Online.
Troubleshoot Intrusion Prevention System
What are my IPS policy options?
Every onboarded device is automatically associated a Security Cloud Control-provided IPS policy called "Default Overrides". Security Cloud Control generates a new IPS policy for every FDM-managed device, so there may be multiple policies with this name. If you want to use the default IPs policy but modify the signature overrides options, see Firepower Intrusion Policy Signature Overrides for more information. Note that configuring different signature overrides per device may cause the default overrides policy to become inconsistent.
How do I have a different IPS policy for every device?
Security Cloud Control generates a new IPS policy for every FDM-managed device, so there may be multiple policies with this name. You do not have to rename the Security Cloud Control-provided IPS policy after each device is onboarded. Expanding the policy displays the devices that are associated with it, and you can also filter the threat events page and the signature overrides page per device or policy. To customize the default overrides policy, configure signature overrides per device. This will cause the default overrides intrusions policy to become inconsistent, but this does not inhibit any functionality.
I onboarded a device that has an override configured from an FDM-managed device.
Overrides that are configured outside of Security Cloud Control do not pose an issue to device configuration or functionality.
If you onboard a device that has an override already configured and this new device shares an IPs policy with a device that does not have an override, the IPS policy will be displayed as inconsistent. See Step 3 in Firepower Intrusion Policy Signature Overrides to address inconsistencies.
Troubleshooting SSL Decryption Issues
Handling Web Sites Where Decrypt Re-sign Works for a Browser but not an App (SSL or Certificate Authority Pinning)
Some apps for smart phones and other devices use a technique called SSL (or Certificate Authority) pinning. The SSL pinning technique embeds the hash of the original server certificate inside the app itself. As a result, when the app receives the resigned certificate from the FDM-managed device, the hash validation fails and the connection is aborted.
The primary symptom is that users cannot connect to the web site using the site's app, but they can connect using the web browser, even when using the browser on the same device where the app fails. For example, users cannot use the Facebook iOS or Android app, but they can point Safari or Chrome at https://www.facebook.com/ and make a successful connection.
Because SSL pinning is specifically used to avoid man-in-the-middle attacks, there is no workaround. You must choose between the following options:
-
Support app users, in which case you cannot decrypt any traffic to the site. Create a Do Not Decrypt rule for the site's application (on the Application tab for the SSL Decryption rule) and ensure that the rule comes before any Decrypt Re-sign rule that would apply to the connections.
-
Force users to use browsers only. If you must decrypt traffic to the site, you will need to inform users that they cannot use the site's app when connecting through your network, that they must use their browsers only.
More Details
If a site works in a browser but not in an app on the same device, you are almost certainly looking at an instance of SSL pinning. However, if you want to delve deeper, you can use connection events to identify SSL pinning in addition to the browser test.
There are two ways an app might deal with hash validation failures:
-
Group 1 apps, such as Facebook, send an SSL ALERT Message as soon as it receives the SH, CERT, SHD message from the server. The Alert is usually an "Unknown CA (48)" alert indicating SSL Pinning. A TCP Reset is sent following the Alert message. You should see the following symptoms in the event details:
-
SSL Flow Flags include ALERT_SEEN.
-
SSL Flow Flags do not include APP_DATA_C2S or APP_DATA_S2C.
-
SSL Flow Messages typically are: CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE.
-
-
Group 2 apps, such as Dropbox, do not send any alerts. Instead they wait until the handshake is done and then send a TCP Reset. You should see the following symptoms in the event:
-
SSL Flow Flags do not include ALERT_SEEN, APP_DATA_C2S, or APP_DATA_S2C.
-
SSL Flow Messages typically are: CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, CLIENT_CHANGE_CIPHER_SPEC, CLIENT_FINISHED, SERVER_CHANGE_CIPHER_SPEC, SERVER_FINISHED.
-
Download Button for CA Certificate is Disabled
The download button is disabled for certificates (self signed and uploaded) that are staged on Security Cloud Control but have not been deployed back to the device yet. A certificate can be downloaded only after deploying it to the device.
Troubleshoot FDM-Managed Device Onboarding Using Serial Number
-
Provisioning Error
Claim Error
Invalid Serial Number
An incorrect serial number has been entered while claiming the device in Security Cloud Control.
Resolution
-
Delete the FDM-managed device instance in Security Cloud Control.
-
Create a new FDM-managed device instance by entering the correct serial number and claim the device.
Device Serial Number Already Claimed
The following error occurs when you are onboarding the FDM-managed device using its serial number.
Cause
This error can occur for one of the following reasons:
-
The device may have been purchased from an external vendor, and the device is in the vendor's tenancy.
-
The device may have been previously managed by another Security Cloud Control instance in a different region and is registered to its cloud tenancy.
Resolution
You need to unregister the device's serial number from other cloud tenancy and then reclaim it in your tenant.
Prerequisite
The device must be connected to the Internet that can reach the cloud tenancy.
Device Purchased from an External Vendor
The device purchased from an external vendor may have been registered to the vendor's cloud tenancy.
-
Delete the device instance from Security Cloud Control.
-
Install the FXOS image on the device. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide for the Firepower 1000/21000 with FTD guide.
-
Connect to the FXOS CLI from the console port.
-
Log in to FXOS using your current admin password.
-
In the FXOS CLI, connect to local-mgmt: firepower # connect local-mgmt.
-
Execute the command to deregister the device from the cloud tenancy. firepower(local-mgmt) # cloud deregister.
-
On successful deregistration, the CLI interface returns a success message.
Example: firepower(local-mgmt) # cloud deregister Release Image Detected RESULT=success MESSAGE=SUCCESS 10, X-Flow-Id: 2b3c9e8b-76c3-4764-91e4-cfd9828e73f9
If the device was already unregistered from the cloud tenancy, the CLI interface indicates that the device serial number was not registered with cloud tenancy. RESULT=success MESSAGE=DEVICE_NOT_FOUND: Device with serial number JAD213082x9 is not registered with Security Services Exchange , X-Flow-Id: 63e48b4c-8426-48fb-9bd0-25fcd7777b99
-
Claim the device again in Security Cloud Control by providing its serial number. See Onboard an FDM-Managed Device using the Device Serial Number for more information.
-
Install the FDM-managed device application (version 6.7 or later) on the device. The zero-touch provisioning is initiated on the device and it registers itself in the Cisco Cloud. Security Cloud Control onboards the device.
Onboard an FDM-Managed Device Already Managed by Another Cloud Tenancy in a Different Region
The device may have been previously managed by another Security Cloud Control instance in a different region and is registered to its cloud tenancy.
Case 1: You have access to the tenant that owns the device.
-
Delete the device instance from the Security Cloud Control in region 1.
-
In Firewall device manager, go to page. A warning message appears indicating that the device has been removed from Security Cloud Control.
-
Click the link and select Unregister Cloud Services from the drop-down list.
-
Read the warning and click Unregister.
-
Claim the device from Security Cloud Control in region 2.
-
In Firewall device manager, go to and select the Auto-enroll with Tenancy from Security Cloud Control option and click Register. The device maps to the new tenant that belongs to the new region and Security Cloud Control onboards the device.
Case 2: You don't have access to the tenant that owns the device.
-
Connect to the FXOS CLI from the console port.
-
Log in to FXOS using your current admin password.
-
In the FXOS CLI, connect to local-mgmt: firepower # connect local-mgmt.
-
Execute the command to deregister the device from the cloud tenancy. firepower(local-mgmt) # cloud deregister.
-
On successful deregistration, the CLI interface returns a success message.
Example: firepower(local-mgmt) # cloud deregister Release Image Detected RESULT=success MESSAGE=SUCCESS 10, X-Flow-Id: 2b3c9e8b-76c3-4764-91e4-cfd9828e73f9
The device is unregistered from the cloud.
-
Claim the device from Security Cloud Control in region 2.
-
In Firewall device manager, go to and select the Auto-enroll with Tenancy from Security Cloud Control option and click Register. The device maps to the new tenant that belongs to the new region and Security Cloud Control onboards the device.
Device is Offline
Cause
The device is unable to reach the Cisco Cloud due to one of the following reasons:
-
The device is cabled incorrectly.
-
Your network may require a static IP address for the device.
-
Your network uses custom DNS, or there is external DNS blocking on the customer network.
-
PPPoE authentication is needed. (Common in Europe region.)
-
The FDM-managed device is behind a proxy.
Resolution
-
Sign in to the device and go through the bootstrap CLI process or the Security Cloud Control Easy setup process to configure the device first so it can reach the Internet.
-
Check the cabling and network connectivity.
-
Ensure that your firewall is not blocking any traffic.
-
Ensure that the Security Services Exchange domains are reachable. See Configuration Prerequisites for Hardware Installation for more information.
Failed to Claim the Device
Cause
This error may occur due to one of the following reasons:
-
Security Services Exchange may have temporary issues.
-
The server may be down.
Resolution
-
Delete the FDM-managed device instance in Security Cloud Control.
-
Create a new FDM-managed device instance and claim the device again after some time.
Note |
If you are not able to claim the device, go to the workflows to see the error message and send the details to the Security Cloud Control support team. |
Provisioning Error
Device Password Has Not Been Changed
When claiming the device from Security Cloud Control, the device's initial provisioning may fail and display an "Unprovisioned" message in the Security Devices page.
Cause
You may have selected the "Default Password Changed" option in the Security Cloud Control FDM-managed device serial number onboarding wizard for a new FDM-managed device whose default password was not changed.
Resolution
You need to click Enter Password in the Security Devices page to change the device's password. Security Cloud Control continues with the new password and onboards the device.
Device Password Has Already Been Changed
When claiming the device from Security Cloud Control, the device's initial provisioning may fail and display an "Unprovisioned" message in the Security Devices page.
Cause
You may have selected the "Default Password Not Changed" option in the Security Cloud Control FDM-managed device serial number onboarding wizard for an FDM-managed device whose default password has already been changed.
Resolution
You need to click Confirm and Proceed in the Security Devices page to ignore the new password provided in the serial onboarding wizard. Security Cloud Control continues with the old password and onboards the device.
For Other Errors
For all other provisioning errors, you can click Retry to reinitiate the provisioning. If it fails even after multiple retries, perform the following steps:
-
Delete the FDM-managed device instance from Security Cloud Control and create a new instance. See Onboard an FDM-Managed Device using the Device Serial Number for onboarding steps.
-
In Firewall device manager, go to and select the Auto-enroll with Tenancy from Security Cloud Control option and clickRegister.
Troubleshoot FDM-Managed HA Creation
Event Description Error
If you attempt to onboard or create an FDM-managed HA pair in Security Cloud Control, the HA pair may fail to form and you may see an error with the following message:
Event description: CD App Sync error is Cisco Threat Response is enabled on Active but not on Standby
If you see this error, then one or both of the devices within the HA pair is not configured to allow the devices to send events to the a Cisco cloud server such as Security Cloud Control, Firepower Threat Response, Or the Cisco Success Network.
You must enable the Send Events to the Cisco Cloud feature from the Firewall device manager UI. See the Configuring Cloud Services chapter of the Firepower Device Manager Configuration Guide of the version you are running for more information.
One of my devices is in a bad state after creating HA
If one of the devices falls into an unhealthy or failed state during HA creation, break the HA pair and resolve the device's state, then recreate HA. The failover history might help diagnose the issue.