Cisco Firepower Virtual Appliances for VMware Troubleshooting

This section provides information about the most common setup issues, as well as where to submit questions or obtain assistance.

Time Synchronization

If your health monitor indicates that the clock setup for your virtual appliance is not synchronized, check your system policy time synchronization settings. Cisco recommends that you synchronize your virtual appliances to a physical NTP server. Do not synchronize your managed devices (virtual or physical) to a Virtual Cisco Firepower Management Center. To ensure your time synchronization is set up correctly, see Synchronizing Time in the Firepower Management Center Configuration Guide. After you determine that the clock setup for your virtual appliance is correct, contact your ESXi host administrator and ensure that the server’s time configuration is correct.

Performance Issues

If you are having performance issues, remember that there are several factors that affect your virtual appliance. See Virtual Appliance Performance for a list of the factors that may affect your performance. To monitor ESXi host performance, you can use your vSphere Client and the information found under the Performance tab.

Connectivity Issues

You can view and confirm connectivity for the management and sensing interfaces using VMware vCloud Director Web Portal and vSphere Client.

Using VMware vCloud Director Web Portal

You can use VMware vCloud Director web portal to view and confirm that the management connection and sensing interfaces are properly connected.

To confirm connectivity:

1. Select My Cloud > VMs, hover over the virtual appliance you want to view, and right-click.

2. On the Actions window, click Properties.

3. On the Hardware tab, view the NICs for the management and sensing interfaces to confirm connectivity.

Using vSphere Client

You can use vSphere Client to confirm that the management connection and sensing interfaces are properly connected.

Management Connection

During initial setup, it is important to ensure that the network adapter connects at power on. If it does not, the initial management connection setup cannot properly complete and ends with the message:

ADDRCONF (NETDEV_UP): eth0: link is not ready

To ensure that the management connection is connected:

1. Right-click the name of the virtual appliance in the vSphere Client and select Edit Settings. Select Network adapter 1 in the Hardware list and make sure the Connect at power on check box is selected.

When the initial management connection completes properly, check /var/log/messages for this message:

ADDRCONF (NETDEV_CHANGE): eth0: link becomes ready

Sensing Interfaces

During initial setup, it is important to ensure that sensing interfaces connect at power on.

To ensure that the sensing interfaces connect at power on:

1. Right-click the name of the virtual device in the vSphere Client and select Edit Settings. Select Network adapter 2 and Network adapter 3 in the Hardware list. Make sure the Connect at power on check box is selected for each adapter in use.

You must connect your virtual device sensing interfaces to a virtual switch or virtual switch group that accepts promiscuous mode traffic. If they are not, your device can detect only broadcast traffic.

Inline Interface Configurations

You can verify that your inline interfaces are symmetrical and that traffic is flowing between them. To open the VMware console to your virtual device, use either VMware vCloud Director web portal or vSphere Client.

To ensure that the inline sensing interfaces are configured properly:

1. At the console, log in as a user with CLI Configuration (Administrator) privileges.

2. Type expert to display the shell prompt.

3. Enter the command: cat /proc/sf/sfe1000.*

The command displays information similar to this example:

SFE1000 driver for eth1 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
39625470 packets received.
0 packets dropped by user.
13075508 packets sent.
0 Mode 1 LB Total 0 Bit 000...
.
.
SFE1000 driver for eth2 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
13075508 packets received.
0 packets dropped by user.
39625470 packets sent.
0 Mode 1 LB Total 0 Bit 00

Note that the number of packets received on eth1 matches the number sent from eth2, and the number sent from eth1 matches the number received on eth2.

4. Log out of the virtual device.

5. Optionally, and if direct routing to the protected domain is supported, ping the protected virtual appliance where the inline interface of the virtual device is connected.

If the pings return, there is connectivity through the inline interface set of the virtual device.
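
The counter comparison from step 3 can be scripted. The following is an added example, not Cisco code: it parses the text printed by cat /proc/sf/sfe1000.* for one inline pair and checks link, bridging and counter symmetry. The function names, the tolerance argument and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Cisco code. Reads `cat /proc/sf/sfe1000.*` text on stdin
# and checks one inline pair. Assumes stanzas look like the sample on this page.
# $1: allowed counter difference (hypothetical knob, default 0); the two proc
# files are read at slightly different instants while traffic is flowing.
check_inline_pair() {
    awk -v tol="${1:-0}" '
    function absdiff(x, y) { return (x > y) ? x - y : y - x }
    /^SFE1000 driver for / {
        ifc = $4; name[++n] = ifc
        link[ifc]   = ($0 ~ /has link/)
        bridge[ifc] = ($0 ~ /is bridging/)
        next
    }
    ifc != "" && /packets received\./        { rx[ifc] = $1 }
    ifc != "" && /packets sent\./            { tx[ifc] = $1 }
    ifc != "" && /packets dropped by user\./ { drop[ifc] = $1 }
    END {
        if (n != 2) { print "ERROR: expected 2 stanzas, found " n + 0; exit 2 }
        a = name[1]; b = name[2]
        for (i = 1; i <= 2; i++) {
            x = name[i]
            if (!(x in rx) || !(x in tx)) { print "ERROR: " x " counters missing"; exit 2 }
            if (!link[x])        { print "FAIL: " x " does not report link";     bad = 1 }
            if (!bridge[x])      { print "FAIL: " x " does not report bridging"; bad = 1 }
            if (drop[x] + 0 > 0) { print "WARN: " x " dropped " drop[x] " packets" }
        }
        if (absdiff(rx[a] + 0, tx[b] + 0) > tol + 0) { print "FAIL: " a " rx " rx[a] " vs " b " tx " tx[b]; bad = 1 }
        if (absdiff(rx[b] + 0, tx[a] + 0) > tol + 0) { print "FAIL: " b " rx " rx[b] " vs " a " tx " tx[a]; bad = 1 }
        if (!bad) print "OK: " a " and " b " are symmetrical"
        exit bad + 0
    }'
}

# Sample input: the counters from the example output in this section.
sample_output() {
    cat <<'EOF'
SFE1000 driver for eth1 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
39625470 packets received.
0 packets dropped by user.
13075508 packets sent.
SFE1000 driver for eth2 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
13075508 packets received.
0 packets dropped by user.
39625470 packets sent.
EOF
}

sample_output | check_inline_pair
```

The function exits 0 when the pair is symmetrical, 1 on a failed check and 2 when the input does not contain exactly two stanzas. Where awk is available at the shell prompt, the live output can be piped in with cat /proc/sf/sfe1000.* | check_inline_pair.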

For Assistance

Thank you for using Cisco products.

Cisco Support

If you have any questions or require assistance with the Cisco ASA appliances, please contact Cisco Support: