Identificar e Solucionar Problemas da Configuração Básica no FXOS

Introdução

Este documento descreve as etapas para ajudar a confirmar se o estado básico do Cisco Secure Firewall eXtensible Operating (FXOS) e a configuração estão corretos.

Pré-requisitos

Requisitos

A Cisco recomenda que você tenha conhecimento sobre:

• Cisco Secure Firewall eXtensible Operating (FXOS)
• Defesa contra ameaças (FTD) do Cisco Secure Firewall

Componentes Utilizados

As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos usados neste documento começaram com uma configuração limpa (padrão). Se a rede estiver ativa, certifique-se de que você entenda o impacto potencial de qualquer comando.

• Cisco Secure Firewall eXtensible Operating 4110, versão 2.10.(1.179)
• Cisco Secure Firewall Threat Defense, versão 7.0.5

As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos utilizados neste documento foram iniciados com uma configuração (padrão) inicial. Se a rede estiver ativa, certifique-se de que você entenda o impacto potencial de qualquer comando.

Informações de Apoio

O chassi do Cisco Secure Firewall é uma plataforma de última geração para soluções de segurança de rede e de contato. Um dispositivo lógico permite executar uma instância de aplicativo, ASA ou Cisco Secure Firewall Threat Defense (FTD).

Dependendo do dispositivo lógico adicionado, o tipo e a versão da instância do aplicativo são definidos.

Informações do chassi

Esses comandos ajudam a obter informações gerais do seu chassi (esteja tudo operável ou não) que informações coletam para o TAC para solucionar o erro do chassi.

Serial Number

O número de série é usado como um identificador do chassi. É necessário no caso de uma RMA de todo o chassi

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # show inventory
Chassis     PID          Vendor            Serial (SN)  HW Revision
-------    -----------   ----------------- -----------  -----------
1          FPR-4110-K9   Cisco Systems Inc JMX2136L03W  0

Versão do FXOS

FPR4110-04-A# show version
    Version: 2.10(1.179)
    Startup-Vers: 2.10(1.179)

Há duas maneiras de saber a versão do FXOS, esta inclui o firmware.

FPR4110-04-A# show fabric-interconnect firmware
Fabric Interconnect A:
    Running-Kern-Vers: 5.0(3)N2(4.101.103)
    Running-Sys-Vers: 5.0(3)N2(4.101.103)
    Package-Vers: 2.10(1.179)
    Startup-Kern-Vers: 5.0(3)N2(4.101.103)
    Startup-Sys-Vers: 5.0(3)N2(4.101.103)
    Act-Kern-Status: Ready
    Act-Sys-Status: Ready
    Bootloader-Vers:

Versão do carregador de inicialização

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # scope server 1
FPR4110-04-A /chassis/server # scope adapter 1
FPR4110-04-A /chassis/server/adapter # show version detail
Adapter 1:
Running-Vers: 5.10(1.53)
Package-Vers: 2.10(1.179)
Update-Status: Ready
Activate-Status: Ready
Bootloader-Update-Status: Ready
Startup-Vers: 5.10(1.53)
Backup-Vers: 5.10(1.57)
Bootloader-Vers: 4.0(1.62)

Horário da verificação

FPR4110-04-A# connect fxos
FPR4110-04-A(fxos)# show system uptime
System start time: Mon Oct 23 16:45:36 2023
System uptime: 98 days, 1 hours, 49 minutes, 36 seconds
Kernel uptime: 98 days, 1 hours, 40 minutes, 19 seconds
Active supervisor uptime: 98 days, 1 hours, 49 minutes, 36 second

show clock

FPR4110-04-A# show clock
Tue Jan 30 17:07:50 EST 2024 

Verificar servidor Ntp

FPR4110-04-A# scope system
FPR4110-04-A /system # scope services
FPR4110-04-A /system/services # show ntp-server
NTP server hostname:
Name Time         Sync Status
--------------    ----------------
172.16.254.131    Time Synchronized

Monitorando a integridade do chassi

Estes são alguns comandos para ajudar a solucionar problemas de status do hardware do chassi.

Verificar Ambiente

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # show environment expand detail
Chassis 1:
Overall Status: Power Problem
Operability: Operable
Power State: Redundancy Failed
Thermal Status: Ok

PSU 1:
Threshold Status: N/A
Overall Status: N/A
Operability: N/A
Power State: Off
Thermal Status: OK
Voltage Status: N/A

PSU 2:
Threshold Status: OK
Overall Status: Operable
Operability: Operable
Power State: On
Thermal Status: OK
Voltage Status: OK

Tray 1 Module 1:
Threshold Status: OK
Overall Status: Operable
Operability: Operable
Power State: On
Thermal Status: OK
Voltage Status: OK

Fan Module Stats:
Ambient Temp (C): 27.000000

 Fan 1:
Threshold Status: OK
Overall Status: Operable
Operability: Operable
Power State: On
Thermal Status: OK
Voltage Status: OK

 Fan 2:
Threshold Status: OK
Overall Status: Operable
Operability: Operable
Power State: On
Thermal Status: OK
Voltage Status: OK
...
 Server 1:
Name:
User Label:
Overall Status: Ok
Operability: Operable
Oper Power: On

 Adapter 1:
Threshold Status: N/A
Overall Status: Operable
Operability: Operable
Power State: On
Thermal Status: N/A
Voltage Status: N/A

 Motherboard:
Threshold Status: OK
Overall Status: N/A
Operability: N/A
Oper Power: On
Power State: Ok
Thermal Status: OK
Voltage Status: OK
CMOS Battery Voltage Status: Ok
Mother Board Power Usage Status: Ok

 Motherboard Temperature Statistics:
Motherboard Front Temperature (C): 19.000000
Motherboard Rear Temperature (C): 26.000000

 Memory Array 1:
Threshold Status: N/A
Overall Status: N/A
Operability: N/A
Power State: N/A
Thermal Status: N/A
Voltage Status: N/A

 DIMMs:

DIMM Threshold Status Overall Status Operability Power State Thermal Status Voltage Status
---- ---------------- --------------- ----------- ----------- --------------- --------------
1 N/A Operable N/A N/A OK N/A
2 N/A Removed N/A N/A N/A N/A
3 N/A Removed N/A N/A N/A N/A
4 N/A Operable N/A N/A OK N/A
5 N/A Removed N/A N/A N/A N/A
...

 CPU 1:
Threshold Status: N/A
Overall Status: Operable
Operability: Operable
Power State: N/A
Thermal Status: OK
Voltage Status: N/A

Mostrar falha

A lista de falhas mostra todos os problemas de hardware identificados nas plataformas Secure Firewall. Ela ajuda a obter um resumo das falhas ativas, bem como das falhas já eliminadas.

As falhas são mostradas em ordem cronológica. A gravidade reflete a importância da falha, enquanto a descrição fornece um breve resumo. O foco está principalmente na gravidade, no carimbo de hora e na descrição. A ordem de gravidade da falha da mais grave para a menos grave é:

• Crítico
• Principal
• Menor
• Aviso
• Informações/condição
• Limpo

FPR4110-04-A# show fault
Severity Code Last Transition Time ID Description
--------- ----- ----------------------- ------ -----------
Major F0276 2023-12-14T18:26:29.505 507308 ether port 2/2 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0276 2023-11-13T14:07:37.720 221350 ether port 1/1 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Info F0279 2023-11-13T14:07:37.720 446504 ether port 1/7 on fabric interconnect A oper state: sfp-not-present
Major F0276 2023-11-07T08:10:50.143 434090 ether port 1/6 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0276 2023-11-07T08:10:49.941 434081 ether port 1/5 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0282 2023-07-31T17:52:04.764 201600 lan port-channel 7 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:51:03.325 201446 lan port-channel 4 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:49:00.451 201281 lan port-channel 2 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:42:34.236 200638 lan port-channel 1 on fabric interconnect A oper state: failed, reason: No operational members
Major F0909 2023-06-19T14:02:55.642 99113 default Keyring's certificate is invalid, reason: expired.
Warning F1781 2012-01-11T02:21:44.215 90296 The password encryption key has not been set.
Info F0461 2011-12-31T21:32:43.448 35793 Log capacity on Management Controller on server 1/1 is very-low
Major F0408 2011-12-31T21:32:32.787 35497 Power state on chassis 1 is redundancy-failed
Warning F0528 2011-12-31T21:32:32.787 35498 Power supply 1 in chassis 1 power: off
Minor F1437 2011-12-31T21:31:08.462 32663 Config backup may be outdated
FPR4110-04-A# 

As falhas podem ser filtradas com base em causa, detalhes, gravidade ou falhas suprimidas.

FPR4110-04-A# show fault ?
0-18446744073709551615 ID 
<CR> 
> Redirect it to a file 
>> Redirect it to a file in append mode 
cause Cause 
detail Detail 
severity Severity 
suppressed Fault Suppressed 
| Pipe command output to filter 

FPR4110-04-A# show fault severity major
Severity Code Last Transition Time ID Description
--------- ----- ----------------------- ------ -----------
Major F0276 2023-12-14T18:26:29.505 507308 ether port 2/2 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0276 2023-11-13T14:07:37.720 221350 ether port 1/1 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0276 2023-11-07T08:10:50.143 434090 ether port 1/6 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0276 2023-11-07T08:10:49.941 434081 ether port 1/5 on fabric interconnect A oper state: link-down, reason: Link failure or not-connected
Major F0282 2023-07-31T17:52:04.764 201600 lan port-channel 7 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:51:03.325 201446 lan port-channel 4 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:49:00.451 201281 lan port-channel 2 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:42:34.236 200638 lan port-channel 1 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:41:34.673 200660 lan port-channel 3 on fabric interconnect A oper state: failed, reason: No operational members
Major F0408 2011-12-31T21:32:32.787 35497 Power state on chassis 1 is redundancy-faile

Problemas de fonte de alimentação

Para problemas de fonte de alimentação, um status de Problema de voltagem é o indicador de um problema.

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # show psu

PSU:
PSU Type Wattage (W) Overall Status
--- ---- ----------- --------------
 1 DV 0 N/A
 2 DV 1100 Operable

Problemas com o ventilador

Se houver falhas térmicas, provavelmente elas são um problema legítimo de hardware com resfriamento/ventiladores ou um falso positivo devido a um defeito de software. Se o status do ventilador for Inoperable ou degradado, entre em contato com o TAC para obter assistência adicional.

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # show fan-module
Fan Module:
Tray Module Overall Status
----------- --------- --------------
1 1 Operable
1 2 Operable
1 3 Operable
1 4 Operable
1 5 Operable
1 6 Operable

Mostrar evento

É importante verificar se há falhas no aplicativo FXOS para ver se o problema está no próprio blade ou se o aplicativo não consegue inicializar devido a um problema relacionado ao software.

FPR4110-04-A# scope chassis
FPR4110-04-A /chassis # scope server
FPR4110-04-A /chassis/server # scope fxos
FPR4110-04-A /chassis/server/fxos # show event
Creation Time ID Code Description
----------------------- ------- -------- -----------
2024-01-25T14:09:32.783 588408 E4197910 [FSM:STAGE:END]: Waiting for install license complete from blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:HostWaitForLicInstalledComplete)
2024-01-25T14:09:32.783 588409 E4197611 [FSM:STAGE:SKIP]: Reboot blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RebootHostAfterUpgrade)
2024-01-25T14:09:32.783 588410 E4197611 [FSM:STAGE:END]: Reboot blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RebootHostAfterUpgrade)
2024-01-25T14:09:32.783 588411 E4197612 [FSM:END]: Init OS on blade 1/1(FSM:sam:dme:OsControllerInitOS)
2024-01-25T14:09:32.783 588412 E4197612 [FSM:STAGE:END]: (FSM-STAGE:sam:dme:OsControllerInitOS:success)
2024-01-25T14:09:32.782 588405 E4197909 [FSM:STAGE:STALE-SUCCESS]: Request for upgrade to blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RequestToInstallLicense)
2024-01-25T14:09:32.782 588406 E4197909 [FSM:STAGE:END]: Request for upgrade to blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RequestToInstallLicense)
2024-01-25T14:09:32.782 588407 E4197910 [FSM:STAGE:SKIP]: Waiting for install license complete from blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:HostWaitForLicInstalledComplete)
2024-01-25T14:09:32.773 588404 E4197909 [FSM:STAGE:ASYNC]: Request for upgrade to blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RequestToInstallLicense)
2024-01-25T14:09:32.768 588401 E4197609 [FSM:STAGE:END]: Request for upgrade to blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:RequestToUpgrade)
2024-01-25T14:09:32.768 588402 E4197610 [FSM:STAGE:SKIP]: Waiting for upgrade complete from blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:HostWaitForUpgradeComplete)
2024-01-25T14:09:32.768 588403 E4197610 [FSM:STAGE:END]: Waiting for upgrade complete from blade 1/1(FSM-STAGE:sam:dme:OsControllerInitOS:HostWaitForUpgradeComplete)
FPR4110-04-A /chassis/server/fxos # 

Show System Reset-reason

Para recarregamentos inesperados de aplicativos/dispositivos, verifique se não existem núcleos para nenhum processo (FTD) e verifique crashinfo do ASA/Lina usando o comando show crash. Se eles não existirem, o problema provavelmente está relacionado ao FXOS e pode ser roteado usando a palavra-chave FXOS.

FPR4110-04-A# connect fxos
FPR4110-04-A(fxos)# show system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) No time
Reason: Unknown
Service: 
Version: 5.0(3)N2(4.101)

2) No time
Reason: Unknown
Service: 
Version: 5.0(3)N2(4.101)
...

Problemas de alimentação na placa-mãe

FPR4110-04-A# scope chassis 1
FPR4110-04-A /chassis # scope server 1/1
FPR4110-04-A /chassis/server # show fsm status

Slot: 1
Server: sys/chassis-1/blade-1
 
FSM 1:
Remote Result: Not Applicable
Remote Error Code: None
Remote Error Description:
Status: Nop
Previous Status: Turnup Success
Timestamp: 2023-10-23T16:48:19.299
Try: 0
Flags: 0
Progress (%): 100
Current Task:

 FSM 2:
Status: Nop
Previous Status: Identify Success
Timestamp: 2023-10-23T16:47:33.592
Try: 0
Progress (%): 100
Current Task:

 FSM 3:
Status: Nop
Previous Status: Configure Success
Timestamp: 2023-10-23T16:48:16.739
Try: 0
Flags: 0
Progress (%): 100
Current Task:

FPR4110-04-A /chassis/server # show fault
Severity Code Last Transition Time ID Description
--------- ------- ------------------------ -------- -----------
Info F0461 2011-12-31T21:32:43.448 35793 Log capacity on Management Controller on server 1/1 is very-low

Dispositivos lógicos

Conforme indicado nas informações em segundo plano, um dispositivo lógico permite executar uma instância do aplicativo, seja ASA ou FTD.

Estes são alguns comandos para confirmar o status da instância do aplicativo instalada no chassi.

Instância de monitoramento

Mostrar Status do Servidor

Verifique se o slot e o status da detecção estão corretos.

FPR4110-04-A# show server status
Server Slot Status Overall Status Discovery
------- ------------ ------- ---------
1/1 Equipped Ok Complete

Mostrar slot

Visualize o nível de Log, o estado admin e o estado operável do slot.

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # show slot

Slot:
Slot ID Log Level Admin State Oper State
------- --------- ------------ ----------
1 Info Ok Online

Mostrar Instância do Aplicativo

Visualize o nome, a versão, o autor, quais tipos de implantação são suportados, o tipo de CSP e se é o aplicativo padrão usado.

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # show app
Name Version Author Supported Deploy Types CSP Type Is Default App
---- -------- ------ ---------------------- ----------- --------------
ftd 7.0.4-55 cisco Native,Container Application No
ftd 7.0.5-72 cisco Native,Container Application Yes

Show Logical-device

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # show logical-device

Logical Device:
Name Description Slot ID Mode Oper State Template Name
---- ----------- ------- ---------- ---------- -------------
FTD1 1 Standalone Ok ftd

Mostrar instância do aplicativo

Exiba as informações completas do estado operacional da instância do aplicativo, use show app-instance no escopo do slot.

Esse comando ajuda particularmente quando você cria ou atualiza a instância do aplicativo, como mostra o estado operacional se é Instalando ou On-line e a versão do software em execução.

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # scope slot 1
FPR4110-04-A /ssa/slot # show app-instance
Application Instance:
App Name Identifier Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
-------- ---------- ----------- ---------- --------------- --------------- ----------- ---------- ------------ -------------- ------------
ftd FTD1 Enabled Online 7.0.5-72 7.0.5-72 Native No Not Applicable None

Mostrar Detalhes da Instância do Aplicativo

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # show app-instance detail

App Name: ftd
Identifier: FTD1
Slot ID: 1
Admin State: Enabled
Oper State: Online
Running Version: 7.0.5-72
Startup Version: 7.0.5-72
Deploy Type: Native
Profile Name:
Cluster State: Not Applicable
Cluster Role: None
Current Job Type: Start
Current Job Progress: 100
Current Job State: Succeeded
Clear Log Data: Available
Error Msg:
Hotfixes:
Externally Upgraded: No
FPR4110-04-A /ssa #

Mostrar Detalhes do Recurso


Exibir alocação de recursos para a instância do aplicativo.

FPR4110-04-A# scope ssa
FPR4110-04-A /ssa # scope slot 1
FPR4110-04-A /ssa/slot # enter app-instance ftd FTD1
FPR4110-04-A /ssa/slot/app-instance # show resource detail

Resource:
Allocated Core NR: 22
Allocated RAM (MB): 52096
Allocated Data Disk (MB): 128685
Allocated Binary Disk (MB): 3907
Allocated Secondary Disk (MB): 0

Acesso do gerenciador de chassi

Acesso ao Servidor Web Local

Por padrão, o chassi Secure Firewall Threat Defense 4100/9300 nega todo o acesso ao servidor Web local. Você deve configurar sua lista de acesso de IP com uma lista de serviços permitidos para cada um dos seus blocos de IP.

A Lista de Acesso IP suporta protocolos:

• HTTPS

• SNMP

• SSH

FPR4110-04-A# scope system
FPR4110-04-A /system # scope services
FPR4110-04-A /system/services # show ip-block 

Permitted IP Block:
IP Address Prefix Length Protocol
---------- ------------- --------
0.0.0.0 0 https
0.0.0.0 0 snmp

O comando enter serve para configurar uma nova entrada.

FPR4110-04-A /system/services # enter ?
dns Domain Name Server hostname 
ip-block Permitted IP Block 
ipv6-block Permitted IPv6 Block 
ntp-server NTP server hostname 
ssh-host SSH Server public keys 

FPR4110-04-A /system/services # enter ip-block ?
a.b.c.d IP Address

FPR4110-04-A /system/services # enter ip-block 0.0.0.0 ?
0-32 Prefix Length 

FPR4110-04-A /system/services # enter ip-block 0.0.0.0 0 ?
https Https 
snmp Snmp 
ssh Ssh

FPR4110-04-A /system/services/ # enter ip-block 0.0.0.0 0 ssh
FPR4110-04-A /system/services/ip-block* # commit-buffer
FPR4110-04-A /system/services/ip-block # up
FPR4110-04-A /system/services # show ip-block 

Permitted IP Block:
IP Address Prefix Length Protocol
---------- ------------- --------
0.0.0.0 0 https
0.0.0.0 0 snmp
0.0.0.0 0 ssh

Interfaces do monitor

Verificar o IP de gerenciamento do chassi

FPR4110-04-A# show fabric-interconnect 

Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability Ingress VLAN Group Entry Count (Current/Max) Switch Forwarding Path Entry Count (Current/Max)
--- ------------ ------------ --------------- ---------------- ---------------- ------ ----------- -------------------------------------------- ------------------------------------------------
A 172.16.244.72 172.16.244.65 255.255.255.192 :: :: 64 Operable 0/500 53/102

Show Mgmt-port

Determine o status da interface de gerenciamento.

FPR4110-04-A# connect local-mgmt 
FPR4110-04-A(local-mgmt)# 
FPR4110-04-A(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr 50:0f:80:8e:a5:cd 
inet addr:172.16.244.72 Bcast:172.16.244.127 Mask:255.255.255.192
inet6 addr: fe80::520f:80ff:fe8e:a5cd/64 Scope:Link
inet6 addr: fe80::520f:80ff:fe8e:a5cd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7359566 errors:0 dropped:0 overruns:0 frame:0
TX packets:1147585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:1735874306 (1.6 GiB) TX bytes:360530127 (343.8 MiB)

O ping pode ser usado para testar a conectividade.

FPR4110-04-A(local-mgmt)# ping 172.16.244.65
PING 172.16.244.65 (172.16.244.65) from 172.16.244.72 eth0: 56(84) bytes of data.
64 bytes from 172.16.244.65: icmp_seq=1 ttl=254 time=1.15 ms
64 bytes from 172.16.244.65: icmp_seq=2 ttl=254 time=1.38 ms
^C
--- 172.16.244.65 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 12ms
rtt min/avg/max/mdev = 1.146/1.364/1.479/0.122 ms
FPR4110-04-A(local-mgmt)# 

Definir Captura na Interface de Gerenciamento

Ative a interface de gerenciamento de MIO (capture on chassis, captura no chassi) (aplicável somente em FP41xx/FP93xx). Por padrão, ele captura apenas pacotes de 10 bits.

FPR4110-04-A# connect fxos
FPR4110-04-A(fxos)# ethanalyzer local interface mgmt
Capturing on 'eth0'
1 2024-01-30 16:15:56.149887591 fe80::6a9e:bff:fed5:678c → ff02::2 ICMPv6 70 Router Solicitation from 68:9e:0b:d5:67:8c
2 2024-01-30 16:15:56.635897727 80:b7:09:32:f2:a0 → ff:ff:ff:ff:ff:ff ARP 60 Who has 172.16.244.65? Tell 172.16.244.106
3 2024-01-30 16:15:56.650081622 c4:72:95:76:df:97 → 01:80:c2:00:00:00 STP 60 RST. Root = 0/12/2c:31:24:b1:6b:00 Cost = 4 Port = 0x8017
4 2024-01-30 16:15:57.170356692 172.16.244.72 → 172.16.254.131 NTP 90 NTP Version 3, client
5 2024-01-30 16:15:57.234298977 172.16.254.131 → 172.16.244.72 NTP 90 NTP Version 3, server
6 2024-01-30 16:15:58.656444769 c4:72:95:76:df:97 → 01:80:c2:00:00:00 STP 60 RST. Root = 0/12/2c:31:24:b1:6b:00 Cost = 4 Port = 0x8017
7 2024-01-30 16:15:59.170382028 172.16.244.72 → 172.16.254.131 NTP 90 NTP Version 3, client
8 2024-01-30 16:15:59.233556065 172.16.254.131 → 172.16.244.72 NTP 90 NTP Version 3, server
9 2024-01-30 16:15:59.352654266 0.0.0.0 → 255.255.255.255 DHCP 368 DHCP Discover - Transaction ID 0x328ec1b7
10 2024-01-30 16:16:00.150684560 fe80::6a9e:bff:fed5:678c → ff02::2 ICMPv6 70 Router Solicitation from 68:9e:0b:d5:67:8c
10 packets captured
Program exited with status 0

O Ethanalyzer também pode ser usado na interface de entrada. As opções são logs de alta ou baixa prioridade.

FPR4110-04-A(fxos)# ethanalyzer local interface ?
inbound-hi Inbound(high priority) interface
inbound-low Inbound(low priority) interface
mgmt Management interface

Um filtro pode ser usado na captura.

FPR4110-04-A(fxos)# ethanalyzer local interface ?
inbound-hi Inbound(high priority) interface
inbound-low Inbound(low priority) interface
mgmt Management interface

show interface

Esse comando mostra a lista e o estado atual da interface no chassi como uma breve descrição do motivo de cada estado operável.

FPR4110-04-A# scope eth-uplink 
FPR4110-04-A /eth-uplink # scope fabric a
FPR4110-04-A /eth-uplink/fabric # show interface

Interface:
Port Name Port Type Admin State Oper State Allowed Vlan State Reason
----------- --------- ----------- ---------- ------------ ------------
Ethernet1/1 Data Enabled Link Down All Link failure or not-connected
Ethernet1/2 Data Disabled Admin Down All Administratively down
Ethernet1/3 Data Enabled Up All Port is enabled and up
Ethernet1/4 Data Enabled Up All Port is enabled and up
Ethernet1/5 Data Enabled Link Down All Link failure or not-connected
Ethernet1/6 Data Enabled Link Down All Link failure or not-connected
Ethernet1/7 Data Enabled Sfp Not Present All Unknown
Ethernet1/8 Mgmt Enabled Up All Port is enabled and up
Ethernet2/2 Data Enabled Link Down All Link failure or not-connected
Ethernet2/5 Data Disabled Sfp Not Present All Unknown
Ethernet2/6 Data Disabled Sfp Not Present All Unknown
Ethernet2/7 Data Disabled Sfp Not Present All Unknown
Ethernet2/8 Data Disabled Sfp Not Present All Unknow

Conforme mencionado anteriormente, as falhas indicam quaisquer problemas de hardware identificados nas plataformas do Secure Firewall. Você pode verificar as falhas em diferentes escopos para restringir os problemas em cada escopo. Este exemplo mostra as falhas no eth-uplink.

FPR4110-04-A# scope eth-uplink 
FPR4110-04-A /eth-uplink # show fault
Severity Code Last Transition Time ID Description
--------- ------ ------------------------ ------- -----------
Major F0727 2024-01-29T20:31:54.282 597025 lan Member 2/3 of Port-Channel 1 on fabric interconnect A is down, membership: down
Major F0727 2024-01-29T20:31:54.282 597023 lan Member 2/4 of Port-Channel 1 on fabric interconnect A is down, membership: down
Major F0282 2023-07-31T17:52:04.764 201600 lan port-channel 7 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:51:03.325 201446 lan port-channel 4 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:49:00.451 201281 lan port-channel 2 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:42:34.236 200638 lan port-channel 1 on fabric interconnect A oper state: failed, reason: No operational members
Major F0282 2023-07-31T17:41:34.673 200660 lan port-channel 3 on fabric interconnect A oper state: failed, reason: No operational member

Show Port-channel

Isso mostra o número de canais de porta configurados no chassi, bem como seu status geral.

Você pode ir para um escopo de canal de porta específico para obter as informações dos membros.

Se você vir o canal de porta como Failed, entre em contato com o TAC para obter assistência adicional, pois este é um exemplo de canal de porta defeituoso.

FPR4110-04-A# scope eth-uplink
FPR4110-04-A /eth-uplink # scope fabric a
FPR4110-04-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State Port Channel Mode Allowed Vlan State Reason
--------------- -------------- --------- ----------- ---------- ----------------- ------------ ------------
1 Port-channel1 Data Enabled Failed Active All No operational members
2 Port-channel2 Data Enabled Failed Active All No operational members
3 Port-channel3 Data Enabled Failed Active All No operational members
4 Port-channel4 Data Enabled Failed Active All No operational members
7 Port-channel7 Data Enabled Failed Active All No operational members

FPR4110-04-A /eth-uplink/fabric # scope port-channel 1
FPR4110-04-A /eth-uplink/fabric/port-channel # show member

Member Port:
Port Name Membership Oper State State Reason
----------- ---------- ---------------- ------------
Ethernet2/3 Down Sfp Not Present Unknown
Ethernet2/4 Down Sfp Not Present Unknown

Use o comando show port-channel summary para exibir todos os canais de porta no dispositivo, bem como seus membros

FPR4110-04-A# connect fxos
FPR4110-04-A(fxos)# show port-channel summary
Flags: 
D - Down 
P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-Channel Type Protocol Member Ports
--------------------------------------------------------------------------------
1 Po1(SD) Eth LACP Eth2/3(D) Eth2/4(D) 
2 Po2(SD) Eth NONE --
3 Po3(SD) Eth NONE --
4 Po4(SD) Eth NONE --
7 Po7(SD) Eth NONE --

Informações Relacionadas

• Gerar Arquivo de Solução de Problemas de FXOS
• Responda às perguntas frequentes sobre o Firepower eXtensible Operating System (FXOS)
• Definir e solucionar problemas de configurações de NTP em dispositivos Firepower
• Configurar e verificar o canal de porta em dispositivos Firepower