If a device retrieval does not complete, there are a number of possible causes.
This article covers the common ones and how to resolve them.
Before working through these steps, verify that you have completed the steps to add your device as covered in our guides.
While most standalone firewalls use just SSH, some use extra ports, and management stations use ports specific to each vendor.
Our guides cover this in more detail.
The guides are available from the User Center.
https://usercenter.firemon.com/Documentation
Retrieval Logs
Each device has its own retrieval log, and it is updated on each retrieval attempt.
The logs are located on the DC (Data Collector) that the device is assigned to.
The log location depends on the device type and on several values for the device.
These values can include the device management IP address, the virtual firewall name (VDOM/VSYS/Context) and the device ID in Security Manager.
To find the exact log location, run this command on the DC for the device
fmos logview -fT /var/log/firemon/dc/DataCollector.log |grep -w 'Log file'
and start a manual retrieval.
The exact log location is then shown in messages like these:
Log file ["/var/log/firemon/dc/108/devpack.log"]
or
Log file ["/var/log/firemon/dc/10.250.0.190_79/devpack.log"]
Here are some examples for recent FMOS versions.
9.7 and later
fmos logview -fT /var/log/firemon/dc/x.x.x.x_id/devpack.log
where x.x.x.x is the IP address of the device and id is the device ID in Security Manager.
fmos logview -fT /var/log/firemon/dc/x.x.x.x_yyy_id/devpack.log
where x.x.x.x is the IP address of the device, yyy is the virtual firewall name and id is the device ID in Security Manager.
9.3 to 9.6
fmos logview -fT /var/log/firemon/dc/x.x.x.x/devpack.log
where x.x.x.x is the IP address of the device.
fmos logview -fT /var/log/firemon/dc/x.x.x.x_yyy/devpack.log
where x.x.x.x is the IP address of the device and yyy is the virtual firewall name.
9.2 and earlier
fmos logview -fT /var/log/firemon/dc/x.x.x.x/x.x.x.x.log
where x.x.x.x is the IP address of the device.
fmos logview -fT /var/log/firemon/dc/x.x.x.x_yyy/x.x.x.x_yyy.log
where x.x.x.x is the IP address of the device and yyy is the virtual firewall name.
Once the command is running, start a manual retrieval for the device from the Administration section, Device page.
The new retrieval rolls over the log, and the messages appear in real time.
The log should show where the retrieval is failing. The retrieval completed successfully if this message is displayed at the end of the log:
Retrieval work complete, notifying peer
Connection from DC to the device
If the DC is unable to connect to the device, use curl to test TCP connectivity to the IP address and port
curl -v telnet://x.x.x.x:yy
where x.x.x.x is the device IP address and yy is the port.
A successful connection gets an immediate reply like this, ending with the banner the service sends:
curl -v telnet://10.250.0.190:22
* Rebuilt URL to: telnet://10.250.0.190:22/
* Trying 10.250.0.190...
* TCP_NODELAY set
* Connected to 10.250.0.190 (10.250.0.190) port 22 (#0)
SSH-1.99-Cisco-1.25
Note: this example uses a Cisco device; your results will depend on the device and version.
A connection that fails looks like this. Here the error appears after a few seconds because there is no route to the host:
curl -v telnet://10.250.0.191:22
* Rebuilt URL to: telnet://10.250.0.191:22/
* Trying 10.250.0.191...
* TCP_NODELAY set
* connect to 10.250.0.191 port 22 failed: No route to host
* Failed to connect to 10.250.0.191 port 22: No route to host
* Closing connection 0
curl: (7) Failed to connect to 10.250.0.191 port 22: No route to host
Two other outcomes are worth recognizing. "Connection refused" means the host answered but nothing is listening on that port (or a rule rejects it), so check the management service and port on the device. If curl prints the "Trying" line and then nothing at all, the packets are being silently dropped, usually by an intermediate firewall; add --connect-timeout 10 to bound the wait instead of relying on curl's default.
SSH Encryption
The SSH connection requires the SSH client (the DC) and the server (the firewall device) to agree on the key exchange, host key, cipher and MAC algorithms for the connection.
Some older devices do not support current algorithms.
Open an SSH session to the DC for the device, then run
ssh x.x.x.x
where x.x.x.x is the IP address of the device.
If a password prompt or a host key fingerprint confirmation is displayed, the connection worked.
If the connection does not work and an error such as one of these is displayed
Unable to negotiate with 10.250.0.190 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Protocol major versions differ: 2 vs. 1
then the DC and device could not negotiate the connection.
You can get more information, including the full list of algorithms each side offered, by enabling verbose logging on the ssh connection
ssh -vvv x.x.x.x
By default, FMOS no longer supports older ciphers and algorithms that the OpenSSH community no longer considers secure.
More details, including the option to enable them, can be found here
https://supportcenter.firemon.com/hc/en-us/articles/4402677733779-SSH-retrievals-fail-on-FMOS-9-3
If the SSH connection still cannot be negotiated, you will need to enable newer encryption methods on the device or update the device software to support them.
To test the SSH connection with the older ciphers and algorithms, run the command with these extra options
ssh x.x.x.x -o KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss -o Ciphers=+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
where x.x.x.x is the device IP address. The + form appends these algorithms to the client's defaults for this one command only; the ssh configuration is not changed. Treat them as diagnostic: diffie-hellman-group1-sha1 uses a 1024-bit group with SHA-1, ssh-dss is 1024-bit DSA, and the CBC ciphers have known plaintext-recovery weaknesses, which is why OpenSSH disabled them. Fixing the device side is the durable answer.
Device Credentials
The retrieval process needs to log in to the device using a username and password; if these are not correct, you will see a message like this in the log
Failed to log in with: INVALID_CREDENTIALS.
Check that the credentials are correct before continuing.
To test, log in directly to the device with the same credentials, from the DC if possible.
Ensure that there are no banners or messages to be acknowledged and no expired passwords, since these also stop the automated login.
Retrieval timeout
If the retrieval log appears to stall while sending a command to the device, and a new retrieval stalls at the same place, the device may have a large configuration and the retrieval may be timing out before it completes.
Edit the device in the Administration section, expand the Advanced section and increase the "Retrieval Timeout in Seconds".
We recommend doubling it and testing again.
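The checks above lend themselves to a small helper script. The following is an added example for this article, not FireMon or FMOS code: it derives the devpack.log path from the FMOS version, device IP, virtual firewall name and device ID using the naming scheme in the Retrieval Logs section, maps a log, curl or ssh error line to the section of this article that covers it, turns an OpenSSH "Unable to negotiate ... Their offer:" error into the exact -o option for a one-off test, and wraps the curl connectivity check with a time limit. The function names, the constructed sample lines and the assumption that the version is given as MAJOR.MINOR are assumptions of the example; the error wording is standard OpenSSH and libc.

```shell
#!/bin/sh
# retrieval_triage.sh: helpers for the checks described in this article.
# Added example, not FireMon/FMOS code. Assumptions: FMOS version given as
# MAJOR.MINOR[.x], log paths as in the version table above, standard OpenSSH
# "Unable to negotiate" wording, standard libc connect error strings.

# devpack_log_path FMOS_VERSION IP [VFW_NAME] [DEVICE_ID]
# Print the retrieval log path for a device on the given FMOS version.
devpack_log_path() {
    ver=$1; ip=$2; vfw=$3; devid=$4
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    name=$ip
    if [ -n "$vfw" ]; then name="${name}_${vfw}"; fi   # VDOM/VSYS/Context
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 7 ]; }; then
        # 9.7 and later: the Security Manager device ID is part of the directory
        if [ -z "$devid" ]; then
            echo "FMOS $ver log paths need the device ID" >&2
            return 1
        fi
        echo "/var/log/firemon/dc/${name}_${devid}/devpack.log"
    elif [ "$major" -eq 9 ] && [ "$minor" -ge 3 ]; then
        echo "/var/log/firemon/dc/${name}/devpack.log"
    else
        # 9.2 and earlier: the log file carries the directory name
        echo "/var/log/firemon/dc/${name}/${name}.log"
    fi
}

# classify_failure LINE
# Map a line from devpack.log, curl or ssh output to the section of this
# article that covers it: complete, credentials, connectivity,
# ssh-negotiation or unknown.
classify_failure() {
    case $1 in
        *"Retrieval work complete"*)        echo complete ;;
        *INVALID_CREDENTIALS*)              echo credentials ;;
        *"No route to host"*|*"Connection timed out"*|*"Connection refused"*|*"Network is unreachable"*)
                                            echo connectivity ;;
        *"Unable to negotiate"*|*"Protocol major versions differ"*)
                                            echo ssh-negotiation ;;
        *)                                  echo unknown ;;
    esac
}

# legacy_ssh_option ERROR_LINE
# From an OpenSSH "Unable to negotiate ... Their offer: a,b" error, print the
# -o option that adds exactly the algorithms the device offers, for a one-off
# test like the ssh command above. Fails for any other error.
legacy_ssh_option() {
    offer=${1##*"Their offer: "}
    case $1 in
        *"no matching key exchange method"*) opt=KexAlgorithms ;;
        *"no matching host key type"*)       opt=HostKeyAlgorithms ;;
        *"no matching cipher"*)              opt=Ciphers ;;
        *"no matching MAC"*)                 opt=MACs ;;
        *) echo "not an algorithm negotiation error: $1" >&2; return 1 ;;
    esac
    echo "-o ${opt}=+${offer}"
}

# probe_tcp IP PORT [SECONDS]
# The curl check from the article with a time limit (-m), so a silently
# dropped connection reports "closed or filtered" instead of hanging.
# Needs the network, so the offline demo below does not call it.
probe_tcp() {
    if curl -v -m "${3:-5}" "telnet://$1:$2" </dev/null 2>&1 | grep -q '^\* Connected to'; then
        echo open
    else
        echo "closed or filtered"
    fi
}

# Demo over constructed sample lines (not captured from a real device).
for line in \
    'Failed to log in with: INVALID_CREDENTIALS.' \
    'curl: (7) Failed to connect to 10.250.0.191 port 22: No route to host' \
    'Unable to negotiate with 10.250.0.190 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss' \
    'Retrieval work complete, notifying peer'
do
    printf '%-16s %s\n' "$(classify_failure "$line")" "$line"
done
echo "9.7+ log : $(devpack_log_path 9.7 10.250.0.190 '' 79)"
echo "9.4 VSYS : $(devpack_log_path 9.4 10.250.0.190 vsys1)"
echo "ssh test : ssh 10.250.0.190 $(legacy_ssh_option 'Unable to negotiate with 10.250.0.190 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1')"
```

Run it on the DC with sh; the demo section prints the mapping for the constructed lines, and the functions can be sourced into an interactive shell to feed real devpack.log or ssh -vvv output through classify_failure and legacy_ssh_option. The option printed by legacy_ssh_option enables only what the device offered, which keeps the test narrower than the broad legacy list above.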
If you are still having device retrieval issues, please open a Support ticket for further assistance.