Troubleshoot FTD Unable to Reach Cisco Cloud for Threat Data Updates

Available Languages

Download Options

  • PDF     (69.8 KB)
    View with Adobe Reader on a variety of devices
Updated:May 19, 2026
Document ID:225936

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

A newly deployed Cisco Secure Firewall (CSF) 1230 appliance is unable to reach the Cisco Cloud, preventing Threat Defense updates from being downloaded. These error messages are displayed in the system:

  • "Threat Data Updates on Devices - Cisco Cloud Configuration - Unable to reach Cisco Cloud from the device. Please check the network connection."

  • "Cisco Support Diagnostics Configuration - failure."

Health_Alert

The firewalls appear to be functioning properly in all other aspects, but the cloud connectivity failure is preventing the devices from receiving critical threat intelligence updates from Cisco's cloud-based services.

Environment

  • FTD Software Version: 7.7.11. Other software versions can be also affected.

  • HW: CSF1230. Other platforms can be also affected.

Resolution

Reference (most common causes)

For this alert pair on FTD, the most common causes are:

  • Domain Name System (DNS) resolution for the Cisco cloud endpoint fails.

  • Outbound connectivity from the management plane is blocked.

  • Proxy is interfering.

  • The management interface reaches the Internet through NAT but the NAT configuration is incorrect.

In this case, the issue was resolved by configuring the required translation rules for the newly deployed FTD appliances.

These steps were taken to restore cloud connectivity:

Step 1. Identify Missing NAT Rules

The investigation revealed that the absence of proper NAT rules was preventing the firewalls from establishing connectivity to the Cisco Cloud services. These NAT rules are essential for the firewalls to properly route traffic to Cisco's cloud-based threat intelligence services.

Step 2. Configure Translation Rules

The required NAT rules were added to the customer's network configuration to support the new firewalls' cloud connectivity requirements. These rules enable the firewall devices to successfully communicate with Cisco's cloud infrastructure for threat data updates.

Step 3. Verify Cloud Connectivity

After implementing the NAT rules, the firewalls were able to successfully connect to the Cisco Cloud. The previously displayed error messages were cleared, and the devices began receiving threat intelligence updates as expected.

The resolution was achieved through configuration changes on the customer's network infrastructure rather than modifications to the firewall devices themselves, ensuring that the cloud connectivity requirements for the new firewalls were properly addressed.

Cause

The root cause of the connectivity issue was the absence of required NAT rules in the customer's network configuration.

Related Content

Revision History

Revision Publish Date Comments
1.0
19-May-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Mikis Zafeiroudis
    Cisco TAC Engineer
  • Ilkin Gasimov
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products