Cisco Firepower Troubleshoot File Generation Procedures

Introduction

This document describes how to generate a troubleshoot file on a Cisco Firepower. A troubleshoot file contains a collection of log messages, configuration data, and command outputs. It is used to determine the status of the Firepower hardware and software. If a Cisco engineer requests you to send a troubleshoot file from your Firepower device, you can use the instructions provided in this document.

Prerequisites

Cisco recommends that you have knowledge of the following products:

• Firepower Management Center (FMC)
• Firepower Threat Defense (FTD)
• FirePOWER (SFR) service module running on ASA
• Firepower eXtensible Operating System (FXOS)

Note: You can use an FMC to generate a troubleshoot file for the management appliance itself, or for any managed devices. The instructions on this document is applicable on an FMC that runs software Version 5.0 or later.

Warning: The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Using the Web Interface of FMC

Generate a Troubleshoot File

Complete these steps in order to generate troubleshoot files:

1. In the version 6.x, navigate to System > Health > Monitor on the management appliance web interface in order to reach the Health Monitor page.
   
   In the version 5.x, navigate to Health > Health Monitor on the management appliance web interface in order to reach the Health Monitor page.
   
   
2. In order to expand the appliance list and view the appliances with a particular status, click the arrow at the end of the row:
   
   
   

   Tip: If the arrow at the end of the row for a status level points down, the appliance list for that status appears in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details. The Health Monitor Appliance page appears.
   
   
4. Click Generate Troubleshooting Files. The Troubleshooting Options pop-up window appears.
   
   
5. Check the All Data check box in order to generate a report with all of the possible troubleshooting data, or check the individual check boxes in order to customize your report:
   
   
6. Click Generate and the Management Center generates the troubleshoot files.
   
   

   Tip: In version 6.x, in order to monitor the file generation process in task status, navigate to Message Center icon (an option between Deploy and System) > Tasks. In version 5.x, in order to monitor the file generation process in the task queue, navigate to System > Monitoring > Task Status.

Download a Troubleshoot File

In order to download a copy of your generated troubleshoot file, go to the Task Status page on your FMC. In version 6.x, navigate to Message Center icon ( an option between Deploy and System) > Tasks on the management appliance web interface in order to reach the Task Status page. In version 5.x, navigate to System > Monitoring > Task Status on the management appliance web interface in order to reach the Task Status page.

On 6.x:

On 5.x:

Once the appliance generates a troubleshoot file, the task status changes to Completed. You can locate the task that corresponds to the troubleshoot files that you generated. Click the Click to retrieve generated files link and follow the browser prompts in order to download the file. The files are downloaded to your desktop in a single .tar.gz file.

Using the Command Line Interface (CLI)

If you attempt to use the generation method that is described in the previous sections and are unable to access the management appliance web interface, or if there is a connectivity issue between the management appliance and the managed devices, then you will not be able to generate the troubleshoot file. In this case, you can use the CLI of your appliance in order to generate the troubleshoot file.

Firepower Management Center

Enter this command on the Firepower Management Center in order to generate a troubleshoot file:

admin@FMC:~$ sudo sf_troubleshoot.pl 

Starting /usr/local/sf/bin/sf_troubleshoot.pl...
Please, be patient.  This may take several minutes.
Troubleshooting information successfully created at /var/common/xxxxxx.tar.gz

Firepower Devices

Enter this command on FirePOWER devices/modules and virtual managed devices in order to generate a troubleshoot file:

> system generate-troubleshoot all

Starting /usr/local/sf/bin/sf_troubleshoot.pl...
Please, be patient.  This may take several minutes.
The troubleshoot option code specified is ALL.
Troubleshooting information successfully created at /var/common/xxxxxx.tar.gz

Firepower eXtensible Operating System (FXOS)

You can obtain a troubleshoot file directly from your Firepower eXtensible Operating System (FXOS). To generate a file, you need to connect to the device's management address using Secure Shell (SSH). Once you are in the FXOS CLI, follow the steps below to generate the file:

FP4150# connect local-mgmt
FPr4150(local-mgmt)# show tech-support fprm detail

Initiating tech-support information task on FABRIC A ...
Completed initiating tech-support subsystem tasks (Total: 1)
All tech-support subsystem tasks are completed (Total: 1[received]/1[expected])

The detailed tech-support information is located at workspace:///techsupport/20170116170843_FP4150_FPRM.tar

FP4150(local-mgmt)#

The fprm keyword generates a troubleshoot file for the Firepower Platform Management. Similarly, the system also allows you to generate troubleshoot files from chassis and security module.

FP4150(local-mgmt)# show tech-support ?
  chassis  Chassis
  fprm     Firepower Platform Management
  module   Security Module

Once a troubleshoot file is generated, you can find it in the workspace. Run the following command to confirm:

FP4150(local-mgmt)# dir workspace:/techsupport

1 9912320 Jan 16 17:10:07 2012 20170116170843_FP4150_FPRM.tar

Usage for workspace://
4032679936 bytes total
43540480 bytes used
3784286208 bytes free

FP4150(local-mgmt)#

Note: If you successfully generate files using all three parameters (fprm, chassis, module), you should see them in the /techsupport directory.

Copy a Troubleshoot File with CLI

Before you copy a file from FXOS to your computer, ensure the following items:

• The firewall on your local computer accepts incoming connection over any necessary ports. For example, if you copy a file over Secure Shell, your computer must be allowing connections from any related ports, such as, port 22.
• You computer must be running the Secure Copy (SCP) service. You can find various SSH/SCP server softwares in the internet. However, Cisco does not provide support for installing and configuring any particular SCP server.

Firepower Management Center

Enter this command on the Firepower Management Center in order to copy a troubleshoot file:

admin@FMC:~$ sudo scp troubleshoot_file_name username@destination_host:destination_folder

Firepower Devices

Enter this command on FirePOWER devices and virtual managed devices in order to copy a troubleshoot file:

> system file secure-copy hostname username destination_folder troubleshoot_file

Note: In this example, the hostname refers to the name or IP address of the target remote host, the username specifies the name of the user on the remote host, the destination_folder specifies the destination path on the remote host, and the troubleshoot_file specifies the local troubleshoot file for transfer.

Firepower eXtensible Operating System (FXOS)

To copy a troubleshoot file from your Firepower eXtensible Operating System (FXOS) to your local computer, run the following command on your Firepower appliance:

FP4150(local-mgmt)# copy workspace:/techsupport/filename scp://username@X.X.X.X