Cisco Firepower Virtual Appliances for VMware Troubleshooting
This section provides information about the most common setup issues, as well as where to submit questions or obtain assistance.
If your health monitor indicates that the clock setup for your virtual appliance is not synchronized, check your system policy time synchronization settings. Cisco recommends that you synchronize your virtual appliances to a physical NTP server. Do not synchronize your managed devices (virtual or physical) to a Virtual Cisco Firepower Management Center. To ensure your time synchronization is set up correctly, see Synchronizing Time in the Firepower System Configuration Guide. After you determine that the clock setup for your virtual appliance is correct, contact your ESXi host administrator and ensure that the server’s time configuration is correct.
If you set up a Firepower Management Center Virtual on VMware with manual time, it will (by default) take time from the host. Although you can configure an ESX/ESXi host as an NTP server, it is not a VMware best practice to do so. VMware considers it best practice to have your ESX/ESXi hosts configured to an authoritative time (NTP) server.
If you are having performance issues, remember that there are several factors that affect your virtual appliance. See Virtual Appliance Performance for a list of the factors that may affect your performance. To monitor ESXi host performance, you can use your vSphere Client and the information found under the Performance tab.
You can view and confirm connectivity for the management and sensing interfaces using the vSphere Client.
Using vSphere Client
You can use vSphere Client to confirm that the management connection and sensing interfaces are properly connected.
During initial setup, it is important to ensure that the network adapter connects at power on. If it does not, the initial management connection setup cannot complete properly and ends with the message:
ADDRCONF (NETDEV_UP): eth0: link is not ready
To ensure that the management connection is connected:
1. Right-click the name of the virtual appliance in the vSphere Client and select Edit Settings. Select Network adapter 1 in the Hardware list and make sure the Connect at power on check box is selected.
When the initial management connection completes properly, check the /var/log/messages file for this message:
ADDRCONF (NETDEV_CHANGE): eth0: link becomes ready
During initial setup, it is important to ensure that sensing interfaces connect at power on.
To ensure that the sensing interfaces connect at power on:
1. Right-click the name of the virtual device in the vSphere Client and select Edit Settings. Select Network adapter 2 and Network adapter 3 in the Hardware list. Make sure the Connect at power on check box is selected for each adapter in use.
You must connect your virtual device sensing interfaces to a virtual switch or virtual switch group that accepts promiscuous mode traffic. If it does not, your device can detect only broadcast traffic.
What to Do Next
- See the Cisco NGIPSv Quick Start Guide for VMware for information on how to ensure your sensing interfaces detect all exploits.
Inline Interface Configurations
You can verify that your inline interfaces are symmetrical and that traffic is flowing between them. To open the VMware console to your virtual device, use the vSphere Client.
To ensure that the inline sensing interfaces are configured properly:
1. At the console, log in as a user with CLI Configuration (Administrator) privileges.
2. Enter expert to display the shell prompt.
3. Enter the command:
A text file appears with information similar to this example:
SFE1000 driver for eth1 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
39625470 packets received.
0 packets dropped by user.
0 Mode 1 LB Total 0 Bit 000...
SFE1000 driver for eth2 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
13075508 packets received.
0 packets dropped by user.
0 Mode 1 LB Total 0 Bit 00
Note that the number of packets received on eth1 matches those sent from eth2, and those sent from eth1 match those received on eth2.
4. Log out of the virtual device.
5. Optionally, and if direct routing to the protected domain is supported, ping the protected virtual appliance where the inline interface of the virtual device is connected.
Returned pings indicate that there is connectivity through the inline interface set of the virtual device.
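As an added example (not from the Cisco guide, and written in Python rather than typed into the expert shell), the following parses driver status text in the format shown above and checks both interfaces of an inline pair for link, bridging and user drops. It assumes the header wording is exactly as in the sample, so the presence of the substrings "has link" and "is bridging" is treated as the healthy state; the sample text is constructed.

```python
import re

# Constructed sample in the format of the driver status text shown above.
SAMPLE_STATUS = """\
SFE1000 driver for eth1 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
39625470 packets received.
0 packets dropped by user.
0 Mode 1 LB Total 0 Bit 000
SFE1000 driver for eth2 is Fast, has link, is bridging, not MAC filtering, MAC timeout 7500, Max Latency 0.
13075508 packets received.
0 packets dropped by user.
0 Mode 1 LB Total 0 Bit 00
"""


def parse_driver_status(text: str) -> dict:
    """Map interface name -> {has_link, bridging, received, dropped}.

    Assumption: the header line contains "has link" / "is bridging" only when
    the link is up and the interface is bridging; other lines are ignored.
    """
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"SFE1000 driver for (\S+) is ", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {"received": 0, "dropped": 0})
            cur["has_link"] = "has link" in line
            cur["bridging"] = "is bridging" in line
        elif cur is not None and (m := re.match(r"(\d+) packets received", line)):
            cur["received"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"(\d+) packets dropped by user", line)):
            cur["dropped"] = int(m.group(1))
    return ifaces


def inline_pair_problems(ifaces: dict, pair=("eth1", "eth2")) -> list:
    """Return findings for an inline pair; an empty list means it looks healthy."""
    problems = []
    for name in pair:
        s = ifaces.get(name)
        if s is None:
            problems.append(f"{name}: no driver status found")
            continue
        if not s["has_link"]:
            problems.append(f"{name}: no link")
        if not s["bridging"]:
            problems.append(f"{name}: not bridging (traffic will not pass inline)")
        if s["dropped"]:
            problems.append(f"{name}: {s['dropped']} packets dropped by user")
        if s["received"] == 0:
            problems.append(f"{name}: no packets received")
    return problems
```

On a real device, feed the output of the status command from step 3 to parse_driver_status instead of SAMPLE_STATUS.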