Cisco Defense Orchestrator

Troubleshoot FTD Onboarding using Serial Number

Provisioning Error 

Device Password Has Not Been Changed

When claiming the device from CDO, the device's initial provisioning may fail and display an "Unprovisioned" message in the Devices & Services page.

Cause

You may have selected the "Default Password Changed" option in the CDO FTD serial onboarding wizard for a new FTD device whose default password was not changed.

Resolution 

You need to click Enter Password in the Devices & Services page to change the device's password. CDO continues with the new password and onboards the device.

Device Password Has Already Been Changed

When claiming the device from CDO, the device's initial provisioning may fail and display an "Unprovisioned" message in the Devices & Services page.

Cause

You may have selected the "Default Password Not Changed" option in the CDO FTD serial onboarding wizard for an FTD device whose default password has already been changed.

Resolution 

You need to click Confirm and Proceed in the Devices & Services page to ignore the new password provided in the serial onboarding wizard. CDO continues with the old password and onboards the device.

For Other Errors

For all other provisioning errors, you can click Retry to reinitiate the provisioning. If it fails even after multiple retries, perform the following steps:

  1. Delete the FTD device instance from CDO and create a new instance. See Onboard an FTD using the Device Serial Number for onboarding steps.
  2. In FDM, go to System Settings > Cloud Services and select the Auto-enroll with Tenancy from Cisco Defense Orchestrator option and click Register.

Claim Error

Invalid Serial Number

[Figure: "Invalid Serial Number" claim error]

Cause

An incorrect serial number has been entered while claiming the device in CDO. 

Resolution

  1. Delete the FTD device instance in CDO.
  2. Create a new FTD device instance by entering the correct serial number and claim the device.

Device Serial Number Already Claimed

The following error occurs when you are onboarding the FTD device using its serial number. 

[Figure: "Device Serial Number Already Claimed" error]

Cause

This error can occur for one of the following reasons:

  • The device may have been purchased from an external vendor, and the device is in the vendor's tenancy. 
  • The device may have been previously managed by another CDO instance in a different region and is registered to its cloud tenancy.

Resolution 

You need to unregister the device's serial number from the other cloud tenancy and then reclaim it in your tenant.

Prerequisite

The device must have Internet connectivity that can reach the cloud tenancy.

Device Purchased from an External Vendor

The device purchased from an external vendor may have been registered to the vendor's cloud tenancy.

  1. Delete the device instance from CDO.
  2. Install the FXOS image on the device. For more information, see the "Reimage Procedures" chapter of the Cisco FXOS Troubleshooting Guide for the Firepower 1000/21000 with FTD guide.
  3. Connect to the FXOS CLI from the console port.
  4. Log in to FXOS using your current admin password. 
  5. In the FXOS CLI, connect to local-mgmt:
    firepower # connect local-mgmt
  6. Execute the command to deregister the device from the cloud tenancy.
    firepower(local-mgmt) # cloud deregister
  7. On successful deregistration, the CLI interface returns a success message.

Example:
firepower(local-mgmt) # cloud deregister
Release Image Detected
RESULT=success
MESSAGE=SUCCESS 10, X-Flow-Id: 2b3c9e8b-76c3-4764-91e4-cfd9828e73f9

If the device was already unregistered from the cloud tenancy, the CLI interface indicates that the device serial number is not registered with the cloud tenancy:

   RESULT=success
   MESSAGE=DEVICE_NOT_FOUND: Device with serial number JAD213082x9 is not registered with SSE,
   X-Flow-Id: 63e48b4c-8426-48fb-9bd0-25fcd7777b99

  8. Claim the device again in CDO by providing its serial number. See Onboard an FTD using the Device Serial Number for more information.
  9. Install the FTD application (version 6.7 or later) on the device.
    The low-touch provisioning is initiated on the device and it registers itself in the Cisco Cloud.
    CDO onboards the device.

Onboard an FTD device Already Managed by Another Cloud Tenancy in a Different Region

The device may have been previously managed by another CDO instance in a different region and is registered to its cloud tenancy.

Case 1: You have access to the tenant that owns the device.

  1. Delete the device instance from the CDO in region 1. 
  2. In FDM, go to System Settings > Cloud Services page. 
    A warning message appears indicating that the device has been removed from CDO. 
  3. Click the Cloud Services link and select Unregister Cloud Services from the gear (Settings) drop-down list.
  4. Read the warning and click Unregister.
  5. Claim the device from CDO in region 2.
  6. In FDM, go to System Settings > Cloud Services and select the Auto-enroll with Tenancy from Cisco Defense Orchestrator option and click Register.
    The device maps to the new tenant that belongs to the new region and CDO onboards the device.

Case 2: You don't have access to the tenant that owns the device.

  1. Connect to the FXOS CLI from the console port.
  2. Log in to FXOS using your current admin password. 
  3. In the FXOS CLI, connect to local-mgmt:
    firepower # connect local-mgmt
  4. Execute the command to deregister the device from the cloud tenancy.
    firepower(local-mgmt) # cloud deregister
  5. On successful deregistration, the CLI interface returns a success message.

Example:
firepower(local-mgmt) # cloud deregister
Release Image Detected
RESULT=success
MESSAGE=SUCCESS 10, X-Flow-Id: 2b3c9e8b-76c3-4764-91e4-cfd9828e73f9

The device is unregistered from the cloud. 

  6. Claim the device from CDO in region 2.
  7. In FDM, go to System Settings > Cloud Services and select the Auto-enroll with Tenancy from Cisco Defense Orchestrator option and click Register.
    The device maps to the new tenant that belongs to the new region and CDO onboards the device.
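Both deregistration procedures above (the external-vendor case and Case 2) end with the same two-line status output from cloud deregister, and the guide shows two shapes of it: MESSAGE=SUCCESS, and MESSAGE=DEVICE_NOT_FOUND when the serial number was already unregistered. The parser below is an added example, not Cisco code, for anyone capturing console output from a reimage or deregistration run: it joins the wrapped X-Flow-Id continuation line back onto MESSAGE, pulls out the flow ID (what support will ask for) and the serial number, and reports anything it does not recognise as unknown rather than guessing. The two sample outputs are the ones printed in this guide.

```python
"""Classify the console output of the FXOS 'cloud deregister' command.

Added example, not Cisco's code. It understands the two output shapes shown
in this guide (RESULT=success with MESSAGE=SUCCESS ..., and RESULT=success
with MESSAGE=DEVICE_NOT_FOUND ... for an already-unregistered device) and
reports anything else so an automation run stops instead of assuming success.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample outputs copied from this guide (the second has X-Flow-Id wrapped onto its own line).
SAMPLE_SUCCESS = """firepower(local-mgmt) # cloud deregister
Release Image Detected
RESULT=success
MESSAGE=SUCCESS 10, X-Flow-Id: 2b3c9e8b-76c3-4764-91e4-cfd9828e73f9
"""

SAMPLE_NOT_FOUND = """RESULT=success
MESSAGE=DEVICE_NOT_FOUND: Device with serial number JAD213082x9 is not registered with SSE,
X-Flow-Id: 63e48b4c-8426-48fb-9bd0-25fcd7777b99
"""


@dataclass
class DeregisterResult:
    status: str             # "deregistered", "already_unregistered", "failed" or "unknown"
    result: Optional[str]   # raw RESULT= value
    message: str            # MESSAGE= text with any continuation line joined back on
    flow_id: Optional[str]  # X-Flow-Id, the value to quote when opening a support case
    serial: Optional[str]   # serial number named in a DEVICE_NOT_FOUND message


_KEY_VALUE = re.compile(r"^([A-Z]+)=(.*)$")
_FLOW_ID = re.compile(r"X-Flow-Id:\s*([0-9a-fA-F-]+)")
_SERIAL = re.compile(r"serial number\s+(\S+?)\s+is not registered")


def parse_cloud_deregister(output: str) -> DeregisterResult:
    """Parse captured console text; tolerates the echoed prompt and a wrapped MESSAGE line."""
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("firepower"):
            continue  # blank line or the echoed CLI prompt
        m = _KEY_VALUE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2).strip()
        elif last_key == "MESSAGE":
            # The console wraps "X-Flow-Id: ..." onto a new line; rejoin it to MESSAGE.
            fields["MESSAGE"] = fields["MESSAGE"].rstrip(",") + ", " + line
        # Informational lines such as "Release Image Detected" are ignored.

    result = fields.get("RESULT")
    message = fields.get("MESSAGE", "")
    if result == "success" and message.startswith("SUCCESS"):
        status = "deregistered"
    elif result == "success" and message.startswith("DEVICE_NOT_FOUND"):
        status = "already_unregistered"   # safe to proceed with claiming the device
    elif result is None:
        status = "unknown"                # output not recognised: inspect it by hand
    else:
        status = "failed"
    flow = _FLOW_ID.search(message)
    serial = _SERIAL.search(message)
    return DeregisterResult(status, result, message,
                            flow.group(1) if flow else None,
                            serial.group(1) if serial else None)


if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_NOT_FOUND):
        print(parse_cloud_deregister(sample))
```

Treat already_unregistered the same as deregistered for the purpose of continuing with the claim; only a failed or unknown status should stop a scripted run.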

Device is Offline

[Figure: "Device is Offline" error]

Cause

The device is unable to reach the Cisco Cloud due to one of the following reasons: 

  • The device is cabled incorrectly.
  • Your network may require a static IP address for the device.
  • Your network uses custom DNS, or there is external DNS blocking on the customer network.
  • PPPoE authentication is needed (common in the Europe region).
  • The FTD is behind a proxy.

Resolution

  1. Sign in to the device and go through the bootstrap CLI process or the FDM Easy setup process to configure the device first so it can reach the Internet.
  2. Check the cabling and network connectivity. 
  3. Ensure that your firewall is not blocking any traffic. 
  4. Ensure that the SSE domains are reachable. See Configuration Prerequisites for Hardware Installation for more information.
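The causes listed above (DNS blocking or custom DNS, a firewall dropping outbound traffic, and a proxy in the path) each leave a distinct fingerprint, and they can be checked from a laptop on the same management network before the FTD is claimed. The script below is an added example, not Cisco tooling; SSE_HOSTS is a placeholder list because this page does not name the SSE domains, so substitute the domains from Configuration Prerequisites for Hardware Installation for your region. It separates a DNS failure (unresolved) from a blocked TCP connection (tcp_blocked) and from a TLS handshake that fails, which is what an intercepting proxy presenting its own certificate looks like (tls_failed), and it reports proxy environment variables so a proxy in the path is not overlooked.

```python
"""Pre-check the network path an FTD needs to reach the Cisco Cloud (SSE).

Added example, not Cisco's tooling. Run from a host on the same management
network as the FTD. SSE_HOSTS below is a placeholder: replace it with the SSE
domains listed in the configuration prerequisites for your region.
"""
import os
import socket
import ssl
from typing import Dict, List

# PLACEHOLDER hostnames (the ".invalid" TLD never resolves); substitute the real SSE domains.
SSE_HOSTS = ["sse-placeholder.invalid"]


def resolve(host: str) -> List[str]:
    """Return the addresses host resolves to, or [] when DNS fails (custom or blocked DNS)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_tls_reachable(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify the path to host:port as 'ok', 'unresolved', 'tcp_blocked' or 'tls_failed'."""
    if not resolve(host):
        return "unresolved"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    return "ok"
            except ssl.SSLError:
                # TCP connected but the certificate/handshake is wrong: typical of an
                # intercepting proxy that presents its own certificate.
                return "tls_failed"
    except OSError:
        # Connection refused or timed out: a firewall or missing route in the path.
        return "tcp_blocked"


def proxy_in_path() -> Dict[str, str]:
    """Return any proxy variables set on this host; an FTD behind a proxy needs it configured."""
    keys = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")
    return {k: os.environ[k] for k in keys if k in os.environ}


def precheck(hosts: List[str] = SSE_HOSTS) -> Dict[str, str]:
    """Run the reachability check for every host and return {host: status}."""
    return {h: tcp_tls_reachable(h) for h in hosts}


if __name__ == "__main__":
    for host, status in precheck().items():
        print(f"{host}: {status}")
    proxies = proxy_in_path()
    if proxies:
        print("proxy variables set on this host:", proxies)
```

A status of unresolved points at the DNS causes above, tcp_blocked at cabling, addressing or firewall rules, and tls_failed at a proxy; all hosts reporting ok from the laptop but the device still showing offline narrows the problem to the device's own bootstrap configuration (static IP, PPPoE).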

Failed to Claim the Device

Cause

This error may occur due to one of the following reasons:

  • SSE may have temporary issues.
  • The server may be down.

Resolution

  1. Delete the FTD device instance in CDO.
  2. Create a new FTD device instance and claim the device again after some time. 

Note: If you are not able to claim the device, go to the workflows to see the error message and send the details to the CDO support team.