You may experience issues when attempting to onboard an ASA FirePOWER device to CDO. Note that some of these troubleshooting methods require root access to the device.
- Check device connectivity with a ping. Ping the FirePOWER module's management IP address from the ASA directly. If ICMP is blocked from outside, you will not be able to ping the FirePOWER management interface from the Internet; in that case use curl or wget to check whether the management interface is reachable on the configured IP address and port.
- Check ASA and/or ASDM software versions for compatibility. See Hardware and Software Supported by CDO for more information.
If the ASA's management interface uses a public IP address and the ASA FirePOWER module's management interface uses a public IP address, then you can manage the ASA FirePOWER module with Cisco Defense Orchestrator in the cloud.
If the ASA's management interface uses a private IP address and the ASA FirePOWER services module's management interface uses a private IP address, then you must use an on-premises Secure Device Connector to manage the device. See Deploying an On-Prem CDO Secure Device Connector (SDC) for more information.
- Use the ASA logs to identify whether CDO traffic is blocked by the ASA. On the FirePOWER module itself (over SSH), attempts to connect to the HTTPS management interface are logged in /var/log/httpd/httpsd_access_log; if CDO's connection attempts never appear there, the traffic is being dropped before it reaches the module.
- Unsupported configuration. CDO may not be able to onboard the device if the module's configuration does not meet specific requirements. See the ASA prerequisites in Onboard an ASA Device for more information about configuration requirements and certificate support.
- If you experience issues with a model ASA device, see the prerequisites for a model in Onboard a Model ASA Device.
- CDO issues a token-based SSO to authenticate an ASA device during the onboarding process. A token issue may be caused by attempting to onboard the FirePOWER module from a non-admin context when the ASA is in multi-context mode. Invalid tokens are identified as ASDM SSO logins in /var/log/mojo/mojo.log.
- Onboarding or authentication may fail if you onboard an ASA FirePOWER HA pair during a failover, or before the failover has completed and the devices have resumed their roles. CDO may try to generate an SSO token on the active device while simultaneously trying to authenticate with that token on the standby device. Because the standby device does not store the token for the pair, the API call is rejected.
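The three checks above that a practitioner actually runs (is the module's management port reachable and speaking TLS, which SDC placement the addressing calls for, and did CDO's requests ever reach the module's HTTPS log) can be scripted. The following is an added example and not Cisco's or CDO's own code: the TLS probe is the Python equivalent of the curl/wget reachability check; the SDC placement rule treats only RFC 1918 addresses as "private", which is an assumption; and the httpsd_access_log lines are constructed samples in Apache combined format (assumed to match the module's log, with placeholder request paths).

```python
"""Added example (not Cisco/CDO code): reachability, SDC placement, and
httpsd_access_log triage for ASA FirePOWER onboarding problems."""
import ipaddress
import re
import socket
import ssl
from collections import Counter, defaultdict

# Assumed log format: Apache combined, as written by httpd on the module.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: "private" in the CDO placement rule means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tcp_tls_probe(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Return 'tls', 'tcp-only' or 'unreachable' for the module management IP/port.

    Certificate verification is deliberately off: the module usually presents a
    self-signed certificate and the question here is reachability, not trust.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # refused, routed nowhere, or ICMP/ACL drop (timeout)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
        tls.close()
        return "tls"
    except (ssl.SSLError, OSError):
        raw.close()
        return "tcp-only"              # something listens, but it is not the HTTPS service


def sdc_placement(asa_mgmt_ip: str, fp_mgmt_ip: str) -> str:
    """'cloud' when both management addresses are public, otherwise 'on-prem'.

    The mixed public/private case is not covered by the documentation; treating
    it as on-prem is the conservative assumption made here.
    """
    def private(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in RFC1918)
    return "on-prem" if private(asa_mgmt_ip) or private(fp_mgmt_ip) else "cloud"


def triage_httpsd_log(lines, client_ip: str) -> dict:
    """Count HTTP status codes per request path for requests from client_ip.

    An empty result means the SDC/CDO address never reached the module's httpd
    (look at ASA ACLs, NAT and routing); 401/403 entries mean the request arrived
    and was rejected by the module (credentials, SSO token or certificate).
    """
    summary = defaultdict(Counter)
    for line in lines:
        m = APACHE_LINE.match(line)
        if m and m.group("ip") == client_ip:
            summary[m.group("path")][m.group("status")] += 1
    return {path: dict(counts) for path, counts in summary.items()}


# Constructed sample log lines (RFC 5737 addresses, placeholder paths); not real module output.
SAMPLE_HTTPSD = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /api/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "POST /api/auth/sso HTTP/1.1" 401 48 "-" "CDO"
203.0.113.10 - - [12/Mar/2024:10:01:06 +0000] "POST /api/auth/sso HTTP/1.1" 401 48 "-" "CDO"
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print("placement:", sdc_placement("203.0.113.1", "203.0.113.2"))
    print("SDC requests:", triage_httpsd_log(SAMPLE_HTTPSD, "203.0.113.10"))
    print("probe:", tcp_tls_probe("203.0.113.2", 443, timeout=2.0))
```

Run `tcp_tls_probe` from the same network position as the SDC (the cloud SDC's egress or the on-prem SDC host), not from an arbitrary workstation, since the point is to reproduce the path CDO actually uses. For the log triage, pass the SDC's source address as seen by the module, which after NAT may differ from the SDC's own interface address.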