FMC deploy stuck / cannot log in to FMC?

  1. SSH to the FMC, enter expert mode, then sudo su
  2. restart the console process:
    /etc/rc.d/init.d/console restart
  3. list the notifications with status 7 and note the hex UUID of the stuck task:
    OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification;" | grep " 7 "
  4. delete it, using that UUID:
    OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("HEX-NUMBER-FROM-OUTPUT");'
  5. run the query from step 3 again to confirm it is gone:
    OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification;" | grep " 7 "

source1, source2

ACS 5.8 to ISE 3.0 migration: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]

Tried to migrate ACS 5.8 to ISE 3.0 but I was getting the following message: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]".
Since TLS 1.0 is disabled by default I had to enable it in the Java control panel (Oracle Java 1.8) and also edit the file C:\Program Files (x86)\Java\jre1.8.<some_version>\lib\security\java.security, remove TLSv1 from the jdk.tls.disabledAlgorithms option, and finally restart the migration application. This re-enables a protocol that is disabled for good reasons, so do it on the migration workstation only and put the original java.security back once the migration is done.

You can do the same in a Linux environment for OpenJDK by editing /usr/lib/jvm/java-11-openjdk-amd64/conf/security/java.security
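The java.security part of that edit as a script, added here as an example and not taken from the page or from the migration tool: it removes only the bare TLSv1 entry from jdk.tls.disabledAlgorithms (TLSv1.1 and the rest of the list stay), keeps a .bak copy so the change can be reverted after the migration, and prints the effective value so the edit can be verified. The control-panel half of the fix is not covered. The java.security file below is a constructed sample with the multi-line layout a JRE 8 file uses, not a real JRE file.

```shell
#!/bin/sh
# Added example (not from the page): script the java.security edit on the migration
# workstation, keep a backup, and verify the result.

# Print the effective value of a java.security property, joining lines that are
# continued with a trailing backslash (the disabledAlgorithms lists span several).
java_security_get() {
    # $1: property name, $2: java.security path
    awk -v key="$1" '
        index($0, key "=") == 1 { inprop = 1; sub(/^[^=]*=/, "") }
        inprop {
            cont = sub(/\\$/, "")              # 1 if this line continues on the next
            sub(/^[ \t]+/, "")
            printf "%s", $0
            if (!cont) { print ""; inprop = 0 }
        }' "$2"
}

# Remove "TLSv1, " (not "TLSv1.1, ") from jdk.tls.disabledAlgorithms in place;
# the original is kept as FILE.bak for restoring once the migration is done.
java_security_enable_tlsv1() {
    # $1: java.security path
    cp -p "$1" "$1.bak" || return 1
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1 }
        inprop {
            sub(/TLSv1, */, "")                # "TLSv1," matches, "TLSv1.1," does not
            if ($0 !~ /\\$/) inprop = 0         # last physical line of the property
        }
        { print }' "$1.bak" > "$1"
}

# Constructed sample (not a real JRE file) with the relevant lines and their layout.
make_sample_java_security() {
    # $1: output path
    cat > "$1" <<'EOF'
# constructed sample of the relevant lines
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024
EOF
}

# Usage on a real JRE: java_security_enable_tlsv1 /path/to/jre/lib/security/java.security
# Revert when finished:  mv java.security.bak java.security
f=$(mktemp)
make_sample_java_security "$f"
java_security_enable_tlsv1 "$f"
java_security_get jdk.tls.disabledAlgorithms "$f"
rm -f "$f" "$f.bak"
```

Run java_security_get before and after the edit; the only difference should be the missing "TLSv1, " token, and the .bak file is what you copy back when the migration tool is no longer needed.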

Thanks to stackoverflow

Use Talos IP Blacklist on your ASA

Create a bash script:

    #!/bin/bash
    # -O keeps the file name stable on re-runs: plain "wget -q" would save a second
    # download as ip-blacklist.1 and the script would keep reading the stale list
    wget -q -O ip-blacklist https://talosintelligence.com/documents/ip-blacklist || exit 1
    ipblack=( $(cut -d ';' -f2 ip-blacklist ) )
    echo "conf t"
    # one ASA name per address, so the host entries are labelled in the config
    for ip in "${ipblack[@]}"
        do
        echo "name $ip TALOS_BLACKLIST_$ip"
    done

    # rebuild the group from scratch so addresses that left the list are dropped too
    echo "no object-group network TALOS_BLACKLIST"
    echo "object-group network TALOS_BLACKLIST"
    for ip in "${ipblack[@]}"
        do
        echo "network-object host $ip"
    done
    echo "!"
    echo "exit"

Run it, review the output, then paste it into your ASA. If the group is already referenced by an access-list, check that your ASA accepts the no object-group line; it may refuse to delete a group that is in use, in which case update the host entries inside the existing group instead:

        ./talos-ipblacklist.sh > talos-blacklist.cfg
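The same generation with input validation, added here as an example (it is not the page's script): the feed is fetched over plain HTTPS and pasted straight into a firewall, so every line is checked to be a syntactically valid IPv4 address before it becomes a network-object, and nothing is emitted at all when no address survives, so a failed download (an HTML error page, a truncated file) cannot wipe the group. It assumes the feed is one address per line; the list below is a constructed sample, not real feed data, and the group name is a parameter.

```shell
#!/bin/sh
# Added example, not the page's script: ASA object-group generation with the downloaded
# list validated before any of it is turned into configuration.

# Pass through only syntactically valid IPv4 addresses (four octets, each 0-255),
# tolerating trailing whitespace or CR; everything else is dropped.
valid_ipv4_only() {
    awk -F. '{ sub(/[ \t\r]+$/, "") }
        NF == 4 {
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) next
            print
        }'
}

# stdin: the list, one address per line (assumed feed format; "#" comments ignored).
# stdout: ASA configuration. Prints nothing and returns 1 if no valid address survived.
talos_to_asa() {
    group=${1:-TALOS_BLACKLIST}
    ips=$(grep -v '^#' | valid_ipv4_only | sort -u)
    if [ -z "$ips" ]; then
        echo "no valid IPv4 addresses in input, refusing to generate config" >&2
        return 1
    fi
    echo "conf t"
    for ip in $ips; do echo "name $ip ${group}_$ip"; done
    echo "no object-group network $group"
    echo "object-group network $group"
    for ip in $ips; do echo "network-object host $ip"; done
    echo "!"
    echo "exit"
}

# Constructed sample standing in for the download: valid entries, a duplicate, a comment,
# an HTML fragment such as a failed download would produce, and an out-of-range octet.
sample_list() {
    cat <<'EOF'
# constructed sample, not real feed data
198.51.100.7
203.0.113.250
<html><body>503 Service Unavailable</body></html>
256.1.1.1
198.51.100.7
EOF
}

# Usage with the real feed:
#   wget -qO - https://talosintelligence.com/documents/ip-blacklist | talos_to_asa > talos-blacklist.cfg
sample_list | talos_to_asa
```

The non-zero return on empty input is what makes this safe to run from cron: a pipeline that produced an empty .cfg would otherwise leave you pasting a config that only deletes the group.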

Source

SSH not working after upgrade

I upgraded Ubuntu to focal 20.04 and SSH was unable to negotiate with the network devices I tried to SSH to.
The solution was found here, or simply edit /etc/ssh/ssh_config and add the following lines at the end of the file. Placed there they apply to every SSH connection from the machine, and each list replaces OpenSSH's defaults instead of extending them (HostKeyAlgorithms ssh-rsa,ssh-dss alone, for example, refuses a server that only offers an ed25519 host key); putting them in a Host block for the old devices, or prefixing the lists with + so they are appended to the defaults, limits the blast radius:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-rsa,ssh-dss
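A way to keep the weak algorithms scoped to the devices that need them, added here as an example and not part of the original post: the "Unable to negotiate ... Their offer: ..." line that ssh prints names exactly which algorithm family failed and what the device supports, so it can be turned into one option with the + prefix (append to the defaults rather than replace them) inside a Host stanza. The error lines and the 192.0.2.10 / sw-* host pattern are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page: derive a host-scoped ssh_config stanza from the
# negotiation error instead of lowering the defaults globally in /etc/ssh/ssh_config.

# Map ssh's negotiation error to the ssh_config option it concerns and print
# "<Option> +<their offer>"; the "+" appends to OpenSSH's defaults instead of
# replacing them. Prints nothing and returns 1 for any other error line.
ssh_option_for_offer() {
    case "$1" in
        *"no matching key exchange method found"*) opt=KexAlgorithms ;;
        *"no matching cipher found"*)              opt=Ciphers ;;
        *"no matching MAC found"*)                 opt=MACs ;;
        *"no matching host key type found"*)       opt=HostKeyAlgorithms ;;
        *) return 1 ;;
    esac
    offer=${1##*Their offer: }
    printf '%s +%s\n' "$opt" "$offer"
}

# Print a Host stanza for the given pattern(s) with the given option lines.
# It must go ABOVE any global settings: ssh uses the first value it finds per option.
legacy_host_stanza() {
    pattern=$1; shift
    printf 'Host %s\n' "$pattern"
    for line in "$@"; do printf '    %s\n' "$line"; done
}

# Constructed error lines of the kind ssh prints for an old network device
# (hypothetical address, not from the page).
kex_err='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'
hk_err='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

# Usage: append the stanza to ~/.ssh/config (before any global lines), then confirm with
#   ssh -G 192.0.2.10 | grep -i -e kexalgorithms -e hostkeyalgorithms
legacy_host_stanza '192.0.2.10 sw-*' \
    "$(ssh_option_for_offer "$kex_err")" \
    "$(ssh_option_for_offer "$hk_err")"
```

Repeat the ssh attempt after each added line; a device that needs a legacy cipher or MAC as well will report the next failing family in the same format, and ssh -G shows the effective option values for a host without connecting.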

Reimage/downgrade Firepower FTD 1100/2100

I had some problems while downgrading, and the documentation is not really clear about it, so here are my steps.

  1. from FXOS, format the system (this wipes all configuration and every bootable image)
    firepower-2110# connect local-mgmt
    firepower-2110(local-mgmt)# format everything
    All configuration and bootable images will be lost.
    Do you still want to format? (yes/no):yes
  2. enter ROMMON and boot the image via TFTP (the file name below is an ASA package; for an FTD install use the cisco-ftd-fp2k package instead)
    rommon 1 > address 10.86.118.4
    rommon 2 > netmask 255.255.252.0
    rommon 3 > server 10.86.118.21
    rommon 4 > gateway 10.86.118.1
    rommon 5 > file cisco-asa-fp2k.9.8.2.SPA
    rommon 6 > set
    rommon 7 > sync
    rommon 8 > tftp -b
  3. everything is erased, so you have to reconfigure your management interface (same address, mask and gateway as in ROMMON)
    firepower-2110# scope fabric-interconnect a
    firepower /fabric-interconnect* # set out-of-band static ip 10.86.118.4 netmask 255.255.252.0 gw 10.86.118.1
    firepower /fabric-interconnect* # commit-buffer
  4. download the image (I could not get USB to mount, so I used FTP)
    firepower # scope firmware
    firepower /firmware # download image ftp://user@10.86.118.21/cisco-asa-fp2k.9.8.2.SPA
    check the status:
    firepower /firmware # show download-task
  5. install the image
    look up the version you want to install:
    firepower /firmware # show package
    firepower /firmware # scope auto-install
    firepower /firmware/auto-install # install security-pack version <version from show package>
    check the status (wait for "Update Software Pack Completed"):
    firepower /firmware # show
  6. configure FTD / initial configuration
    firepower /firmware # connect ftd