You have the FMC installed and connected to an FTD device with the configuration deployed, but for whatever reason there is a problem and you need to get onto the CLI of the Firepower device to troubleshoot it. Although you can't configure anything there, you can run show and debug commands to troubleshoot via the CLI.
To do that we have to enter the Diagnostic CLI, and we can do this in two ways:
- Once logged in at the default Firepower prompt, type the system support diagnostic-cli command.
    > system support diagnostic-cli
    Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
    Type help or '?' for a list of available commands.
    firepower#
- The other way is to go into expert mode and then run the sudo lina_cli command.
    host-172-16-1-187 login: admin
    Password:
    Last login: Sun Jul 23 17:30:34 UTC 2017 on ttyS0
    > expert
    admin@host-172-16-1-187:~$ sudo lina_cli
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    Password:
    Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
    Type help or '?' for a list of available commands.
    firepower> en
    Password: ********
    Invalid password
    Password:
    firepower#
If we look at the show version output, we can see that in this example the device is running ASA code with FXOS running alongside it.
    firepower# show version
    ---------------[ host-172-16-1-187 ]----------------
    Model : Cisco Firepower Threat Defense for KVM (75) Version 126.96.36.199 (Build 51)
    UUID : 3b5ca718-6fc3-11e7-a879-c553f010958b
    Rules update version : 2017-06-07-001-vrt
    VDB version : 281
    ----------------------------------------------------
    Cisco Adaptive Security Appliance Software Version 9.7(1)10
    Firepower Extensible Operating System Version 2.1(1.66)
    Compiled on Wed 10-May-17 09:41 PDT by builders
    System image file is "(hd0,0)/asa971-4-smp-k8.bin"
    Config file at boot was "startup-config"
    firepower up 37 mins 39 secs
    Hardware: ASAv, 8192 MB RAM, CPU Pentium II 3600 MHz, 1 CPU (4 cores)
    Model Id: ASAv30
    BIOS Flash Firmware Hub @ 0x0, 0KB
     0: Int: Internal-Data0/0 : address is fa16.3ee6.43df, irq 11
     1: Ext: GigabitEthernet0/0 : address is fa16.3ebf.f299, irq 10
     2: Ext: GigabitEthernet0/1 : address is fa16.3e8b.53bc, irq 10
     3: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
     4: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 0
     5: Ext: Management0/0 : address is fa16.3ee6.43df, irq 0
     6: Int: Internal-Data0/1 : address is 0000.0000.0000, irq 0
    Serial Number: 9AXESJTCR3F
    Image type : Release
    Key version : A
    Configuration last modified by enable_1 at 18:24:33.151 UTC Sun Jul 23 2017
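The show version output above carries three separate software versions (FTD, the underlying ASA code and FXOS), which is what you need when checking a device against an advisory or an inventory. The parser below is an added example, not part of the original post; the function and field names (parse_show_version, FIELDS, ftd_version and so on) are hypothetical, and the sample text is trimmed from the output shown above.

```python
import re

# Sample input: trimmed from the `show version` output shown on this page.
SAMPLE = """\
firepower# show version
---------------[ host-172-16-1-187 ]----------------
Model : Cisco Firepower Threat Defense for KVM (75) Version 126.96.36.199 (Build 51)
UUID : 3b5ca718-6fc3-11e7-a879-c553f010958b
Rules update version : 2017-06-07-001-vrt
VDB version : 281
----------------------------------------------------
Cisco Adaptive Security Appliance Software Version 9.7(1)10
Firepower Extensible Operating System Version 2.1(1.66)
 0: Int: Internal-Data0/0 : address is fa16.3ee6.43df, irq 11
 1: Ext: GigabitEthernet0/0 : address is fa16.3ebf.f299, irq 10
 5: Ext: Management0/0 : address is fa16.3ee6.43df, irq 0
Serial Number: 9AXESJTCR3F
"""

# One pattern per field (hypothetical field names); each has one capture group.
FIELDS = {
    "hostname": r"-+\[\s*(\S+)\s*\]-+",
    "ftd_version": r"^Model\s*:.*?Version\s+(\S+)",
    "ftd_build": r"^Model\s*:.*\(Build\s+(\d+)\)",
    "rules_update": r"^Rules update version\s*:\s*(\S+)",
    "vdb": r"^VDB version\s*:\s*(\d+)",
    "asa_version": r"^Cisco Adaptive Security Appliance Software Version\s+(\S+)",
    "fxos_version": r"^Firepower Extensible Operating System Version\s+(\S+)",
    "serial": r"^Serial Number:\s*(\S+)",
}
IFACE = re.compile(r"^\s*\d+:\s+(Int|Ext):\s+(\S+)\s*:\s*address is ([0-9a-f.]+)", re.M)


def parse_show_version(text):
    """Return a dict of version fields plus the external (Ext) interfaces."""
    record = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        record[name] = m.group(1) if m else None  # None = field absent, never guessed
    record["external_ifaces"] = [
        (ifname, mac) for kind, ifname, mac in IFACE.findall(text) if kind == "Ext"
    ]
    return record


if __name__ == "__main__":
    for key, value in parse_show_version(SAMPLE).items():
        print(f"{key:16} {value}")
```

A field that comes back as None means the line was missing from the capture, which is worth treating as a collection failure rather than silently skipping the device.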
If you have worked in the Cisco ASA world before, you might find the CLI refreshingly familiar, because all of your debugs, show outputs and the packet tracer troubleshooting tool are there. You might be asking: it's good to see the configuration, but how do I configure something that may not be in the FMC? For that we can use something called FlexConfig, which is available from FMC 6.2.0 onward.