This section deals with connection problems that might occur when connecting an external management computer to cOS Stream. It is assumed that the 300 Series system has been successfully powered up and that the initial management connection is being attempted over a network to a physical Ethernet interface.
If the management Ethernet interface does not respond after the 300 Series has powered up and cOS Stream has started, the following steps can be used to help troubleshoot connection problems:
1. Check that the correct Ethernet interface is being used.
The most obvious problem is that the wrong Ethernet interface has been used for the initial connection. Only the first interface found by cOS Stream will allow the initial management connection after cOS Stream starts for the first time.
2. Check that interface characteristics match.
If a firewall's Ethernet interface characteristics are configured manually then the interface on an external computer or switch to which it is connected should be configured with the same characteristics. For example, link speed settings should match. This problem will not occur if the interfaces are set for automatic configuration on both sides.
3. Check that the management computer IP/Network is configured correctly.
Check that the IP address and network of the management computer Ethernet interface are configured correctly so that it can communicate with the management interface of the firewall.
4. Is the management interface properly connected?
Where relevant, check the link LED lights on the connected Ethernet interface. This can identify a cable problem.
5. Using the ifstat CLI command.
To investigate a connection problem further, connect a computer running console emulation software directly to the local console port on the firewall. Once cOS Stream has started, it should respond with the standard CLI prompt when the enter key is pressed. Now enter the following command once for each interface:
Device:/> ifstat <if-name>
Where <if-name> is the name of the management interface. This will display a number of counters for that interface. The ifstat command on its own can list the names of all the interfaces.
If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the firewall in the first place. This can be confirmed with a packet sniffer, if one is available.
If the Input counters are increasing, the management interface may not be attached to the correct physical network. There may also be a problem with the routing information in any connected hosts or routers.
6. Using the arpsnoop CLI command.
A diagnostic test to try with IPv4 connections is using the console command:
Device:/> arpsnoop all
This will display console messages that show all the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity on only a particular interface, follow the command with the interface name:
Device:/> arpsnoop <interface>
To switch snooping off, use the command:
Device:/> arpsnoop none
7. Check the management access rules for a network connection.
When connecting to the default management interface over a network connection, check that the management access rules are correctly configured to allow access through the interface and from the desired source IP range. These rules can be displayed with the CLI command:
Device:/> show RemoteManagement
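The addressing checks in steps 3 and 7 can be done offline on the management computer. The following Python sketch is an added example and is not part of the vendor documentation; the function name and all addresses are constructed, and the allowed source range is assumed to have been read manually from the show RemoteManagement output.

```python
import ipaddress

def check_mgmt_reachability(host_if, fw_if, allowed_sources):
    """Return a list of addressing problems (empty list means none found).

    host_if, fw_if: 'address/prefix' strings for the management computer
    and the firewall management interface (hypothetical inputs).
    allowed_sources: networks or single addresses that the management
    access rules permit as the source of the connection.
    """
    host = ipaddress.ip_interface(host_if)
    fw = ipaddress.ip_interface(fw_if)
    if host.version != fw.version:
        return ["IP versions differ"]

    problems = []
    if host.ip == fw.ip:
        problems.append("address conflict: host uses the firewall's IP")
    if host.network != fw.network:
        # Catches a different subnet as well as a mismatched prefix length.
        problems.append(
            f"network mismatch: host {host.network}, firewall {fw.network}")
    elif (host.version == 4 and host.network.prefixlen < 31 and host.ip in
          (host.network.network_address, host.network.broadcast_address)):
        problems.append("host uses the network or broadcast address")

    # strict=False lets a single address such as 192.0.2.10 act as a /32.
    allowed = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    if not any(a.version == host.version and host.ip in a for a in allowed):
        problems.append("host IP outside the allowed management source range")
    return problems

if __name__ == "__main__":
    # Constructed sample values from the documentation address ranges.
    firewall = "192.0.2.1/24"
    rules = ["192.0.2.0/24"]
    for pc in ("192.0.2.30/24", "192.0.2.30/25", "198.51.100.30/24"):
        found = check_mgmt_reachability(pc, firewall, rules)
        print(pc, "->", found or "no addressing problem found")
```

An empty result only rules out addressing as the cause; cabling and interface selection still need the earlier steps.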