topic ASA: 9.4(1) in Network Security

SFR module stopped passing traffic

hoffa2000 — Tue, 12 Mar 2019 12:45:55 GMT

I've had a serious problem over the past few days. One of my Firepower modules in a active/standby inline fail-open set of ASA5525-Xs stopped passing traffic on two occasions, immediate solution was to fail over to the standby 5525 but failing back to the primary 5525 stopped traffic once more.

I'm certain it's the Firepower module that's causing the problem. I've got a selective ACL sending some internal subnets to the module, skipping others and an ANY ANY at the end. Those subnets skipped by the ACL are reachable, the one sent to the module are not.

During the outage my Defence Center doesn't show anything out of the ordinary. I'm running 5.4.0.3-37 on the modules and 5.4.1.2 on the DC.

First question would be if anyone has heard of this before? And second if there is some way for me to trouble shoot this further?

Regards

/Fredrik

What version of ASA code are

Justin Walker — Sat, 19 Sep 2015 14:19:05 GMT

What version of ASA code are you currently running?

I have had this happen with the file policy configured with the "Inspect Archives" option checked. https://tools.cisco.com/bugsearch/bug/CSCut39253/?reffering_site=dumpcr

I have also had this happen with an ASA configured with the in the monitor-only mode: https://tools.cisco.com/quickview/bug/CSCus15229

I've had pretty good luck with ASA code 9.4.1 and the most recent updates of both the FirePOWER Sensor code and FireSIGHT management code.

Hi Justin.Very interesting

hoffa2000 — Wed, 07 Oct 2015 05:37:34 GMT

Hi Justin.

Very interesting reading. A verified bug matching a problem is always promising. Since reading this I've promptly disabled the "Inspect Archive" option. I'm running ASA version 9.3(3) by the way.

Update: Since disabling the Inspect Archive feature I haven't had any more lock ups. There is also a 5.4.0.4 release for the SFR modules that promises to fixhe bug but I haven't updated yet.

/Fredrik

Hi Fredik, Have you got NFE

wigevicisco — Mon, 19 Oct 2015 20:39:24 GMT

Hi Fredik,

Have you got NFE port Down in the alarms? it happens to me and a reboot helped me over it. I had been through a troubleshooting proccess with a TAC Ing and found out major problems with our hardware itself.

Hope it helps,

Wilson

HiI can't say I recognize

hoffa2000 — Tue, 20 Oct 2015 07:41:13 GMT

I can't say I recognize that message. My logs at the time the problems occurred were pretty silent

/Fredrik

I have had this problem twice

CRadoumis — Fri, 13 Nov 2015 09:10:32 GMT

I have had this problem twice now on two different ASAs without as inspection policy, and in inline fail-open mode. A reboot did solve the problem but I haven't found the reason for the failure, nor a non disruptive solution.

Hi all.

Danilo Molini — Fri, 13 Nov 2015 09:28:05 GMT

Hi all.

I've also had this problem with archive inspection (bug id CSCut39253) and I solved it upgrading both sfr and firesight management center with latest release (5.4.0.4 for sfr and 5.4.1.3 for firesight management center). Upgrading only sfr to latest release didn't solve the problem for me.

After this upgrade, I enabled archive inspection and no other hang happened on our sistems (6 sfr module)

Danilo

What version of ASA, SFR and

Danilo Molini — Fri, 13 Nov 2015 09:30:57 GMT

What version of ASA, SFR and DC do you use?

ASA: 9.4(1)

CRadoumis — Fri, 13 Nov 2015 19:05:36 GMT

ASA: 9.4(1)

sfr: 5.4.0.2-33

DC: 5.4.1.1