topic A quick fix is to create a in Network Security

ASA+FirePower Bundle - policies not getting applied - Interface 'DataPlaneInterface0' is not receiving any packets.

Eby Mani — Tue, 12 Mar 2019 12:36:33 GMT

I'm evaluating ASA5500-X with FirePower bundle with Eval licenses.

I'm facing 2 issues with FSMC,

1, FSMC show 2 critical health errors for SFR & Sourcefire3D related to time synchronisation. - Module Time Sync is out.

2, Nothing is displayed in "Connection Status" and policies are not getting applied. However the top Applications & Operating Systems are displayed in Dashboard !!!!.

on ASA i've tried with the following and monitor-only modes.

policy-map global_policy
 class class-default
  sfr fail-open

on FSMC, Zones are configured. And called in Access Control Policy.

FSMC Health Monitor says:

SFR
Module Time Synchronization: "device" is out-of-sync.
Module Traffic status: Interface 'DataPlaneInterface0' is not receiving any packets.

Strange thing is on the ASA,

internal-Control0/0, Internal-Data0/0, Internal-Data0/1, Internal-Data0/2 interfaces and line protocols are up and sending/receiving packets with no errors or drops !!!.

Does the inside zone need to be on interface other than g0/0 or the interface names(ASA & FSMC) should match ?.

Thanks.

Did you ever find a solution

BEHowardGRDA — Wed, 11 Feb 2015 22:14:08 GMT

Did you ever find a solution to this issue?

Problem was with the FSMC

Eby Mani — Wed, 25 Feb 2015 05:31:47 GMT

Problem was with the FSMC license !!!.

Two Items:1.) Control

TechDude — Wed, 11 Mar 2015 12:31:15 GMT

Two Items:

1.) Control Licenses: These are provided by CGL (Cisco Global Licensing)

2.) Global Policy setting that says Any Traffic, and enable Sourcefire under the service Policy

Could you specify the exact

CopperBlue68 — Tue, 17 Mar 2015 10:11:18 GMT

Could you specify the exact config lines you used in the Global Policy please? Is the name of the class important?

Presumably there's no difference whether the ASA is running in Transparent mode or not?

Thanks.

I have a similiar problem too

jai_chandra2001 — Mon, 27 Apr 2015 21:29:13 GMT

I have a similiar problem too..in Active/Standby deployment, the secondary ASA's SFR module is throwing the same error.

"Interface 'DataPlaneInterface0' is not receiving any packets"

I have all licenses installed and it was working until a week ago(upgrade to 5.4 recently)

Folks,I too observed same

balamuruganmanavalan — Mon, 11 May 2015 14:24:05 GMT

Folks,

I too observed same error messages in Fire SIGHT health status and found that the policy map configuration not applied in service policy globally.

Post that it starts working.

"Interface 'DataPlaneInterface0' is not receiving any packets" - Means that the traffic which hits ASA is not redirected to security module for inspection.

Keep post your queries.

In ASA HA deployment A/S,

Pavel Trinos — Wed, 20 May 2015 20:04:58 GMT

In ASA HA deployment A/S, standby unit does not see traffic by default, that is why you are getting that DPI0 error.

If you have two ASA's in A/S,

deyster94 — Fri, 22 May 2015 13:53:53 GMT

If you have two ASA's in A/S, the standby ASA's FirePower unit will show a health error that it's not receiving any traffic. This is normal as the standby ASA won't receive any traffic.

I had an issue with time sync yesterday at a client. The clock was right on FireSight and both FirePower's, but it showed the time sync error. It took about 10-15 minutes, but it worked itself out. This happened after I upgraded FireSight to 5.4.1.1

I have the same scenario, 2

sistematico — Sat, 05 Sep 2015 18:11:15 GMT

I have the same scenario, 2 ASA 5525-X in HA, how did you guys manage to configure the failover for the FirePower?, is it posible or you just configure the same thing in both including the IP address?

Remember Firepower/Sourcefire

TechDude — Sat, 05 Sep 2015 18:23:08 GMT

Remember Firepower/Sourcefire within the ASA is just like the IPS modules, so theres no real load balancing, its just a policy. Each unit should have its own policy and if you split contexts up same concept, as with any traffic coming in on contexts will be serviced.

Hi,Firepower is installed in

balamuruganmanavalan — Sat, 05 Sep 2015 18:57:04 GMT

Hi,

Firepower is installed in SSD. So it is like Cisco legacy SSM. There is HA concept in between two FirePower. Configure as 2 standalone. Whenever primary fw goes down, traffic will process through secondary. Like wise second FirePower will process the traffic.

It would be nice if there was

deyster94 — Sun, 06 Sep 2015 13:46:36 GMT

It would be nice if there was a way to suppress the health alert for an HA pair for the standby unit. Every time I set one up, I have to tell my client that this alert is a false positive.

If you have an HA Pair then

TechDude — Sun, 06 Sep 2015 14:03:37 GMT

If you have an HA Pair then you should split contexts up somehow so that you take advantage of the pair at all times vs just during a failover.

The other option is to create a policy that looks at the management interface and monitors it, then some form of traffic is still going.

This error annoyed me as well, but I use the 5585-SSP60s so naturally you split contexts up

Hi,

huucuonghumg — Fri, 06 May 2016 10:22:54 GMT

Hi,

I have same problem with firesihgt cannot show any traffic. URL filtering:no and Malware: no.

anyone can tell me!

show service-policy sfr

Global policy:
Service-policy: my-sfr-policy
Class-map: my-sfr-class
SFR: card status Up, mode fail-open
packet input 0, packet output 0, drop 0, reset-drop 0
Class-map: my-sfr-class2
SFR: card status Up, mode fail-open
packet input 0, packet output 0, drop 0, reset-drop 0

Hi ,

Aastha Bhardwaj — Fri, 06 May 2016 13:17:37 GMT

Hi ,

Do you have ASA failover setup because dataplane not receiving any traffic on standby unit is expected .

Also you have 2 class-maps for SFR you might need to remove one and make sure its binded to the global_policy.

Check link : http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi everybne!

huucuonghumg — Wed, 18 May 2016 01:38:50 GMT

Hi everyone!

when I try convert from route mode to firewall transparent mode, I can show traffic but still error witch "show service-policy sfr" command:

show service-policy sfr

Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 0, drop 0, reset-drop

normal packet input 0 or packet output 0 not is zero

Everyone can tell me why and how can solved it?

I should using firewall transparent mode or route mode?

Thankyou very much!

A quick fix is to create a

Collin Clark — Tue, 01 Nov 2016 21:43:44 GMT

A quick fix is to create a second health policy and turn off Interface Status. Then apply this new health policy to only the failover ASA.

HTH