topic Hi, in Network Security

Firepower module in 5512-X denying all traffic (failing closed) after 6.0 upgrade

mythosmc1 — Tue, 12 Mar 2019 12:49:40 GMT

Are there any known reasons as to why a firepower module would lock up fail-closed ?

I've seen this happen to both a 5512-X and a 5525-X, the firepower module becomes locked up and the only way to allow traffic is to switch the service policy off in the ASA.

Hi,

Aastha Bhardwaj — Thu, 26 Nov 2015 02:58:25 GMT

Hi,

These are the three modes on which you can set the ASA:

The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode for more information.

If the firepower module goes down then yes the traffic will be dropped.But when you say locked up what do you exactly mean ?

Check the status of the module by the command : show module sfr detail

Also let me know the version of ASA and SFR .

Regards,

Aastha Bhardwaj

Rate if that helps!!!

This was happening on both 5

mythosmc1 — Thu, 26 Nov 2015 03:53:04 GMT

This was happening on both 5.4.1.1-33 as well as version 6

I am having trouble understanding what you mean with monitor-only mode; Are you recommending me to use that?

I am not entirely sure if the module is locked up, but some event happens and firepower begins to block all outgoing traffic until the service policy is disabled

I have since rebooted the module, so this output is probably useless:

Result of the command: "show module sfr detail"

Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5512
Hardware version: N/A
Serial Number: FCH1902JC39
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: b0aa.7796.5920 to b0aa.7796.5920
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 172.16.x.zzz
Mgmt IP addr: 172.16.x.xxx
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 172.16.x.yyy
Mgmt web ports: 443
Mgmt TLS enabled: true

Hi,

Aastha Bhardwaj — Thu, 26 Nov 2015 05:12:55 GMT

Hi,

I would recommend you using fail-open mode so that if the module goes down the traffic still continues to pass. Also check the status of the module when the issue happens before disabling the service-policy.

Also if the status of the module is up , you can check the connection events and see if the trafic is being blocked. Are there of any signs of oversubscription on the module as in do you have a lot of traffic passing through the SFR module.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

After some browsing on here I

mythosmc1 — Thu, 26 Nov 2015 16:37:17 GMT

After some browsing on here I am hoping it has something to do with this bug,

https://tools.cisco.com/bugsearch/bug/CSCut39253/?reffering_site=dumpcr

I have 3 clients with firepower, only one of them is without this issue.. and I beleive the one that doesn't have any issues isnt using AMP/file protection features

This seems like a pretty serious 'bug' is there anywhere I can sign up for bulletins for these types of issues?

Hi,

Aastha Bhardwaj — Tue, 01 Dec 2015 01:29:56 GMT

Hi,

Yes , if on the bug you click on save bug you will get subscribed to it and you will get an option to get notifications based on it on weekly or monthly basis.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

I have this problem too. I

Jarrad Thomas — Fri, 08 Apr 2016 06:30:34 GMT

I have this problem too. I have the service-policy set to fail-open, though it isn't working as expected. The SFR module still states it is up / up and normal operation, however no traffic is passed when inline.

A reboot of the module fixes it temporarily. Or setting the service policy to monitor-only (this resumes traffic flow through the ASA but the firepower module doesn't log any of the traffic)

I can't find any syslogs at the time of the failure. Are there some debugs I can run? It generally lasts between a day and a week before failing again.