https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4292493#M1078514 <P>After upgrade FP and except many traffic from it, we have no problem.</P> Tue, 16 Feb 2021 15:51:17 GMT Oleg Volkov 2021-02-16T15:51:17Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909627#M939475 <P>Hello!</P><P>I have ASA with FirePOWER (no AMP and URL). And have many (over 10) zones.</P><P>yesterday my SIP server sometimes &nbsp;loss registration and vice also have poor quality.</P><P>I try to PING 8.8.8.8 and get floating delay from 25 to 500! ms.</P><P>i exclude sip server traffic from FirePOWER module and get delay about 23-25 ms.</P><P>I change active ASA (also with FirePOWER) and first time after, delay was be normal, but not long time. How I can understand what traffic make FirePOWER unusable?</P><P>PS:</P><P>I do not have high traffic, but have many connection from outside to my WEB (https) server.</P> Fri, 21 Feb 2020 17:24:50 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909627#M939475 Oleg Volkov 2020-02-21T17:24:50Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909775#M939476 <P>What version are you running? There is a bug with 6.3 that can affect observed icmp latencies.</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo80715/?reffering_site=dumpcr" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo80715</A></P> Sun, 18 Aug 2019 05:23:50 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909775#M939476 Marvin Rhoads 2019-08-18T05:23:50Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909782#M939477 <P>Hi.</P><P>6.3 and now 6.3.13.</P><P>I have delay not only ICMP. SIP and DNS also delayed.</P><P>In bug reference I see workaround - disable hardware ssl acceleration but I do not use decryption.</P><P>What method of diagnostic you can recommended in case like this?</P><P>Thank you!</P> Sun, 18 Aug 2019 07:40:15 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909782#M939477 Oleg Volkov 2019-08-18T07:40:15Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909803#M939478 <P>They turned on "enable by default" behavior in 6.3. That has an unanticipated negative impact - even though you are not using the feature.</P> <P>The BugID only indicates icmp traffic is affected by the bug; but it may be that they didn't get any user reports of SIP and DNS traffic from users and thus haven't noted those are affected.</P> <P>You can do ahead and disable it from the cli (reboot required for it to take effect).</P> <P>And - yes - it is configured from the cli. It's one of the few features that is done that way with FTD.</P> Sun, 18 Aug 2019 10:44:58 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909803#M939478 Marvin Rhoads 2019-08-18T10:44:58Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909812#M939479 <P>Sorry I provide wrong version:</P><P>&nbsp;</P><P>ZES-ASA01/pri/act# sh module sfr</P><P>Mod Card Type Model Serial No.<BR />---- -------------------------------------------- ------------------ -----------<BR />sfr FirePOWER Services Software Module ASA5515 FCH18217YHB</P><P>Mod MAC Address Range Hw Version Fw Version Sw Version<BR />---- --------------------------------- ------------ ------------ ---------------<BR />sfr f40f.1b76.d347 to f40f.1b76.d347 N/A N/A 6.2.3.13-53</P><P>Mod SSM Application Name Status SSM Application Version<BR />---- ------------------------------ ---------------- --------------------------<BR />sfr ASA FirePOWER Up 6.2.3.13-53</P><P>Mod Status Data Plane Status Compatibility<BR />---- ------------------ --------------------- -------------<BR />sfr Up Up</P><P>And I think workaround is not applicable for me, sfr module not accepted commands:</P><P><SPAN class=""><SPAN class="highlight begin selected">system support </SPAN></SPAN><SPAN class="highlight middle selected">ssl</SPAN><SPAN class="highlight middle selected">-</SPAN><SPAN class="highlight middle selected">hw</SPAN><SPAN class="highlight middle selected">-</SPAN><SPAN class=""><SPAN class="highlight end selected">offload disable</SPAN></SPAN><SPAN>FTD</SPAN></P><P><SPAN>system support ssl</SPAN><SPAN>-</SPAN><SPAN>hw</SPAN><SPAN>-</SPAN><SPAN>force</SPAN><SPAN>-</SPAN><SPAN>offload</SPAN><SPAN>-</SPAN><SPAN>disable</SPAN></P> Sun, 18 Aug 2019 12:31:07 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909812#M939479 Oleg Volkov 2019-08-18T12:31:07Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909814#M939480 <P>Ah correct - sorry that command is for FTD only. You did say you are using ASA with Firepower service module.</P> <P>Are you inspecting icmp, sip and dns in your ASA config? What is the ASA version (not Firepower version)?</P> Sun, 18 Aug 2019 12:36:48 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909814#M939480 Marvin Rhoads 2019-08-18T12:36:48Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909816#M939481 <P>Cisco Adaptive Security Appliance Software Version 9.6(4)3</P><P>policy-map global_policy<BR />class inspection_default<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />inspect icmp<BR />inspect pptp<BR />inspect icmp error<BR />class IPS-CM<BR />sfr fail-open</P> Sun, 18 Aug 2019 12:46:46 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3909816#M939481 Oleg Volkov 2019-08-18T12:46:46Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3910043#M939482 <P>Everything appears in order with your config.</P> <P>I'd suggest opening a TAC case for a more detailed look in real time.</P> Mon, 19 Aug 2019 08:43:23 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/3910043#M939482 Marvin Rhoads 2019-08-19T08:43:23Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4006265#M939483 <P>Did we have a resolution to this? Oleg were you able to resolve this with TAC?</P> Fri, 03 Jan 2020 21:40:48 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4006265#M939483 irshad.hirani 2020-01-03T21:40:48Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4006272#M939484 No, we except part of traffic from FP and now latency is acceptable. Fri, 03 Jan 2020 21:47:46 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4006272#M939484 Oleg Volkov 2020-01-03T21:47:46Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4292322#M1078507 <P>We have the same Problem with 6.6.1-91 and ASA 5555x any new ideas?</P><P>&nbsp;</P> Tue, 16 Feb 2021 11:35:17 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4292322#M1078507 BURKHARD LANDWEHR 2021-02-16T11:35:17Z https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4292493#M1078514 <P>After upgrade FP and except many traffic from it, we have no problem.</P> Tue, 16 Feb 2021 15:51:17 GMT https://community.cisco.com/t5/network-security/firepower-add-latency-without-any-visible-reason/m-p/4292493#M1078514 Oleg Volkov 2021-02-16T15:51:17Z