topic Right after posting I came in Network Security

Firepower Blocking Traffic Randomly ?

darreng — Sun, 10 Mar 2019 13:41:50 GMT

Hi All,

I am running a ASA5525X Active / Standby pair of Firewalls with FIrewpower 6.0.1.1. Recently I have experienced an issue where at random intervals the active Firewall seems to stop passing traffic. When the problem occurs we know that:

The Firewall Inside interface is accessible from a host on the inside

I can VPN into the outside interface (and strangely authenticate to my AD Server on the inside)

I cannot ping any hosts on the inside via my VPN connection even though the VPN has authenticated

If I fail over the Firewall to the secondary it begins to work once again e.g. pings etc are fine

Minutes ago the issue re-occurred and failing back from the Secondary (Active) to the Primary (Backup) once again resolved the issue. We believe that have ruled out the internal network via various tests / log checks etc. We haven't ruled out that the IPS.

My plan was to disable the IPS when the error next occurred to prove or disprove my theory. Unfortunately another Engineer beat me to it and failed over the Firewalls before I could check so I'm again scratching my head as to how to prove it is / isn't Firepower related. My question is simple:

1) Has anyone experienced this on Firewpower

2) I understand I can send the logs off the Sourcefire IPS to a SFTP server for inspection. Are there any other useful troubleshooting tips / links anyone has to allow me to investigate this from the Sourcefire CLI

I'm currently going through the Sourcefire Management Console session events to try to determine the series of events but I'm working on the fact logging on the Firewpower module will offer me more detail.

Regards

Darren

Right after posting I came

darreng — Sat, 15 Oct 2016 19:58:40 GMT

Right after posting I came across the following URL which has proved useful.

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html

I have a reasonably accurate time of when traffic seems to have stopped flowing. Would anyone be able to guide me on which log files may prove most useful to inspect.

Regards

Darren

Maybe you are hitting the

Massimo Baschieri — Sun, 16 Oct 2016 06:48:24 GMT

Maybe you are hitting the following bug:

CSCup37416

Hi Massimo,

darreng — Sun, 16 Oct 2016 07:16:23 GMT

Hi Massimo,

Thank you for your kind response.

The issue isn't just related to VPN's. When the error occurs normal traffic such as outbound WWW or HTTPS cannot pass from inside to outside. I also loose email until I fail over the Firewalls and then everything appears to come back.

i have a router on an inside interface that uses a DMVPN to a remote site. The GRE tunnel and EIGRP relationship break also.

regards

Darren