08-12-2016 06:48 PM - edited 03-12-2019 06:06 AM
Hello,
I deployed FireSight about 4 or 5 months ago and it has been working normally. But I had a problem at 7 AM on 12-Aug (ICT +7): all traffic was blocked when going through the SFR module. When I removed the sfr configuration, the traffic worked normally.
!
class sfr
sfr fail-close
!
Does anyone know or have any advice on this problem?
Thanks!
Phaneath
08-13-2016 02:55 PM
Strange, I had the same thing happen around 6:20AM EST 8/12, about 10 minutes after receiving an update. It was an older install I did for a customer that was still running 5.3, and the ASA was running 9.4(2). I upgraded to the latest code for 5.3 and rebooted both ASAs with no luck. It was set to fail open but didn't work until I put it in demo mode. Next step is to either upgrade the ASA or open a TAC case. Sounds like a bug.
08-15-2016 06:18 AM
Hi,
I would advise you to open a TAC case because we would need to analyze the Troubleshoot file and provide more input on what could have happened. We have bugs which may lead Snort to a deadlock state, thus dropping all the traffic. But more analysis can confirm that.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
08-15-2016 06:30 AM
Thanks Aastha, I already opened a TAC case.
Regards,
Phaneath
08-15-2016 09:42 AM
So my issue seems to be resolved. Not sure if it was the upgrade, or the snort rule update that occurred the following morning. Maybe a combination of the two? The timing matches up to when it stopped and started working, which were both within 10-20 minutes of that process occurring. Roughly long enough for the rule update to install and redeploy the IPS policies.
It started working about 10 minutes after this update was applied. Magic? =)
08-17-2016 06:59 AM
Hi James,
Thank you! It's working now. Anyway, the customer still needs to know the root cause. Do you have any idea, brother?
Regards,
Phaneath
08-17-2016 07:24 AM
No, sorry. I didn't open a TAC case. Just seemed like a lot of work to have them come back and tell me, yeah it's a bug, upgrade. =) It would have been nice to know but I'm trying to get them off 5.3 anyway.
08-18-2016 04:48 AM
Hello Team,
Have you faced any access control failure during this time? Last week we had a known issue reported due to the Sourcefire Rule Update 2016-08-11-002 update. The issue has been resolved with the latest update, which is 2016-08-12-001. Only with the troubleshoot file can we say whether this is due to this issue or not.
Rate and mark correct if the post helps you.
Regards
Jetsy
08-15-2016 06:33 AM
Thanks James, I've already opened a TAC case.
Regards,
Phaneath
08-25-2016 08:33 AM
Phaneath,
!
class sfr
sfr fail-close
!
This is the normal behavior for sfr fail-close: when the module becomes unresponsive, probably because of a rule upgrade, the traffic will be blocked. If possible I would select fail-open and let it alert you about the updates. I have seen this getting stuck when an upgrade failed.
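Added example, not part of any post in this thread and not Cisco code: a small Python audit that reads an ASA configuration and reports, for each sfr redirect, what the configured keyword is intended to do with traffic when the module stops responding. The sample configuration and the function name audit_sfr are constructed for illustration.

```python
import re

# Constructed sample ASA configuration (not taken from the thread).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr
  sfr fail-close
policy-map dmz_policy
 class sfr_dmz
  sfr fail-open monitor-only
"""

SFR_LINE = re.compile(r"^sfr\s+(fail-open|fail-close)(\s+monitor-only)?$")

# Intended behaviour per keyword. One poster above reports a case where
# fail-open still dropped traffic until monitor-only ("demo") mode was set.
ON_FAILURE = {"fail-close": "blocked", "fail-open": "passed uninspected"}


def audit_sfr(config_text):
    """Return one dict per sfr redirect found under a class."""
    findings, policy, cls = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            policy, cls = line.split()[-1], None
        elif line.startswith("class "):
            cls = line.split()[-1]
        else:
            m = SFR_LINE.match(line)
            if m and cls:
                findings.append({
                    "policy": policy,  # None if the snippet has no policy-map line
                    "class": cls,
                    "mode": m.group(1),
                    "monitor_only": bool(m.group(2)),
                    "on_module_failure": ON_FAILURE[m.group(1)],
                })
    return findings


if __name__ == "__main__":
    for f in audit_sfr(SAMPLE_CONFIG):
        print(f)
```

Running it against a saved configuration before a rule update shows which classes would stop forwarding if the module hangs during the update.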