11-14-2022 09:47 AM - edited 11-19-2022 10:54 AM
Hi All,
Hope everyone is doing great. I upgraded my FTD Snort V2 to Snort V3 last weekend and it was successful, but I ran into some roadblocks.
Here is the list of problems encountered:
1) An error pops up that AMP cannot connect to the cloud
2) Tried downloading new updates but cannot connect to the cloud
3) Tried syncing the FMC license to the support site but cannot connect to the cloud
4) Users that are NOT PART of the URL filtering exemptions ACP cannot connect to the internet (even simply opening google.com is blocked and a blocked message pops up)
5) Only users that are part of the URL filtering exemptions ACP can browse the internet.
I followed some conversations here in the community that suggest adding an SSL policy and adding my FMC IP address as the source, and after deploying the changes, all users are now back to normal (they can now access the internet), but the AMP error and all the "cannot connect to the cloud" errors are still not fixed, even after running it all in System -> Health -> Monitor.
My question is, if I transfer the arrangement of my ACP rules, would that solve the problem?
By the way, here is the arrangement of my ACP rules from top to bottom:
Allow -> domain authenticated users are allowed to access FB and youtube
Allow -> unauthenticated users (mobile devices added via their IP address) are allowed to access FB and youtube
Block -> all users blocked from fb and youtube
Block -> all users blocked from adult sites
Allow -> any any any
So if I move my allow any any policy just right above my first block policy, will that solve all the "cannot connect to cloud" errors?
Right now I have reverted it back to Snort V2 so that all users can use it, and maybe I will try to upgrade it back to Snort 3 this coming weekend.
Has anyone who tried upgrading Snort V2 to V3 also experienced this kind of problem, and what was your workaround?
Here are the details of my device:
FTD 7.0.4
FMC 7.0.4
ASA5508X
Thank you so much and more power to you all!
11-21-2022 05:39 AM
My experience more closely matches that of @Milos_Jovanovic
There were some early issues with 7.0.1 and 7.02 and Snort 3 but those are cleared up with 7.0.4 as far as I know.
11-19-2022 10:48 AM
Hello? Has anyone tried upgrading to Snort 3 and experienced the same problem?
11-20-2022 10:15 AM
Hi @Herald Sison,
I did multiple Snort 2 to Snort 3 upgrades and never faced a similar issue. From what you've described, it doesn't sound like an issue that is caused by the Snort upgrade. What version of FMC and FTDs are you running?
There was a Field Notice not so long ago, where Cisco warned users that they are replacing certificates used on Cisco portals, which would cause issues with all update services. This sounds more like that than like a Snort issue.
Also, in order to exclude Snort as a root cause, you can add the FMC to the prefilter policy, so it won't go via Snort.
Kind regards,
Milos
11-24-2022 10:22 PM
Hi Sir, this may sound weird, but I upgraded my Snort version again last weekend and experienced no errors. This is really weird. I will keep monitoring this for maybe 2 weeks to see if the error comes out again.
11-28-2022 04:34 AM
Good info to know @Herald Sison - thanks for your update.
07-14-2023 05:07 AM
We upgraded to v3 on a device and no longer receive any type of alerts for it. Is there some setting or something that must be enabled?