Any client connection limit from LAN to WAN on Firepower 5508-x base license?

riderfaiz
Level 1

Hi everyone,

Hope you can help. I have been on this issue for 3 weeks with two different Cisco tech support engineers but have made no progress. We just got this Firepower 5508-x with base license only about a month ago.

In short, right now the LAN 192.168.0.0/16 has 100 hosts connected. The LAN interface on the Firepower is 192.168.101.110. Any traffic for the server 172.20.0.54 in another network is routed from the Firepower to an interface of another ASA firewall, 192.168.200.1/16 (which is the same network as the LAN interface on the Firepower).

Once the Firepower was in place, it created a lot of trouble. Again, in short, the problem that remains now is the 10-connection issue, meaning only 10 clients on the LAN behind the Firepower can connect to the server 172.20.0.54, and again that server is behind another firewall.

With the Firepower shut down and the old router back up, everything resumes working. But once the Firepower is up to replace the old router, only 10 connections can be made.

"show conn" on the Firepower seems fine, but on the server we can only see 10 connections. The tech support I worked with still think of other causes, not the license. But to me the number "10" is kind of "special", which makes me think something must be causing exactly 10, and not 6 or 12 or 16.

Any thoughts on this? I am totally stuck. Hope you can help. Thank you in advance.

Takami Chiro

5 Replies

Marvin Rhoads
Hall of Fame

Is that an ASA 5508-X running the FTD image, or with the Firepower service module?

There's no connection limit per se, but you can run into issues if your network discovery policy is not set up correctly. Firepower can end up trying to discover all of the Internet and run out of new host entries.

Hi, thanks for your response. It is an FTD, not a module in an ASA. That problem has really held up my project, while Cisco support still cannot resolve it after 2 weeks.

Hope you can help. Thank you and happy holidays!

Can you share a diagram of the setup? I'm not following how things go in and out. It seems very odd to have separate 192.168.0.0/16 segments.

I'm also wondering what the FTD appliance shows when the traffic for the 11th connection comes into the device.

Is the other ASA a 5505 by chance?

 

 

Hi Marvin,

Good morning!

I have attached my handwritten network diagram; bear with my handwriting :)

Long story, but you are right, there are multiple gateways there for various reasons. This firewall is a new one for a different project, for different organizations/agencies to log on to, while the other one is a bridge to our corporate network.

The issue is, I did not see any network drops. But on the server side there is a lot more ARP traffic than usual, according to the server tech support. Also, instead of the connection being established, there are a lot of SYN sequences; it looks like the server attempts to build the connection to those devices but does not succeed, as if something is blocking it.

Also, may I ask a question: on the new Firepower, if there is a network that is not directly on one of its interfaces, and machines need to access that network or any host in it, do I still need to set up an access rule for that? Also, what about NAT?

Thank you very much again.

Takami Chiro

 

There are so many places where this could need attention that it's hard to know where to start.

1. Routing (both directions) should be mapped out carefully, since you are using static routes. For instance, 172.16.181.0/24 would not be known to the server, which would thus try to use the corporate ASA.

2. If there is NAT on the old router, it should also be on the FTD.

3. Since your subnet masks are a bit non-standard, carefully check those.

4. Your server has a host route to 192.168.200.0/24, but that network is actually a /16 per definitions elsewhere in your configs.

That's just off the top of my head....
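As an added illustration of points 1 and 4 (example code written for this thread, not from Cisco or either poster): a small longest-prefix-match lookup over a constructed copy of the server's routing table, which flags the /24 route that only partially covers the /16 LAN and lists the hosts that would fall through to the corporate ASA's default route. Addresses are the ones named in the thread; the next-hop names and the host 172.16.181.10 are assumptions.

```python
import ipaddress

# Constructed data modelled on the thread: the LAN is a /16 per the posts,
# the server's route to 192.168.200.0/24 is point 4, and 172.16.181.0/24
# is the subnet from point 1. Next hops are assumptions, not from the thread.
DEFINED_NETWORKS = ["192.168.0.0/16", "172.16.181.0/24"]
SERVER_ROUTES = [
    ("192.168.200.0/24", "192.168.200.1"),  # the /24 route described in point 4
    ("0.0.0.0/0", "corp-asa-default"),      # assumed default via the corporate ASA
]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def mask_mismatches(routes, defined):
    """Routes that are a strict subnet of a network defined elsewhere (point 4).

    Such a route covers only part of the segment, so the remaining hosts on
    that segment are matched by a less specific route instead."""
    found = []
    for prefix, _ in routes:
        net = ipaddress.ip_network(prefix)
        for d in defined:
            dnet = ipaddress.ip_network(d)
            if net != dnet and net.subnet_of(dnet):
                found.append((prefix, d))
    return found


def default_only(routes, hosts):
    """Hosts this table can reach only via the default route (point 1)."""
    out = []
    for host in hosts:
        match = lookup(routes, host)
        if match is None or match[0] == "0.0.0.0/0":
            out.append(host)
    return out


if __name__ == "__main__":
    print("mask mismatches:", mask_mismatches(SERVER_ROUTES, DEFINED_NETWORKS))
    hosts = ["192.168.200.1", "192.168.101.110", "172.16.181.10"]
    print("default-route only:", default_only(SERVER_ROUTES, hosts))
```

Running the same two checks against the FTD's own static routes, in the other direction, covers the "both directions" part of point 1.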
