Solved: Re: ASA 5508 Firepower Traffic performance degradation!

Imma · ‎06-04-2020

Hi all,

May anyone advice me related the below problem:

I have an ASA 5508 with firepower service (on ASDM). All was up and running fine. After I created an Intrusion rule, the internet service become slow and the network experienced timeouts.

I cleared the rule. But nothing changed.

I think there is a cache somewhere in the firepower module, but I haven't find any option to clear it.

Any idea, please?

Thank you in advanced,

Denisa

Sheraz.Salim · ‎06-04-2020

In that case you have only few option left.

1. shutdown the SFR module and monitor the traffic.

2.instead of ALLOW change it to TRUST. again monitor the traffic on the ASA.

3. check the show conn all./show service-policy sfr

or

class-map SFR-CLASS
match access-list SFR
!
access-list SFR line 1 extended permit ip any any
!
policy-map global_policy
class SFR-CLASS

now here you can define a rule to deny the interested traffic in order for not to go at SFR sensor. for example
access-list SFR extended deny "denied traffic"
access-list SFR line 1 extended permit ip any any

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎06-04-2020

Do you managed you SFR module on FMC? can you revert back to balanced security over Connectivity. Is this a production firewall?

make sure your policies are pushed to the SFR sensor.

please do not forget to rate.

Imma · ‎06-04-2020

Hello,

no I do not manage Firepower through FMC. Yes the FW is in production. I deleted all the rules. and saved changes. but the network is still in a mess situation.

Thank you,

Denisa

Marvin Rhoads · ‎06-04-2020

Did you re-deploy after clearing the rule?

Once you've deployed with the change completely removed, there should be nothing "cached" from the suspect configuration.

Imma · ‎06-04-2020

yes, I did. Cleared the rule, save changes, deploy.

Do you think a reload of the srf module would solve the problem?

Sheraz.Salim · ‎06-04-2020

reload of the SFR module is not going to fix this issue. also could you confirm if this ASA is in HA pair. if so doing the reboot/reload of the SFR module will trigger a failover to other unit.

give us more insight what you did and what cause the issue. where were the policy before. how to manage the SFR sensor is it form the ASDM software?

please do not forget to rate.

Imma · ‎06-04-2020

Yes, you are right, the reload did not solve the problem.

No, ASA is not connected in HA failover.

Yes, firepower is managed through ASDM.

There were some Access Control Policy (blocking some url and app), which worked just find.

The problems started when I tried to create a Intrusion Policy.

Then I deleted it (then deploy). The problems still persist.

I have deleted all the rules in Firepower now. And I am stuck, do not know what else to check.

Thank you,

Denisa

Sheraz.Salim · ‎06-04-2020

In that case you have only few option left.

1. shutdown the SFR module and monitor the traffic.

2.instead of ALLOW change it to TRUST. again monitor the traffic on the ASA.

3. check the show conn all./show service-policy sfr

or

class-map SFR-CLASS
match access-list SFR
!
access-list SFR line 1 extended permit ip any any
!
policy-map global_policy
class SFR-CLASS

now here you can define a rule to deny the interested traffic in order for not to go at SFR sensor. for example
access-list SFR extended deny "denied traffic"
access-list SFR line 1 extended permit ip any any

please do not forget to rate.

Imma · ‎06-04-2020

Done as below:

# sw-module module sfr shutdown noconfirm
Shutdown issued for module sfr.

# show module sfr details
Getting details from the Service Module, please wait...
Unable to read details from module sfr

Card Type: FirePOWER Services Software Module
Model: ASA5508
Hardware version: N/A
Serial Number: xxxxxxxxxxx
Firmware version: N/A
Software version: 6.2.2-81
MAC Address Range: xxxx.xxxx.xxxx to xxxx.xxxx.xxxx
App. name: ASA FirePOWER
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 6.2.2-81
Data Plane Status: Not Applicable
Console session: Ready
Status: Shutting Down

ciscoasa(config)#access-list sfr_redirect extended permit ip any any
ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open

# show service-policy sfr

Global policy:
Service-policy: global_policy
Class-map: global-class
SFR: card status Not Applicable, mode fail-open
packet input 458676, packet output 458678, drop 1641, reset-drop 0
Class-map: sfr
SFR: card status Not Applicable, mode fail-open
packet input 0, packet output 0, drop 0, reset-drop 0

# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list sfr_redirect; 1 elements; name hash: 0x41ab5d0f
access-list sfr_redirect line 1 extended permit ip any any (hitcnt=0) 0x06d5ebec

Should I remove the access list that redirect the trafic to sfr?

Thank you,

Denisa

Imma · ‎06-09-2020

After following the advised steps I realised that the problem were not generated from sfr module.
Thank you.

BR,
Denisa