ASA-5515 w/FirePOWER blocking all urls from 1 vlan

I have an ASA-5515 w/FirePOWER services.

I have a 3750X switch with 2 workstations on their own VLAN (I'll say vlan666), connected to the 3750X switch, which then connects to the ASA-5515.

The issue is, when I send traffic to the FirePOWER (sfr), the sfr module requests a drop of packets (all packets) from the 2 workstations on vlan666. I have workstations on the local 3750X which are on another VLAN (I'll say vlan667), and they too get an initial sfr module request to drop packets, but within a second the sfr module tells the ASA to bypass and not send packets to the sfr, and I can reach the sites from workstations on vlan667.

I have disabled any access control policy blocks in the sfr configuration (Allow all), but I am running the Base Policy (Balanced Security and Connectivity).

I am in a closed environment, so I am not able to get whitelists, blacklists, etc.

I am running ASA version 9.7(1)4, ASDM 7.7(1), Firepower 6.2.0 (build 362).

3 Replies

Marvin Rhoads (Hall of Fame)

What does your FMC show for the Block reason under Analysis of Connection Events and Intrusion Events?

I am not running FMC, only ASDM w/Firepower. It appears right now I am having an issue with 6.2.0-362 where the Cisco Network Sensor Upgrade 6.2.0.1 Hotfix A (Cisco_Network_Sensor_Hotfix_A-6.2.0.1-10.sh), or the subsequent install that I did of Firepower Services on ASA - Upgrade only (Cisco_Network_Sensor_Patch-6.2.0.1-59.sh), has left me stuck with an unstable version of 6.2.0-362, as I cannot update policies on the FirePOWER (the deployment fails), nor can I upgrade or downgrade the unit.

I am going to attempt to reinstall 6.2.0-362 again, or just wipe the entire thing and start over, as I didn't have this issue until doing the 6.2.0.1-59 patch.

If you have SmartNet support, it might be a good idea to open a TAC case for detailed troubleshooting of your specific issue.

I have upgraded a number of devices to 6.2.0.1 patch without issue; so it is certainly possible.
