ASA CX flow cache and timeout

tato386
Level 6

I am doing some testing of access and identity policies and need to make sure that when I run a test of changes to the policies that I am seeing accurate results vs. getting inaccurate results due to the ASA still using active flow or cached settings.

What I do now is commit the settings on the CX, close the browser, and then open the browser again.  However, I am still using the same IP and going to the same URL to check my results.  How can I be sure the new settings are being used?

On a separate note, what is up with CX vs. Firepower?  I kind of sense that CX might be on its way out?  It's only a couple years old but Firepower seems like a similar product which is getting much more "love" from Cisco than CX.

IMHO Firepower seems like a much more complicated implementation due to its infrastructure needs.  For example, there doesn't seem to be a single-device mode option in Firepower. I would hate to find out that our investment in CX is a dead end and, to make things worse, its replacement is more complicated and expensive!  Comments?

Rgds,
Diego
 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

The ASA will keep connections active according to the timeout settings. If you "clear conn" on the ASA in between tests and force the browser to refresh and not use a cached page (typically Shift-F5), you have a pretty good assurance of getting a "fresh" test result.

Your sense is correct. The CX product is in maintenance mode right now and, although end of sale hasn't been announced, customers are being encouraged to consider the superior (but - yes - more complicated) Firepower-based options. The Firepower-based solutions are definitely much more powerful though and provide much enhanced security.

You're right that all Firepower-based implementations (even one each) require an "off-box" manager. That's FireSIGHT Management Center (FMC) - formerly Sourcefire Defense Center.

For what it's worth, there are promotional bundles being offered to ease the cost burden of migrating.

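A small pre-flight helper for the test procedure in the accepted answer, added here as an example (it is not code from the thread, from Cisco, or from the ASA itself). Before re-running a policy test from the same client IP against the same URL, it parses `show conn` output copied off the ASA, lists the flows for that client/server pair that could still carry pre-change state, builds a `clear conn` scoped to that pair instead of a box-wide `clear conn`, and produces the request headers that reproduce what Shift-F5 does (bypass the cache) plus `Connection: close` so the client cannot silently reuse a keep-alive connection. The sample `show conn` lines, the IPs and the interface names are constructed for the example; the `show conn` line format and the `clear conn protocol/address/port` argument order are assumed from the ASA 9.x command reference and should be confirmed on your own box with `clear conn ?`.

```python
"""Pre-flight check for an ASA (CX) policy re-test.

Added example, not code from the original thread. The `show conn` format and
the `clear conn` argument order are assumptions taken from the ASA 9.x
command reference; verify them on the box with `show conn` and `clear conn ?`.
"""
import re
from dataclasses import dataclass

# Constructed sample of `show conn` output from a lab ASA (IPs and interface
# names are assumptions for the example, not real devices).
SAMPLE_SHOW_CONN = """\
4 in use, 40 most used
TCP outside 198.51.100.20:443 inside 10.1.1.50:51234, idle 0:00:05, bytes 18322, flags UIO
TCP outside 198.51.100.20:80 inside 10.1.1.50:51240, idle 0:00:01, bytes 1201, flags UIO
UDP outside 203.0.113.53:53 inside 10.1.1.50:40012, idle 0:00:00, bytes 164, flags -
TCP outside 198.51.100.77:443 inside 10.1.1.51:50001, idle 0:03:10, bytes 90021, flags UIO
"""

# One `show conn` line: proto, egress interface + remote socket, ingress
# interface + client socket, idle time, byte count, connection flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<remote>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<client>[\d.]+):(?P<cport>\d+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


@dataclass
class Conn:
    proto: str
    client: str
    cport: int
    remote: str
    rport: int
    idle_seconds: int
    flags: str


def parse_show_conn(text: str) -> list[Conn]:
    """Parse `show conn` output; summary/header lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        h, mnt, s = (int(x) for x in m["idle"].split(":"))
        conns.append(Conn(m["proto"], m["client"], int(m["cport"]), m["remote"],
                          int(m["rport"]), h * 3600 + mnt * 60 + s, m["flags"]))
    return conns


def stale_test_flows(conns: list[Conn], client_ip: str, server_ip: str, server_port: int) -> list[Conn]:
    """TCP flows between the test client and the test server that survived the
    last run; any of these lets the next request ride an existing connection
    entry instead of being evaluated as a new flow."""
    return [c for c in conns
            if c.proto == "TCP" and c.client == client_ip
            and c.remote == server_ip and c.rport == server_port]


def clear_conn_command(client_ip: str, server_ip: str, server_port: int) -> str:
    """A `clear conn` narrowed to the test pair so other users' sessions on the
    ASA are left alone (argument order assumed from the command reference)."""
    return f"clear conn protocol tcp address {client_ip} address {server_ip} port {server_port}"


def fresh_request_headers(host: str) -> dict[str, str]:
    """Headers equivalent to a forced browser refresh: no cached copy from the
    browser or an intermediate proxy, and no keep-alive socket reuse."""
    return {"Host": host, "Cache-Control": "no-cache", "Pragma": "no-cache", "Connection": "close"}


def preflight(show_conn_text: str, client_ip: str, server_ip: str, server_port: int) -> dict:
    """Return what must happen before the test is trustworthy: the stale flows
    found and the command that removes them (None when the ASA is already clean)."""
    stale = stale_test_flows(parse_show_conn(show_conn_text), client_ip, server_ip, server_port)
    return {
        "stale_flows": stale,
        "clear_command": clear_conn_command(client_ip, server_ip, server_port) if stale else None,
        "headers": fresh_request_headers(server_ip),
    }


if __name__ == "__main__":
    result = preflight(SAMPLE_SHOW_CONN, "10.1.1.50", "198.51.100.20", 443)
    for c in result["stale_flows"]:
        print(f"stale: {c.client}:{c.cport} -> {c.remote}:{c.rport} idle {c.idle_seconds}s flags {c.flags}")
    print("run on ASA:", result["clear_command"])
    print("request headers:", result["headers"])
```

Usage: paste the output of `show conn` into the script (or feed it from an SSH session), run it with the test client and destination, issue the command it prints on the ASA, then fire the request with the printed headers. Re-run `show conn` afterwards and confirm the matching flow is gone before you trust the result; if the flow is back already, something else on the client (a background tab, a proxy) is keeping it alive.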

4 Replies


So flows and connections are handled on the ASA side of the box!  Wow, that's good to know since I was assuming that once traffic is flowing through CX that stuff would be handled on the CX side.  I guess it's true what they say about assuming stuff.

We bought 3 CX boxes with 3-year licenses not too long ago.  So whatever we learned about CX now goes out the window and we need to re-learn and re-do on Firepower.  Not only that, but I believe the Firepower stuff requires VMware and of course we are a Hyper-V shop.  Hard to swallow how Cisco handled this CX thing.

Thanks

Well your assumption is kinda sorta true. The CX is keeping a record of TCP connections also. However, when you issue "clear conn" on the ASA it sends a message via the control plane connection to the CX to flush the state of the TCP connections even though neither a TCP FIN nor configured connection timeout value has occurred.

FYI here's where the CX (or FirePOWER Service module for that matter) sits in the flow of ASA packet processing (source Cisco Live presentation BRKSEC-2024 from San Francisco 2014):

 

That's a mighty handy diagram.

 

Thank you sir.
