ASA+FirePower Bundle - policies not getting applied - Interface 'DataPlaneInterface0' is not receiving any packets.

Eby Mani
Level 1

I'm evaluating ASA5500-X with FirePower bundle with Eval licenses.

I'm facing 2 issues with FSMC:

1. FSMC shows 2 critical health errors for SFR & Sourcefire3D related to time synchronisation: Module Time Sync is out.

2. Nothing is displayed in "Connection Status" and policies are not getting applied. However, the top Applications & Operating Systems are displayed in the Dashboard!!!!

On the ASA I've tried the following, and also monitor-only mode.

policy-map global_policy
 class class-default
  sfr fail-open

On FSMC, zones are configured and called in the Access Control Policy.

FSMC Health Monitor says:

SFR
Module Time Synchronization: "device" is out-of-sync.
Module Traffic status: Interface 'DataPlaneInterface0' is not receiving any packets.

The strange thing is that on the ASA,

the internal-Control0/0, Internal-Data0/0, Internal-Data0/1 and Internal-Data0/2 interfaces and line protocols are up and sending/receiving packets with no errors or drops!!!

Does the inside zone need to be on an interface other than g0/0, or should the interface names (ASA & FSMC) match?

Thanks.

17 Replies

BEHowardGRDA
Level 1

Did you ever find a solution to this issue?

The problem was with the FSMC license!!!

Two Items:

1.) Control Licenses: These are provided by CGL (Cisco Global Licensing)

2.) Global Policy setting that says Any Traffic, and enable Sourcefire under the service policy

Could you specify the exact config lines you used in the Global Policy please? Is the name of the class important?

Presumably there's no difference whether the ASA is running in Transparent mode or not?

Thanks.

Folks,

I too observed the same error messages in the FireSIGHT health status and found that the policy-map configuration was not applied in the service policy globally.

After that, it starts working.

"Interface 'DataPlaneInterface0' is not receiving any packets" means that the traffic which hits the ASA is not being redirected to the security module for inspection.

Keep posting your queries.

If you have two ASAs in A/S, the standby ASA's FirePower unit will show a health error that it's not receiving any traffic. This is normal, as the standby ASA won't receive any traffic.

I had an issue with time sync yesterday at a client. The clock was right on FireSight and both FirePowers, but it showed the time sync error. It took about 10-15 minutes, but it worked itself out. This happened after I upgraded FireSight to 5.4.1.1.

I have the same scenario, 2 ASA 5525-X in HA. How did you guys manage to configure the failover for the FirePower? Is it possible, or do you just configure the same thing in both, including the IP address?

Remember Firepower/Sourcefire within the ASA is just like the IPS modules, so there's no real load balancing, it's just a policy. Each unit should have its own policy, and if you split contexts up it's the same concept, as any traffic coming in on the contexts will be serviced.

It would be nice if there was a way to suppress the health alert for the standby unit of an HA pair. Every time I set one up, I have to tell my client that this alert is a false positive.

If you have an HA pair then you should split contexts up somehow so that you take advantage of the pair at all times vs just during a failover.

The other option is to create a policy that looks at the management interface and monitors it, then some form of traffic is still going.

This error annoyed me as well, but I use the 5585-SSP60s, so naturally you split contexts up.

A quick fix is to create a second health policy and turn off Interface Status. Then apply this new health policy to only the failover ASA.

HTH

Hi,

Firepower is installed on the SSD, so it is like the Cisco legacy SSM. There is an HA concept between the two FirePowers. Configure them as 2 standalone units. Whenever the primary FW goes down, traffic will be processed through the secondary; likewise the second FirePower will process the traffic.

Hi,

I have the same problem with FireSIGHT: it cannot show any traffic. URL filtering: no and Malware: no.

Can anyone tell me!

show service-policy sfr

Global policy:
Service-policy: my-sfr-policy
Class-map: my-sfr-class
SFR: card status Up, mode fail-open
packet input 0, packet output 0, drop 0, reset-drop 0
Class-map: my-sfr-class2
SFR: card status Up, mode fail-open
packet input 0, packet output 0, drop 0, reset-drop 0

Hi,

Do you have an ASA failover setup? The dataplane not receiving any traffic on the standby unit is expected.

Also, you have 2 class-maps for SFR; you might need to remove one and make sure it's bound to the global_policy.

Check this link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html

Regards,

Aastha Bhardwaj

Rate if that helps!!!
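As an added example (not from this thread, Cisco, or any of the posters), the following Python parses `show service-policy sfr` output in the shape quoted earlier and runs the checks the replies describe: whether any class-map carries an `sfr` action under the global policy, whether more than one does, and whether the packet counters are zero (expected on a standby unit, a sign that nothing is redirected otherwise). The sample output is constructed to mirror the thread's; the finding strings and the `standby` flag are this example's own.

```python
import re

# Constructed sample shaped like `show service-policy sfr` on an ASA (mirrors the thread's
# output: two SFR classes, both with zero counters); not captured from a real device.
SAMPLE_NO_TRAFFIC = """\
Global policy:
  Service-policy: my-sfr-policy
    Class-map: my-sfr-class
      SFR: card status Up, mode fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
    Class-map: my-sfr-class2
      SFR: card status Up, mode fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
"""

SCOPE_RE = re.compile(r"^(Global policy|Interface \S+):")
CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
SFR_RE = re.compile(r"^\s*SFR:\s*card status (\S+), mode (fail-open|fail-close)")
COUNTER_RE = re.compile(r"packet input (\d+), packet output (\d+)")

def parse_sfr_classes(text):
    """Return one dict per class-map that carries an 'sfr' action, with its scope."""
    scope, name, current, classes = None, None, None, []
    for line in text.splitlines():
        if m := SCOPE_RE.match(line):
            scope = m.group(1)
        elif m := CLASS_RE.match(line):
            name, current = m.group(1), None      # counters belong to the SFR line below
        elif (m := SFR_RE.match(line)) and scope and name:
            current = {"scope": scope, "class": name, "status": m.group(1),
                       "mode": m.group(2), "input": 0, "output": 0}
            classes.append(current)
        elif (m := COUNTER_RE.search(line)) and current:
            current["input"], current["output"] = int(m.group(1)), int(m.group(2))
    return classes

def diagnose(text, standby=False):
    """Explain why FMC may report 'DataPlaneInterface0 is not receiving any packets'."""
    classes = parse_sfr_classes(text)
    if not classes:
        return ["no class-map carries an 'sfr' action: the ASA never redirects traffic"]
    findings = []
    if not any(c["scope"] == "Global policy" for c in classes):
        findings.append("sfr action is applied only per interface, not in the global policy")
    if len(classes) > 1:
        findings.append("more than one class-map carries an 'sfr' action; keep a single one")
    for c in classes:
        if c["status"] != "Up":
            findings.append(f"{c['class']}: module status is {c['status']}, not Up")
        elif c["input"] == 0 and c["output"] == 0:
            why = "expected on a standby unit" if standby else "nothing is being redirected"
            findings.append(f"{c['class']}: zero packets redirected ({why})")
    return findings
```

Run it against the output of the active unit first; a clean result there with zero counters on the standby is the normal HA picture the replies describe.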
