
ASA Firepower getting ignored

Infuscomus
Level 1

After receiving some user reports, apparently all Firepower rules are getting ignored in my ASA-5508X.

I was unable to find what is wrong.

Nothing related to Firepower was recently modified. 

The SFR policy is the same and enabled. It matches all LAN segments towards any IP.

But Access Control Policy seems to be completely ignored/bypassed.

Using the packet tracer shows that any IP that is supposed to be blocked in the ACP goes through without any problem.

 

How can I properly identify the problem?

 

8 Replies

Well, packet tracer will only provide the result of the ASA verdict of the traffic and does not include what Firepower will do to the traffic. If you jump to the Firepower CLI and issue the command system support diagnostic-cli, enter the client IP and leave everything else blank, and then run a test, what rule are you hitting? If you see no traffic at all, then traffic is not being redirected to Firepower.

--
Please remember to select a correct answer and rate helpful posts

Infuscomus
Level 1

Update:

Apparently this is a problem with some objects suddenly missing from the main network objects group.

This is fixable, so it was not a serious issue.

Objects that suddenly go missing should not happen.  If this continues, I suggest opening a TAC case as this sounds a lot like a bug.

--
Please remember to select a correct answer and rate helpful posts

I think Marius meant to say the system support firewall-engine-debug command to capture the traffic subnet to the ACP. Check if the snort engine is running; if not, try to restart it with the command pmtool restartbytype snort.

D'OH!  Correct Aref, I meant firewall-engine-debug.

--
Please remember to select a correct answer and rate helpful posts

Thanks for the feedback.

The last serious problem I encountered was licenses suddenly not being correctly detected, which of course caused a lack of certain licensed functionality.

I will follow closely to see if similar anomalies occur.

 

What version of ASA/SFR are you running?

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.13(1)
