10-13-2017 03:45 AM - edited 02-21-2020 06:29 AM
Hi firewall lovers,
I have the following issue: when deploying policy from FMC, the ASA firewall module stops data traffic. Version of devices is 6.1.0-330. ASA version is 9.5(1).
Although I have the fail-open action under the class-map:
policy-map global_policy
 description flow_export_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
 class firepower_class_map
  sfr fail-open
 class global-class
  flow-export event-type all destination 172.30.30.131
 class class-default
!
What could be the reason, or what action must be taken? Maybe SFR does not know about the fail-open option of the ASA (honestly, I don't know the architecture, so maybe it must be somehow enabled in SFR or via FMC).
Thanks in advance,
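As an added example (not from the original post or from Cisco), a small Python audit that parses ASA policy-map blocks like the one above and reports, for each class that hands traffic to the SFR module, whether it is set to fail-open. The constructed sample embeds a shortened copy of the poster's policy-map next to a hypothetical second policy-map that uses the weaker fail-close setting, so the check has both cases to distinguish.

```python
import re

# Constructed sample: the poster's policy-map (shortened) plus a second,
# hypothetical policy-map that uses the weaker `sfr fail-close` setting.
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http
 class firepower_class_map
  sfr fail-open
 class global-class
  flow-export event-type all destination 172.30.30.131
 class class-default
!
policy-map dmz_policy
 class firepower_class_map
  sfr fail-close
!
"""

def parse_policy_maps(config):
    # Returns {policy_map: {class_name: [action lines]}}; a lone "!" ends a block.
    policy_maps, current_pm, current_class = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current_pm = current_class = None
        elif (m := re.match(r"policy-map\s+(\S+)$", line)):  # skips 'policy-map type ...'
            current_pm = policy_maps.setdefault(m.group(1), {})
            current_class = None
        elif current_pm is None:
            continue
        elif (m := re.match(r"class\s+(\S+)$", line)):
            current_class = current_pm.setdefault(m.group(1), [])
        elif current_class is not None:
            current_class.append(line)  # e.g. 'sfr fail-open', 'inspect http'
    return policy_maps

def audit_sfr_fail_mode(config):
    # One tuple per class that redirects to the SFR module:
    # (policy-map, class, action line, True if it fails open)
    return [(pm, cls, action, "fail-open" in action.split())
            for pm, classes in parse_policy_maps(config).items()
            for cls, actions in classes.items()
            for action in actions if action.startswith("sfr")]
```

Run `audit_sfr_fail_mode(open("running-config.txt").read())` against a saved `show running-config policy-map` to list every SFR redirect and its fail mode.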
10-13-2017 04:02 AM
Hi,
Are you blocking traffic somehow within the ACP you have pushed out to the sensor? Or was this working and then suddenly traffic just stopped flowing through the ASA?
I had an issue within the past few weeks at our DC which sounds similar to yours. Traffic just stopped flowing. I removed the policy-map entry for FirePOWER and traffic flowed again.
TAC advised I had hit a bug, something related to Snort segfaults.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd55859
Although I see your version is on the "known fixed releases".
I would advise moving to 6.2.2 if possible, and maybe log with TAC if your ACP looks OK.
10-13-2017 04:17 AM - edited 10-13-2017 04:18 AM
I have block rules in the ACP. By the way, the problem resolves itself some time later; it seems this happens due to a Snort restart (as I understand from Cisco docs, this is the "engine" for forwarding inside SFR). What interests me is why the module and/or ASA stops traffic while I have configured fail-open.
Regards,
10-13-2017 04:20 AM
This is why I think it might be a bug.
I also had sfr fail-open, but traffic just stopped completely.
Do you have a contract to raise a TAC case?
10-13-2017 04:39 AM
Yes, we have.
Additional info: the device is a 5508 and the deployment is routed mode; maybe this is the cause?
I am also searching for an answer in the docs, because some hours later I saw something about this.