Ask again : span port to ASA 5515-x not working

Hello

A colleague of mine created a SPAN port and the traffic is sent to my "inside" interface on the firewall.

Traffic is recognized at the switch port where the firewall is connected (about 45 MB/sec).

But no traffic passes the firewall; no traffic comes in.

# show interface on the ASA shows counters of more or less 0

# capture on the interface delivers no traffic

The question is whether my construction is working, e.g. must the SPAN traffic pass the firewall, must I maybe configure the firewall as transparent, etc.

Any idea?

2 Replies

Fergal Meehan
Level 1

Hi Alfred,

Did you have any luck with this? I am having the same problem now.

I started out using transparent mode to trial FirePOWER for a customer and came across a known bug [CSCus53126] that inhibits the traffic being sent to the FirePOWER module.

So I am now trying to use an already configured mirrored port on the core switch and uplink that to the 5515x ASA, and no joy.

Fergal

Old answer from an old Cisco ticket, I hope it is helpful:

I consulted one of our senior engineers on this issue. His statement is that this is a wrong design. If you want to get this working, he mentioned to put this in inline mode, as mirroring would make duplicate packets and at some point the ASA will see these as spoofed packets. Reason: if you are mirroring the traffic, this means you have duplicate packets going to the ASA. To get the botnet to work, this traffic needs to have a destination. So now you have legitimate traffic going out and duplicate packets (which are mirrored) also going out. On return of the packets, these will be dropped.

I still have not closed the case, as you mentioned at the time the show tech was taken the SPAN configuration was not applied. What we saw there was input data as well as output (for the last 5 min there was not any). The ASA will only drop the packet if it either:

1) Receives a packet on a different interface, e.g. the packet exits from the OUTSIDE interface and is received on the DMZ interface (spoofing)
2) The packet arrives on the INSIDE interface but without any destination; the ASA does not have a route to the destination

Hence the suggestion to place the ASA in inline mode, so there is only 1 inbound and 1 outbound traffic.
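The two drop reasons in the ticket answer above, played through on a toy stateful forwarder: a both-direction SPAN copy lands on one interface, so the mirrored reply arrives on the interface the connection did not leave through (the "spoofing" case), and a mirrored flow for a destination the firewall has no route to is dropped outright; the same exchange fed inline (request on inside, reply on outside) passes. This is an added example written for this thread, not Cisco or ASA code, and the interface names, addresses and route table are constructed.

```python
"""
Toy model of a stateful forwarder with per-connection interface binding
and a route table, to show why a SPAN copy fed into a single interface
is dropped while inline traffic is forwarded. Added example, not ASA code;
all names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str  # interface the packet arrived on


class ToyAsa:
    """Minimal stateful forwarder: longest-prefix route lookup plus a connection table."""

    def __init__(self, routes):
        # routes: (prefix, egress interface) pairs, constructed by the caller
        self.routes = sorted(
            ((ip_network(p), i) for p, i in routes),
            key=lambda r: r[0].prefixlen,
            reverse=True,
        )
        self.conns = {}  # forward 5-tuple -> (ingress, egress) bound at setup

    def route(self, dst):
        addr = ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def process(self, p):
        """Return ("forward", egress_interface) or ("drop", reason)."""
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if fwd in self.conns:
            ingress, egress = self.conns[fwd]
            if p.ingress != ingress:
                return ("drop", "spoof: connection bound to " + ingress)
            return ("forward", egress)
        if rev in self.conns:
            ingress, egress = self.conns[rev]
            # A reply must come back on the interface the request left through
            # (reason 1 in the ticket: packet received on a different interface).
            if p.ingress != egress:
                return ("drop", "spoof: reply expected on " + egress)
            return ("forward", ingress)
        egress = self.route(p.dst)
        if egress is None:
            # Reason 2 in the ticket: no route to the destination.
            return ("drop", "no route to " + p.dst)
        self.conns[fwd] = (p.ingress, egress)
        return ("forward", egress)


def make_asa():
    # Constructed routes: inside subnet and one external prefix, no default route.
    return ToyAsa([("10.1.0.0/16", "inside"), ("203.0.113.0/24", "outside")])


def simulate_span_feed():
    """Both directions of a mirrored exchange, plus a stray flow, all arriving on 'inside'."""
    asa = make_asa()
    mirrored = [
        Packet("10.1.1.10", "203.0.113.5", 40001, 443, "inside"),   # client SYN (copy)
        Packet("203.0.113.5", "10.1.1.10", 443, 40001, "inside"),   # server reply (copy)
        Packet("10.1.1.10", "203.0.113.5", 40001, 443, "inside"),   # client ACK (copy)
        Packet("10.1.1.11", "192.168.77.9", 50000, 80, "inside"),   # flow with no route
    ]
    return [asa.process(p) for p in mirrored]


def simulate_inline():
    """The same exchange with the firewall in the path: reply arrives on 'outside'."""
    asa = make_asa()
    inline = [
        Packet("10.1.1.10", "203.0.113.5", 40001, 443, "inside"),
        Packet("203.0.113.5", "10.1.1.10", 443, 40001, "outside"),
    ]
    return [asa.process(p) for p in inline]


if __name__ == "__main__":
    for verdict in simulate_span_feed():
        print("SPAN  :", verdict)
    for verdict in simulate_inline():
        print("inline:", verdict)
```

In the SPAN run the duplicate client packets are forwarded out "outside" (the "duplicate packets also going out" the ticket mentions), the mirrored server reply is dropped as spoofed because it shows up on "inside" instead of "outside", and the stray flow is dropped for lack of a route; in the inline run both directions pass.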
