08-12-2016 06:48 PM - edited 03-12-2019 06:06 AM
Hello,
I deployed FireSIGHT about 4 or 5 months ago and it has been working normally. But I ran into a problem at 7AM on 12-Aug (ICT +7): all traffic was blocked when going through the SFR module. When I removed the sfr configuration, the traffic worked as normal.
!
class sfr
sfr fail-close
!
Does anyone know or have any advice on this problem?
Thanks!
Phaneath
08-13-2016 02:55 PM
Strange, I had the same thing happen around 6:20AM EST 8/12, about 10 minutes after receiving an update. It was an older install I did for a customer that was still running 5.3, and the ASA was running 9.4(2). I upgraded to the latest code for 5.3 and rebooted both ASAs with no luck. It was set to fail open but didn't work until I put it in demo mode. Next step is to either upgrade the ASA or open a TAC case. Sounds like a bug.
08-15-2016 06:18 AM
Hi,
I would advise you to open a TAC case, because we would need to analyze the Troubleshoot file to provide more input on what could have happened. We have bugs which may lead Snort to a deadlock state, thus dropping all the traffic. But more analysis can confirm that.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
08-15-2016 06:30 AM
Thanks Aastha, I already opened a TAC case.
Regards,
Phaneath
08-15-2016 09:42 AM
So my issue seems to be resolved. Not sure if it was the upgrade, or the Snort rule update that occurred the following morning. Maybe a combination of the two? The timing matches up with when it stopped and started working, both of which were within 10-20 minutes of that process occurring. Roughly long enough for the rule update to install and redeploy the IPS policies.
It started working about 10 minutes after this update was applied. Magic? =)
08-17-2016 06:59 AM
Hi James,
Thank you! It's working now. Anyway, the customer still needs to know the root cause. Do you have any idea, brother?
Regards,
Phaneath
08-17-2016 07:24 AM
No, sorry. I didn't open a TAC case. Just seemed like a lot of work to have them come back and tell me, yeah it's a bug, upgrade. =) It would have been nice to know but I'm trying to get them off 5.3 anyway.
08-18-2016 04:48 AM
Hello Team,
Have you faced any access control failure during this time? Last week we had a known issue reported due to the Sourcefire Rule Update 2016-08-11-002 update. The issue has been resolved with the latest update, which is 2016-08-12-001. Only with the troubleshoot file can we say whether this is due to this issue or not.
Rate and mark correct if the post helps you.
Regards
Jetsy
08-15-2016 06:33 AM
Thanks James, I already opened a TAC case.
Regards,
Phaneath
08-25-2016 08:33 AM
Phaneath,
!
class sfr
sfr fail-close
!
This is the normal behavior for sfr fail-close: when the module becomes unresponsive, probably because of a rule upgrade, the traffic will be blocked. If possible I would select fail-open and let it alert you about the updates. I have seen this get stuck when an upgrade failed.