12-14-2022 09:00 AM
Hello everyone,
Maybe this is a strange question:
I have a Firepower 7115 with an inline pair (in and out) between two non-Cisco firewalls which are running CARP interfaces.
I have checked the connection events on the FMC but can't see the multicast CARP traffic (heartbeat).
When I make a capture on the Firepower I can see the traffic passing through the box as expected. (Source IP: interface of master -> Dest IP: 224.0.0.18)
Can someone explain why this traffic isn't logged by the Firepower?
03-14-2023 12:26 AM
Good morning @BastiiGee .
Can you please give more details on the topology (what interfaces are connected to what, how they are configured, etc..).
Also, remember that for the traffic to be logged and seen in the connection events, you must enable logging for the specific access control entry.
You can also learn more about Cisco Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
03-14-2023 01:04 AM
Good morning @lciccar,
Thank you for your message and your questions on my initial question.
I was able, through some trial and error and reading, to understand why I could not see the multicast traffic.
The logging was activated for that particular traffic. However, on my slightly older Firepower 7115, it only logs at the start or end of a connection but not the constant stream.
So it is not possible to see the traffic after initialization or before termination of the connection.
BR,
Basti
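To illustrate Basti's conclusion, here is an added model (not code from the thread, Cisco or FMC) of a connection logger that records only the beginning and end of each flow: a CARP master advertising to 224.0.0.18 once a second for two minutes yields a single begin-of-connection event, and no end event while the heartbeat keeps the flow alive. The 30-second idle timeout, the addresses and the packet list are constructed assumptions.

```python
from dataclasses import dataclass

CARP_GROUP = "224.0.0.18"  # VRRP/CARP multicast group seen in the capture
IDLE_TIMEOUT = 30          # assumed idle timeout (seconds) before a flow is treated as ended

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    proto: int  # 112 = VRRP/CARP, 6 = TCP

def sample_capture():
    """Constructed capture: a CARP master advertising once a second for two
    minutes, plus a short TCP exchange for contrast (made-up addresses)."""
    pkts = [Packet(float(t), "10.0.0.2", CARP_GROUP, 112) for t in range(120)]
    pkts += [Packet(5.0 + 0.2 * i, "10.0.0.5", "192.0.2.10", 6) for i in range(3)]
    return pkts

def connection_events(packets, idle_timeout=IDLE_TIMEOUT):
    """Model of begin/end-of-connection logging: one event when a flow is first
    seen, one when it has been idle for idle_timeout, nothing for the packets in
    between. Returns (events, flows still open at the end of the capture)."""
    active = {}  # (src, dst, proto) -> timestamp of the last packet seen
    events = []  # ("begin" | "end", flow key, timestamp)
    for pkt in sorted(packets, key=lambda p: p.ts):
        # close flows that went quiet before handling the new packet
        for key, last in list(active.items()):
            if pkt.ts - last > idle_timeout:
                events.append(("end", key, last))
                del active[key]
        key = (pkt.src, pkt.dst, pkt.proto)
        if key not in active:
            events.append(("begin", key, pkt.ts))
        active[key] = pkt.ts
    return events, active

def summarize(packets, events):
    """Per flow: (packets seen in the capture, connection events logged)."""
    counts = {}
    for p in packets:
        counts.setdefault((p.src, p.dst, p.proto), [0, 0])[0] += 1
    for _, key, _ in events:
        counts.setdefault(key, [0, 0])[1] += 1
    return {k: tuple(v) for k, v in counts.items()}

pkts = sample_capture()
evs, still_open = connection_events(pkts)
for flow, (npkts, nevents) in summarize(pkts, evs).items():
    print(f"{flow}: {npkts} packets captured, {nevents} connection events")
```

The packet capture shows all 120 heartbeats, while the event view shows one entry for the whole stream, which is why a capture and the connection events disagree.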