1277 Views · 5 Helpful · 3 Replies

Cisco ASA 5506-X FirePower 6.0 Issues with URL filtering and SSL inspection

ryabutler
Level 1

Hi,

I have a Cisco ASA 5506-X with FirePOWER services running OS 6.0.0 (which supports SSL inspection). I am managing this firewall through the ASDM. The ASA itself is running ASA OS version 9.5(1). The ASDM version is 7.5(2)

I am encountering a lot of unreliable issues and bugs with this firewall running OS 6.0.0.  Here are the biggest issues:

  1. URL Filtering hangs the SFR module for traffic forwarding: When I configure URL filtering for blocking based on a category such as Social Network and adding URLs like cisco.com, everything works as expected from the clients. However, after some time, all users will lose access to services on the Internet as if the SFR module hangs. But I can console in and access the FirePower pages without any problems. I have to reboot the SFR module and everything works again. CPU and memory resources are good. I can repeat this process several times and this seems to be a bug. Even on other ASA SFR units.
  2. SSL inspection is not reliable compared to the ASA running the CX module, which works great.  I set up SSL inspection, imported the CA in our users' web browsers and when I access Facebook.com ... we see our cert.  However, if I want to block Facebook posts, comments, chat, etc.   Nothing works!!!!  Even though it is using the correct cert.

I even generated the troubleshooting logs, but they don't provide any useful info I can use to understand what is going on.

Are there any known bugs or problems with Cisco ASA 5506-X with FirePOWER services running OS 6.0.0? Or is there anything I need to do extra on this ASA to get everything to work reliably?

I don't see many resources and I'm not happy with this product. The PAN, FGT, and the ASA using CX are much better NGFWs compared to the ASA SFR unit.

Please help or guide me in the right direction?

Thank you!

-rya
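An editor's note added to this thread, not part of the original post or any reply: the symptom in point 1 (module hangs, every user loses Internet, module console still reachable) is what the ASA's traffic redirect policy produces when the SFR class is configured fail-close and the module stops answering. The ASA CLI snippet below shows the status commands to check first, the fail-close setting beside its fail-open alternative, and the software-module reload the poster is doing by hand. It assumes the ASDM default names `global_policy` and `class-default`; substitute your own policy-map and class names if they differ.

```cisco
! Added example (editor's, not from the thread). Assumes the ASDM default
! policy-map "global_policy" and the class "class-default".

! 1. Check the module and the redirect policy before blaming the ASA.
!    The post reports the module console stays reachable during the hang,
!    so a "Status: Up" here is not by itself proof that traffic is flowing;
!    compare the service-policy packet counters across two samples instead.
show module sfr details
show service-policy sfr

! 2. Availability-weak setting: with fail-close, every packet redirected to
!    the module is dropped while the module is not responding, which is
!    exactly the "all users lose access" symptom described above.
policy-map global_policy
 class class-default
  sfr fail-close

! 3. Alternative: fail-open forwards traffic uninspected while the module is
!    down. Trade-off: a module outage becomes a silent loss of URL filtering
!    and SSL inspection, so alert on module state (show module sfr) rather
!    than waiting for users to notice a change in behaviour.
policy-map global_policy
 class class-default
  sfr fail-open

! 4. The 5506-X runs FirePOWER as a software module, so it is reloaded with
!    sw-module (not hw-module) and without rebooting the ASA itself.
sw-module module sfr reload
```

Whichever of fail-open or fail-close is chosen, the decision should be deliberate: fail-close prioritises inspection over availability, fail-open the reverse, and neither fixes the underlying hang, which still needs a TAC case with the troubleshooting bundle attached.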

3 Replies

Boris Uskov
Level 4

Hello,

I just want to add that I heard from a Cisco representative that the 6.0 version is a bit raw and not stable. The advice is to use the 5.4 version and the latest update (Patch 5.4.1.5) until the 6.1 (or 6.0.1, not sure) release appears:

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286277393&release=5.4.1.5&relind=AVAILABLE&rellifecycle=&reltype=latest

The bad thing is that 5.4 doesn't have SSL decryption for the Cisco ASA (SSL decryption is implemented only for NGIPS appliances). Nor does it have Active Authentication.

Thanks for adding that.  I agree that 6.0 is very raw and very unstable.  But 6.0 has been out since November 2015 and I'm surprised there haven't been any updates since then.

I'm using 6.0 only because of SSL inspection.  If the SFR can't do SSL inspection natively, where other NGFWs can (Palo Alto, Fortinet, ASA CX) without using a separate box, then it doesn't make sense for anyone to use SFR because it isn't ready for production networks.

-rya

I think Cisco understands the necessity of on-box SSL decryption for the ASA with FirePOWER module; that's why they are developing new software versions. I absolutely agree with you that without on-box SSL decryption it will be difficult to compete with other vendors within the NGFW and UTM classes.
