5677 Views | 0 Helpful | 12 Replies

errors in Firepower

adamgibs7
Level 6

Dears,

 

I have three questions. Please answer.

 

Please find the attached error.

Whenever I navigate to edit the ACP, I get a pop-up as per the attached; also, when I save after doing any changes, I get the attached pop-up error. Hence it is a bug, but I am on the latest version and it is still hitting me. Why is that so? The bug ID is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd40583/?rfs=iqvred

 

Also, I have a file policy as per the attached; it is showing a warning. I wanted to confirm whether this warning means the file policy is not configured properly or is just informational. Also, I have selected "any" for the type of file and am checking for malware for all types of file except executables and multimedia, which I am blocking explicitly. Is this a good design practice?

 

I was having a default action of pass; I have changed it to drop all traffic. Now my FMC pops up with the error "unable to communicate with dynamic analysis cloud". I have allowed all protocols from the Firepower sensor IP address.

12 Replies

yogdhanu
Cisco Employee

Hi Adam,

 

For the first question:

It could be that bug. Do you have the same conditions in that setup, like the firmware version and FTD HA?

It could be some other issue as well. I would suggest opening a TAC case for that, so the right issue can be isolated and fixed.

For the second question: although the screenshot does not show what the warning is (you can hover the mouse over the warning and it will show the message), it could just be that some of the files which are dynamic-analysis capable and local-analysis capable are also executables and multimedia, which are already blocked. So dynamic/local analysis for those files will not be done, because they are blocked anyway. If that's the error, it can safely be ignored.

 

For the third question:

It's not good practice to let FMC traffic pass through the FTD/FPR, but if you are doing that, panacea.threatgrid.com needs to be explicitly allowed on Firepower for port 443, and cloud-sa.amp.sourcefire.com for network AMP.

 

Hope it helps,

Yogesh
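The two cloud endpoints named in the reply above can be checked from the FMC shell itself. The script below is an added example, not something posted in this thread or supplied by Cisco: it opens a TLS connection to each host on 443 with a time cap, then prints the certificate issuer and OpenSSL's verify result, so a blocked path (no handshake at all) and a device in the path resigning the session (the issuer is that device's CA rather than a public one) can be told apart. It assumes `openssl` and coreutils `timeout` are present in the FMC root shell, which is not verified against any specific release, and the sample handshake output it carries is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): probe the two cloud
# endpoints from the FMC shell on TCP/443 and show who issued the server
# certificate. Assumes `openssl` and coreutils `timeout` exist on the FMC
# (not verified against a specific release). Usage: sh fmc_cloud_check.sh run

# Endpoints and port as given in the reply above.
CLOUD_ENDPOINTS="panacea.threatgrid.com:443 cloud-sa.amp.sourcefire.com:443"

# probe_tls HOST PORT -> raw `openssl s_client` output; empty if no handshake
# completes within 10 seconds (blocked path, DNS failure, cloud unreachable).
probe_tls() {
    timeout 10 openssl s_client -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null
}

# issuer_of S_CLIENT_OUTPUT -> issuer of the leaf certificate. A device doing
# SSL decryption in the path shows its own resigning CA here instead of a
# public CA, which is why the FMC IP should be exempt from decryption.
issuer_of() {
    printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# verify_code_of S_CLIENT_OUTPUT -> OpenSSL "Verify return code" (0 = chain ok).
verify_code_of() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# check_endpoint HOST PORT -> one summary line; returns 1 if no TLS handshake.
check_endpoint() {
    out=$(probe_tls "$1" "$2")
    if [ -z "$out" ]; then
        printf '%-32s FAIL  no TLS handshake within 10s\n' "$1:$2"
        return 1
    fi
    printf '%-32s OK    verify=%s issuer=%s\n' "$1:$2" \
        "$(verify_code_of "$out")" "$(issuer_of "$out")"
}

# check_all -> probes every endpoint; exit status 1 if any of them failed.
check_all() {
    rc=0
    for ep in $CLOUD_ENDPOINTS; do
        check_endpoint "${ep%:*}" "${ep##*:}" || rc=1
    done
    return $rc
}

# Constructed s_client output (not a real capture) showing what the parsers
# extract; a resigned session would carry the decrypting device's CA as issuer.
SAMPLE_OUTPUT='CONNECTED(00000003)
subject=CN = example.invalid
issuer=C = US, O = Example Public CA, CN = Example CA 1
---
    Verify return code: 0 (ok)'

# Only touch the network when asked; `demo` just parses the constructed sample.
case "${1:-}" in
    run)  check_all ;;
    demo) printf 'issuer=%s verify=%s\n' "$(issuer_of "$SAMPLE_OUTPUT")" \
              "$(verify_code_of "$SAMPLE_OUTPUT")" ;;
esac
```

Run it as `sh fmc_cloud_check.sh run` from the FMC root shell. A FAIL line means the FTD (or whatever sits in the path) never let the handshake complete; an OK line whose issuer is not a public CA means the session is being decrypted and resigned on the way out, which is the case where the FMC IP has to be bypassed or trusted.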

 

 

Dear

 

It could be that bug. Do you have the same conditions in that setup, like the firmware version and FTD HA?

No.

 

It could be some other issue as well. I would suggest opening a TAC case for that, so the right issue can be isolated and fixed.

Any hint you can give me so that I can check for it? Could it be because of policies where I have a deny statement above a permit statement, and then again a deny statement for some application traffic? Could it be because of that?

 

But it could just be that some of the files which are dynamic-analysis capable and local-analysis capable are also executables and multimedia, which are already blocked. So dynamic/local analysis for those files will not be done, because they are blocked anyway. If that's the error, it can safely be ignored.

 

Yes, exactly, that is the error.

 

Third question

panacea.threatgrid.com needs to be explicitly allowed on Firepower for port 443, and cloud-sa.amp.sourcefire.com for network AMP.

 

From the FMC and Firepower IP addresses I have allowed 80, 443 and 53. Are there any other ports that have to be allowed apart from these?

 

Thanks

 

Hi

 

There are no other ports to be allowed. Are you doing SSL decryption on Firepower? If yes, bypass the FMC IP from that, or create a trust rule for the FMC IP.

The policy error cannot be because of the rule actions. They may or may not match and give a warning about that, but not an error.

 

You can run pigtail on the FMC CLI in root mode and then reproduce the error. Stop the pigtail (it would be a huge output, so you may want to log the PuTTY output) and then check for that error and any related info (just before the error comes) which might help.

 

Hope it helps,

Yogesh
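Two practical additions to the pigtail suggestion above, as an added example that is not part of this thread and not a Cisco tool: run pigtail under `timeout` so it stops on its own after a fixed number of seconds (the alternative to stopping it by hand), writing to a file rather than the terminal since the output is large, and then pull out each error hit together with the lines that preceded it, which is the "related info just before the error" the reply asks for. It assumes `pigtail` is in PATH in the FMC root shell and that coreutils `timeout` exists; the per-line prefix layout in its constructed sample (a log tag, then a time, then the message) is an assumption about pigtail's output shape, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): capture pigtail for a
# fixed time so it stops by itself, then show each error hit with the lines
# just before it. Assumes `pigtail` is in PATH in the FMC root shell and that
# coreutils `timeout` exists (neither verified against a specific release).
# Usage: sh pigtail_triage.sh capture 60 /var/tmp/pigtail.log
#        sh pigtail_triage.sh context /var/tmp/pigtail.log 'Internal error' 20

# capture_pigtail SECONDS OUTFILE -> run pigtail for SECONDS into OUTFILE.
# Reproduce the error in the FMC UI while it runs. Output is large, so it
# goes to a file under /var/tmp; delete the file once the triage is done.
capture_pigtail() {
    timeout "$1" pigtail > "$2" 2>&1
    rc=$?
    # 124 means timeout stopped pigtail, which is the expected way to end here.
    [ "$rc" -eq 124 ] || [ "$rc" -eq 0 ]
}

# count_hits LOGFILE PATTERN -> number of lines matching the extended regex.
count_hits() {
    grep -Ec -- "$2" "$1"
}

# context_before LOGFILE PATTERN [N] -> every match plus the N lines before it
# (default 20), each block headed by its hit number and line number so several
# occurrences can be told apart. Like `grep -B`, but numbered per hit.
context_before() {
    awk -v pat="$2" -v n="${3:-20}" '
        { buf[NR % (n + 1)] = $0 }               # ring buffer of the last n+1 lines
        $0 ~ pat {
            hit++
            printf "--- hit %d at line %d ---\n", hit, NR
            for (i = NR - n; i <= NR; i++)
                if (i > 0) printf "%d: %s\n", i, buf[i % (n + 1)]
        }
    ' "$1"
}

# demo_context -> runs context_before over a constructed, pigtail-shaped
# sample (tag, time, message per line; the real prefix format may differ).
demo_context() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'ACTQ: 12:00:01 task queue idle' \
        'MOJO: 12:00:02 POST access policy edit' \
        'MOJO: 12:00:03 ERROR policy validation failed' \
        'ACTQ: 12:00:04 task queue idle' \
        'MOJO: 12:00:05 ERROR policy validation failed' > "$tmp"
    context_before "$tmp" 'ERROR' 1
    rm -f "$tmp"
}

case "${1:-}" in
    capture) capture_pigtail "${2:-60}" "${3:-/var/tmp/pigtail.log}" ;;
    context) context_before "$2" "$3" "${4:-20}" ;;
    demo)    demo_context ;;
esac
```

Start the capture, reproduce the policy edit or save in the UI, wait for the capture to end, then run `context` with a distinctive fragment of the pop-up text as the pattern. Searching for the exact message the UI shows, rather than a generic word like "error", keeps the hit list short enough to read.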

 

Dear Yogdhanu

Are you doing SSL decryption on Firepower?

Not for the FMC subnet, as it is the management VLAN.

 

Create a trust rule for the FMC IP.

I will create and test it; currently I am not in the office.

 

You can run pigtail on the FMC CLI in root mode and then reproduce the error. Stop the pigtail (it would be a huge output, so you may want to log the PuTTY output) and then check for that error and any related info (just before the error comes) which might help.

Also, I will try applying the above and will collect logs.

 

Thanks for the reply

Dears

 

Please find the warning snapshot.

 

My first rule is blocking all executables and multimedia, and the second rule does malware lookups for the types of file. Please confirm whether this is a best practice for configuring a file policy.

 

The trust rule worked fine without any errors.

 

If I start the pigtail, how can I stop it?

 

Thanks

Hello,

 

The rules are fine. The warning just explains that, because the first rule is to block the file itself, the system will not do a lookup for those files which it has to block anyway on extension.

You can use Ctrl+C to stop the output.

 

Rate if helps,

Yogesh

Thanks

Attached are the pigtails. I don't know how we can read them; is there any Cisco document, or is it only for TAC use?

 

The file policy which I have configured, is it a best practice as per Cisco?

I am facing an issue with file downloads. I try to download an exe file for a user who is allowed to download exes; the file starts downloading, but at the end, when it is 4%, 3% or 2% from finishing, it fails with a network error, although the logs say it is allowed.

thanks

 

Dear Yogdhanu,

Can you investigate the attached logs and share your experience?

 

thanks

Dears,

Can anybody help me with the above query?

thanks

qasim.saeed1
Level 1

I have the same issue in my Firepower and I don't know why; URL is also not working. Please guide us.

Error is Successfully connected with the cloud

FMC: Unable to communicate with dynamic analysis cloud.   

sachin garg
Level 1

I have the problem - ERROR DURING POLICY VALIDATION "Internal error..........."

 

I got the below steps from TAC.

Action taken:

  • Raised a TAC case, as this needs some scripts to be run.
  • TAC case initiated: 695290717.
  • TAC confirmed the same bug.
  • The TAC engineer mentioned raising a BU collab; the next engineer to join in the next 5 to 10 mins.
  • Bug ID - https://bst.cisco.com/bugsearch/bug/CSCvd40583

 

 

Next plan of action: TAC steps to run the script

  1. Take a backup of the FMC DB before executing this script.
  2. Copy the file InterfaceAndInterfaceObjectCleanUp.zip to the FMC under the location /volume/home/admin.
  3. SSH into the FMC with the admin user.
  4. Run “sudo su” and type in the password.
  5. Extract the compressed file with the command “unzip InterfaceAndInterfaceObjectCleanUp.zip”.
  6. Run “cd InterfaceAndInterfaceObjectCleanUp”.
  7. Run “chmod 777 InterfaceGroupCleanUp.sh”.
  8. Trigger the “InterfaceGroupCleanUp.sh” script by running the command: ./InterfaceGroupCleanUp.sh
  9. The script has been attached to the below folder.
  10. Needs to be done in a maintenance window.
  11. Interfaces may restart.
  12. The TAC engineer was not aware; the BU engineer joined the WebEx and told us this.
  13. Script files may be taken from TAC. Not able to attach them here.
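Steps 4 to 8 above run a script obtained from TAC as root on the FMC. The wrapper below is an added example, not part of this thread and not supplied by TAC: it refuses to extract or execute the archive unless its SHA-256 matches a value obtained from TAC out of band (the digest is a placeholder you must supply; none is on this page), lists the extracted contents into a log before anything runs, and gives the script owner-execute permission rather than chmod 777, which is unnecessary when the only caller is root. The archive and script names are the ones in the steps above; `sha256sum`, `unzip` and `tee` being present in the FMC root shell is an assumption not verified against a specific release.

```shell
#!/bin/sh
# Added example (not from the thread or from TAC): wrap steps 4-8 above so the
# archive is checked against a SHA-256 obtained from TAC out of band before
# anything is extracted or executed as root, the extracted contents are listed
# and logged, and the script gets owner-execute (u+x) rather than chmod 777.
# Archive and script names come from the steps above; the expected digest is a
# placeholder you must supply. Assumes sha256sum, unzip and tee exist in the
# FMC root shell (not verified against a specific release).
# Usage (after the FMC backup in step 1):
#   sh run_tac_cleanup.sh run <sha256-from-tac>

ARCHIVE=${ARCHIVE:-/volume/home/admin/InterfaceAndInterfaceObjectCleanUp.zip}
SCRIPT_DIR=InterfaceAndInterfaceObjectCleanUp
SCRIPT=InterfaceGroupCleanUp.sh
RUN_LOG=/var/tmp/InterfaceGroupCleanUp.$(date +%Y%m%d-%H%M%S).log

# sha256_of FILE -> lowercase hex digest only; fails if the file is unreadable.
sha256_of() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches (case-insensitive).
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# stage_and_run EXPECTED -> verify, extract, list, then execute with a log.
# Returns the cleanup script's own exit status, not tee's.
stage_and_run() {
    [ -n "${1:-}" ] || { echo "usage: run <sha256-from-tac>"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su) first"; return 1; }
    if ! verify_sha256 "$ARCHIVE" "$1"; then
        echo "SHA-256 mismatch for $ARCHIVE (got $(sha256_of "$ARCHIVE")); not running"
        return 1
    fi
    cd "$(dirname "$ARCHIVE")" || return 1
    unzip -o -q "$ARCHIVE" || return 1
    cd "$SCRIPT_DIR" || return 1
    # Know what is about to run as root: TAC said interfaces may restart.
    { echo "archive sha256: $(sha256_of "$ARCHIVE")"; ls -l; } | tee "$RUN_LOG"
    chmod u+x "$SCRIPT"
    # The brace group runs in a subshell, so its exit status is passed via a file.
    { ./"$SCRIPT" 2>&1; echo "$?" > "$RUN_LOG.rc"; } | tee -a "$RUN_LOG"
    read -r rc < "$RUN_LOG.rc"; rm -f "$RUN_LOG.rc"
    echo "exit status $rc; full output in $RUN_LOG"
    return "$rc"
}

case "${1:-}" in
    run) stage_and_run "${2:-}" ;;
esac
```

Keep the log file with the change record for the maintenance window; it ties the exact archive digest and file list to what was executed, which is what you want if the interfaces do restart and the change has to be explained later.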