Firepower 1140 is causing TCP misbehaviour

swscco001
Level 3

Hello everybody,

our customer has an FMCv 7.0.5 and an HA cluster of two Firepower 1140 running 7.0.5 too.

Currently the secondary firewall is the active one.

The customer complained that he cannot access several web servers using TCP 443.

The Chrome browser shows the error message: Unexpectedly Closing the Connection

In the event log I just see ALLOW messages when the customer is accessing from
the source IP 10.50.32.10 the web server IP 10.50.24.4 (see attached screen dump).

The capture on the inside and outside interface looks weird regarding TCP.
Both pcap-files are attached.

Then we decided to change to the primary firewall as the active one. Thereafter
he could access all the web servers again.

Is there any idea what could cause such behaviour and how we could encircle
the reason for the issue?

All hints are welcome.

Thanks a lot!

Bye
R.

2 Replies

hemohemoh
Level 1

Hi @swscco001,

This issue could be related to the TCP state bypass feature. This feature allows traffic to bypass the access control policy lookup and therefore avoid any drops due to an out-of-order packet. You can try to check if this feature is enabled on the secondary firewall and if disabling it resolves the issue.

Another possible cause could be related to asymmetric routing. Asymmetric routing occurs when packets take different paths in one direction than they do in the other direction. This can cause issues with stateful firewalls like Firepower, as they expect to see both sides of a connection. You can try to check if there is any asymmetric routing in your network and if so, try to resolve it.

It is also possible that there might be some issue with the inspection of traffic on TCP port 443. You can try to check if there are any inspection policies configured for this port and if disabling them resolves the issue.

Rgds.
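An added example, not from this thread or from Cisco, of the check behind the asymmetric-routing point above: a standard-library Python parser that reads a classic libpcap file such as the inside/outside captures mentioned in the question and lists the TCP flows seen in only one direction. The file format (little-endian libpcap, Ethernet link type) and the sample packets are constructed assumptions; only the addresses are taken from the question.

```python
import struct
from collections import defaultdict
SYN, ACK = 0x02, 0x10

def tcp_packets(data):
    """Yield (src, dst, sport, dport, flags) for each Ethernet/IPv4/TCP frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, tcp[13])

def one_sided_flows(data):
    """Return (client, server, server_port) flows seen in only one direction."""
    seen = defaultdict(set)
    for src, dst, sport, dport, _flags in tcp_packets(data):
        if sport > dport:                      # the ephemeral-port side is the client
            seen[(src, dst, dport)].add("client->server")
        else:
            seen[(dst, src, sport)].add("server->client")
    return sorted(k for k, dirs in seen.items() if len(dirs) == 1)

def _frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame for the sample below (checksums left zero)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    return b"\x00" * 12 + b"\x08\x00" + ipv4 + tcp

def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample, not the customer's capture: one healthy handshake, plus the
# thread's 10.50.32.10 -> 10.50.24.4:443 flow where only the client's SYNs appear.
SAMPLE_PCAP = _pcap([
    _frame("10.50.32.11", "10.50.24.4", 51000, 443, SYN),
    _frame("10.50.24.4", "10.50.32.11", 443, 51000, SYN | ACK),
    _frame("10.50.32.10", "10.50.24.4", 52000, 443, SYN),
    _frame("10.50.32.10", "10.50.24.4", 52000, 443, SYN),
])
print(one_sided_flows(SAMPLE_PCAP))           # [('10.50.32.10', '10.50.24.4', 443)]
```

Run it against the real inside and outside captures by replacing SAMPLE_PCAP with the file contents: a flow that is one-sided on one interface but complete on the other is the signature of the asymmetric path the reply describes.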

rhingel
Cisco Employee

I would run a system support trace from the FTD CLISH (the prompt with >); make sure you run it with the specific source & destination IP and ports to avoid a messy log.

Make sure your PuTTY/terminal is logging the output to an external file.

Once the error shows up on the browser, check the logging output.
