FirePOWER add latency without any visible reason
08-17-2019 05:44 AM - edited 02-21-2020 09:24 AM
Hello!
I have an ASA with FirePOWER (no AMP and URL) and have many (over 10) zones.
Yesterday my SIP server sometimes lost registration, and voice also had poor quality.
I tried to ping 8.8.8.8 and got a floating delay from 25 to 500 ms!
I excluded the SIP server traffic from the FirePOWER module and got a delay of about 23-25 ms.
I changed the active ASA (also with FirePOWER) and at first the delay was normal, but not for long. How can I understand what traffic makes FirePOWER unusable?
PS:
I do not have high traffic, but I have many connections from outside to my web (https) server.
Helping seriously ill children, all together. All information about this, is posted on my blog
Labels: NGFW Firewalls
08-17-2019 10:23 PM
What version are you running? There is a bug with 6.3 that can affect observed icmp latencies.
08-18-2019 12:40 AM
Hi.
6.3, and now 6.3.13.
I have delay not only on ICMP; SIP and DNS are also delayed.
In the bug reference I see the workaround (disable hardware SSL acceleration), but I do not use decryption.
What method of diagnostics can you recommend in a case like this?
Thank you!
08-18-2019 03:44 AM
They turned on "enable by default" behavior in 6.3. That has an unanticipated negative impact - even though you are not using the feature.
The BugID only indicates icmp traffic is affected by the bug; but it may be that they didn't get any user reports of SIP and DNS traffic from users and thus haven't noted those are affected.
You can go ahead and disable it from the CLI (reboot required for it to take effect).
And - yes - it is configured from the cli. It's one of the few features that is done that way with FTD.
08-18-2019 05:28 AM - edited 08-18-2019 05:31 AM
Sorry, I provided the wrong version:
ZES-ASA01/pri/act# sh module sfr
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
sfr  FirePOWER Services Software Module           ASA5515            FCH18217YHB
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
sfr  f40f.1b76.d347 to f40f.1b76.d347  N/A          N/A          6.2.3.13-53
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr  ASA FirePOWER                  Up               6.2.3.13-53
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
sfr  Up                 Up
And I think the workaround is not applicable to me; the sfr module does not accept the commands:
system support ssl-hw-offload disable
system support ssl-hw-force-offload-disable
08-18-2019 05:36 AM
Ah, correct - sorry, that command is for FTD only. You did say you are using ASA with the Firepower service module.
Are you inspecting icmp, sip and dns in your ASA config? What is the ASA version (not Firepower version)?
08-18-2019 05:46 AM
Cisco Adaptive Security Appliance Software Version 9.6(4)3
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect icmp error
 class IPS-CM
  sfr fail-open
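As an added example (not code from this thread), here is a small Python script that parses `show module sfr` output and policy-map text of the kind posted above, so the module version, application type, which of the latency-affected protocols are inspected, and the sfr fail mode can be checked by script across many ASAs. The sample inputs are constructed from the output in this thread; the `triage` function and its keys are my own naming.

```python
# Constructed sample, copied from the "sh module sfr" output in this thread.
SHOW_MODULE_SFR = """\
Mod Card Type Model Serial No.
sfr FirePOWER Services Software Module ASA5515 FCH18217YHB
Mod SSM Application Name Status SSM Application Version
sfr ASA FirePOWER Up 6.2.3.13-53
"""
# Constructed sample, trimmed from the policy-map posted in this thread.
POLICY_MAP = """\
policy-map global_policy
 class inspection_default
  inspect sip
  inspect icmp
  inspect icmp error
 class IPS-CM
  sfr fail-open
"""

def parse_show_module_sfr(text):
    # Split on whitespace so aligned and copy-paste-flattened output parse alike;
    # the last "Mod ..." header line says which sub-table an "sfr" row belongs to.
    info, header = {}, ""
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["Mod"]:
            header = line
        elif tokens[:1] == ["sfr"] and "Card Type" in header:
            info["model"], info["serial"] = tokens[-2], tokens[-1]
        elif tokens[:1] == ["sfr"] and "SSM Application Name" in header:
            info["application"] = " ".join(tokens[1:-2])
            info["status"], info["version"] = tokens[-2], tokens[-1]
    return info

def parse_policy_map(text):
    # Collect every "inspect <proto>" line and the "sfr fail-open|fail-close" action.
    policy = {"inspections": [], "sfr_mode": None}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["inspect"]:
            policy["inspections"].append(" ".join(tokens[1:]))
        elif tokens[:1] == ["sfr"]:
            policy["sfr_mode"] = " ".join(tokens[1:])
    return policy

def triage(module, policy, protocols=("icmp", "sip", "dns")):
    # The FTD-only "system support ssl-hw-offload" CLI does not exist on the
    # ASA FirePOWER services module, so flag that before anything else.
    return {"version": module.get("version"),
            "ftd_ssl_offload_cli_applies": module.get("application") != "ASA FirePOWER",
            "inspected": {p: p in policy["inspections"] for p in protocols},
            "sfr_mode": policy["sfr_mode"]}
```

Feed the two functions the text captured from `show module sfr` and `show running-config policy-map` and compare the `triage` result across the active and standby units.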
08-19-2019 01:43 AM
Everything appears in order with your config.
I'd suggest opening a TAC case for a more detailed look in real time.
01-03-2020 01:40 PM
Did we have a resolution to this? Oleg, were you able to resolve this with TAC?
01-03-2020 01:47 PM
02-16-2021 03:35 AM
We have the same problem with 6.6.1-91 and an ASA 5555-X. Any new ideas?
02-16-2021 07:51 AM
After upgrading FP and excluding a lot of traffic from it, we have had no problems.
