08-17-2019 05:44 AM - edited 02-21-2020 09:24 AM
Hello!
I have an ASA with FirePOWER (no AMP and URL), and have many (over 10) zones.
Yesterday my SIP server sometimes lost registration, and voice also had poor quality.
I tried to ping 8.8.8.8 and got a floating delay from 25 to 500(!) ms.
I excluded the SIP server traffic from the FirePOWER module and got a delay of about 23-25 ms.
I changed the active ASA (also with FirePOWER), and at first the delay was normal, but not for long. How can I understand what traffic makes FirePOWER unusable?
PS:
I do not have high traffic, but I have many connections from outside to my web (HTTPS) server.
08-17-2019 10:23 PM
What version are you running? There is a bug with 6.3 that can affect observed ICMP latencies.
08-18-2019 12:40 AM
Hi.
6.3 and now 6.3.13.
I have delay not only on ICMP; SIP and DNS are also delayed.
In the bug reference I see a workaround (disable hardware SSL acceleration), but I do not use decryption.
What method of diagnostics can you recommend in a case like this?
Thank you!
08-18-2019 03:44 AM
They turned on "enable by default" behavior in 6.3. That has an unanticipated negative impact - even though you are not using the feature.
The BugID only indicates icmp traffic is affected by the bug; but it may be that they didn't get any user reports of SIP and DNS traffic from users and thus haven't noted those are affected.
You can go ahead and disable it from the CLI (reboot required for it to take effect).
And - yes - it is configured from the CLI. It's one of the few features that is done that way with FTD.
08-18-2019 05:28 AM - edited 08-18-2019 05:31 AM
Sorry, I provided the wrong version:
ZES-ASA01/pri/act# sh module sfr
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5515            FCH18217YHB

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
 sfr f40f.1b76.d347 to f40f.1b76.d347  N/A          N/A          6.2.3.13-53

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.2.3.13-53

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up
And I think the workaround is not applicable for me; the sfr module does not accept the commands:
system support ssl-hw-offload disableFTD
system support ssl-hw-force-offload-disable
08-18-2019 05:36 AM
Ah, correct - sorry, that command is for FTD only. You did say you are using an ASA with the Firepower service module.
Are you inspecting ICMP, SIP and DNS in your ASA config? What is the ASA version (not the Firepower version)?
08-18-2019 05:46 AM
Cisco Adaptive Security Appliance Software Version 9.6(4)3
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
  inspect icmp error
 class IPS-CM
  sfr fail-open
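The exclusion the original poster describes at the top of the thread (taking the SIP server's traffic out of the FirePOWER module), written out as an ASA configuration fragment. This is an added example, not the poster's configuration: the ACL name SFR_REDIRECT and the address 192.0.2.10 are assumed placeholders, while the class name IPS-CM and the sfr fail-open action come from the config posted above.

```text
! Added example, not the poster's config. Only traffic that matches a
! "permit" line in the redirect ACL is sent to the sfr module; a "deny"
! line means "do not redirect", the ASA still forwards that traffic and
! still applies its own "inspect sip" from class inspection_default.
! 192.0.2.10 is a constructed placeholder for the SIP server.
access-list SFR_REDIRECT extended deny ip host 192.0.2.10 any
access-list SFR_REDIRECT extended deny ip any host 192.0.2.10
access-list SFR_REDIRECT extended permit ip any any
!
class-map IPS-CM
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class IPS-CM
  sfr fail-open
!
! Caveat: the excluded host loses the module's IPS/file coverage, so keep
! the exclusion list short and review it once the latency cause is found.
! fail-open keeps traffic flowing if the module is down; fail-close would
! drop it instead.
!
! Verify which traffic is being redirected (counters per class):
!   show service-policy sfr
! and that the module itself is up:
!   show module sfr
```

Running `show service-policy sfr` before and after the change, and pinging from the excluded host versus a non-excluded one, isolates whether the added latency comes from the redirect path rather than the ASA itself.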
08-19-2019 01:43 AM
Everything appears in order with your config.
I'd suggest opening a TAC case for a more detailed look in real time.
01-03-2020 01:40 PM
Did we have a resolution to this? Oleg, were you able to resolve this with TAC?
02-16-2021 03:35 AM
We have the same problem with 6.6.1-91 and an ASA 5555x. Any new ideas?
02-16-2021 07:51 AM
After upgrading FP and excluding a lot of traffic from it, we have no problem.