08-13-2024 06:40 AM
ASA 5555x with firepower - 9.14 latest interim
SFR modules and FPMCv at 6.4 latest interim
Suddenly on a Monday morning at 8am, latency through our ASA 5555x firewall spiked from its usual <10ms to over 3000ms and it started dropping packets. Voice calls failed. We started getting alerts from systems we monitored, and internet connectivity was slow to nonexistent. This is when most of our users log in: connection rates go up to 100-200/s, and total connections go from about 8000 to 20000. We had not made any recent changes other than upgrading some AnyConnect clients to version 5.1.
Now, the problem happens every Monday at 8am, and calms down by about 9am. It also happens a little less at 8am every work day. It happened on a Tuesday at 8am when we were closed on Monday, so it's certainly correlated to increased internal traffic going out.
To try and resolve it we made sure we were on the latest fixes (Firepower pending), looked for DDoS, shunned some internal IPs tripping threat detection rates, but nothing has worked except bypassing the Firepower module entirely. So, we think the issue is thus with the Firepower module, or the config, but since nothing changed, we can't find the reason.
Where should I look to try and get more information on what's going on?
08-19-2024 06:41 AM
Updating FPMC and SFR and/or bypassing SFR for some traffic so far seems to have resolved it.
08-13-2024 06:41 AM
Also, we are working with our 3rd party Cisco support engineer, but have not been able to resolve this yet.
08-13-2024 08:04 AM
You mentioned that the internal traffic makes the ASA highly utilized; then you need to change the GW of the hosts to another L3 device and make the ASA only inspect traffic when a host wants to access the internet.
MHM
08-13-2024 08:58 AM
08-13-2024 09:49 AM
Thanks, I will take a look.
08-15-2024 01:22 PM
No real new information from testing, so the next step is we are going to update the FPMC and SFR modules and then change the service policy to bypass inspection for some traffic. So far, disabling inspection entirely is the only thing that resolves this.
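As an added illustration of the "bypass inspection for some traffic" step above (constructed example, not the poster's configuration, and not an official Cisco sample): an ASA service policy that redirects only traffic leaving the assumed RFC 1918 internal ranges to the SFR module, so internal-to-internal flows are no longer queued behind the module during the 8am login surge. The subnets, ACL name and class-map name are placeholders.

```cisco
! Constructed example: redirect only traffic that is NOT internal-to-internal.
! Assumed internal ranges: 10.0.0.0/8 and 192.168.0.0/16 (adjust to your network).
access-list SFR_REDIRECT extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list SFR_REDIRECT extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list SFR_REDIRECT extended deny ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list SFR_REDIRECT extended deny ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
! Everything else (internet-bound, VPN users, etc.) is still sent to the SFR module.
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  ! fail-open keeps forwarding if the module is unresponsive; use fail-close
  ! instead if dropping traffic is preferable to passing it uninspected.
  sfr fail-open
!
service-policy global_policy global
```

Flows matching the `deny` lines are not inspected by the module at all, so this trades visibility on internal-to-internal traffic for throughput; `show service-policy sfr` shows which packets are being redirected after the change.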
08-17-2024 07:10 AM
Show conn long
See the top ten traffic rates; if the traffic is internal, then as I suggested before, make internal traffic bypass the FTD (change the GW of the internal hosts).
MHM