
Firepower module in 5512-X denying all traffic (failing closed) after 6.0 upgrade

mythosmc1
Level 1

Are there any known reasons why a firepower module would lock up fail-closed?

I've seen this happen to both a 5512-X and a 5525-X, the firepower module becomes locked up and the only way to allow traffic is to switch the service policy off in the ASA.

6 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

These are the three modes you can set on the ASA:

The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode for more information.

If the firepower module goes down then yes, the traffic will be dropped. But when you say locked up, what exactly do you mean?

Check the status of the module by the command : show module sfr detail

Also let me know the version of ASA and SFR.

Regards,

Aastha Bhardwaj

Rate if that helps!!!
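The three modes described in the reply above, as an added ASA configuration example that is not from the original thread. The class-map and policy-map names are illustrative; the `sfr` keyword and the show commands are the ASA's own:

```cisco
! Added example (not from the thread): ASA service policy that redirects
! traffic to the FirePOWER (sfr) module. Class/policy names are illustrative.
class-map sfr-class
 match any
!
policy-map global_policy
 class sfr-class
  ! Inline; block everything if the ASA declares the module unavailable:
  sfr fail-close
  ! Inline; pass traffic uninspected if the module is unavailable
  ! (only one sfr line is in effect per class, the last one entered wins):
  ! sfr fail-open
  ! Inline tap: the module gets a read-only copy and can never drop anything:
  ! sfr fail-open monitor-only
!
service-policy global_policy global
!
! Verification, run while the problem is occurring and before removing the policy:
! show module sfr detail     <- Data Plane Status / App. Status as the ASA sees them
! show service-policy sfr    <- mode in effect plus packet input/output/drop counters
! show asp drop              <- ASA-side drop reasons accumulating during the outage
! To take the module out of the path without deleting the policy:
! no service-policy global_policy global
```

Note that `sfr fail-open` only changes what the ASA does once it marks the module unavailable (the status fields in `show module sfr detail` go Down). A module that still reports Up but is not returning packets is not "unavailable" in that sense, so fail-open will not rescue it; in that case the `show service-policy sfr` counters (packet input still rising while packet output does not) taken during the event are the evidence worth attaching to a TAC case.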

This was happening on both 5.4.1.1-33 and version 6.

I am having trouble understanding what you mean by monitor-only mode; are you recommending that I use that?

I am not entirely sure if the module is locked up, but some event happens and firepower begins to block all outgoing traffic until the service policy is disabled.

I have since rebooted the module, so this output is probably useless:


Result of the command: "show module sfr detail"

Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5512
Hardware version: N/A
Serial Number: FCH1902JC39
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: b0aa.7796.5920 to b0aa.7796.5920
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 172.16.x.zzz 
Mgmt IP addr: 172.16.x.xxx 
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 172.16.x.yyy 
Mgmt web ports: 443
Mgmt TLS enabled: true

Hi,

I would recommend using fail-open mode so that if the module goes down the traffic still continues to pass. Also check the status of the module when the issue happens, before disabling the service-policy.

Also, if the status of the module is up, you can check the connection events and see if the traffic is being blocked. Are there any signs of oversubscription on the module, i.e. do you have a lot of traffic passing through the SFR module?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

After some browsing on here I am hoping it has something to do with this bug,

https://tools.cisco.com/bugsearch/bug/CSCut39253/?reffering_site=dumpcr

I have 3 clients with firepower, only one of them is without this issue, and I believe the one that doesn't have any issues isn't using AMP/file protection features.

This seems like a pretty serious 'bug'; is there anywhere I can sign up for bulletins for these types of issues?

Hi,

Yes, if on the bug page you click "Save Bug" you will be subscribed to it, and you will get an option to receive notifications for it on a weekly or monthly basis.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Jarrad Thomas
Level 1

I have this problem too. I have the service-policy set to fail-open, though it isn't working as expected. The SFR module still states it is up / up and normal operation, however no traffic is passed when inline.

A reboot of the module fixes it temporarily. Or setting the service policy to monitor-only (this resumes traffic flow through the ASA, but the firepower module doesn't log any of the traffic).

I can't find any syslogs at the time of the failure. Are there some debugs I can run? It generally lasts between a day and a week before failing again.
