05-08-2015 06:42 AM - edited 03-12-2019 05:40 AM
I have two problems with FireSight/FirePower (ASA 5525).
First problem is that the custom HTTP response page, when I block some traffic by URL filtering, sometimes is not shown to the client. I'm applying the rule to different network segments tied to two different ASA interfaces (WiFi interface and Inside interface). In one of them the HTTP response is always shown (WiFi interface), but in the other (Inside interface) 50% of the time the connection is blocked without showing the HTTP response page to the client. The only difference between these two segments is that the Firepower management interface is connected to the inside network with an IP in the same network as the inside interface. Could this be the problem? Do I have to change the management interface to another IP network different from the inside network?
Second problem is that application filtering seems not to work correctly. I'm trying to block some traffic by application (dropbox, skype....) but some of them can still traverse the FirePower; for example I can check my dropbox files and download them without any problem. But in FireSight reports there are some blocked connections by the dropbox application.... This behavior also happens with other applications. In ASA I have a policy only to send the traffic flows from private networks (WiFi and Inside) to the FirePower module, but not the public traffic on the outside interface. Does anyone have any similar experience?
Manuals are not clear and I could not find "best practices" or troubleshooting for these specific problems.
Thanks.
05-12-2015 12:14 PM
Here is what I do and it works. I apply it to global policy instead of interfaces:
access-list SFR extended permit ip any any
class-map SFR
 match access-list SFR
policy-map global_policy
 class SFR
  sfr fail-open
Try it to see if it will resolve your intermittent issues. Also, make sure HTTPS is not used for the web blocking... It is not supported... It will block it, but not show the page...
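The redirect above only takes effect once the policy map is attached as the global service policy, and the fail-open keyword decides what the ASA does when the SFR module is down or overloaded. The following is an added, complete ASA snippet (not part of the reply above and not Cisco's own example) that shows both halves of that choice and the commands to verify the module is actually receiving traffic; the interface and object names are assumptions.

```cisco
! Match every flow crossing the ASA and hand it to the SFR module.
access-list SFR extended permit ip any any
class-map SFR
 match access-list SFR
!
policy-map global_policy
 class SFR
  ! fail-open: if the SFR module is unavailable, traffic is forwarded
  ! UNINSPECTED. Convenient while troubleshooting, but URL and
  ! application blocking silently stop being enforced.
  sfr fail-open
!
! Hardened alternative for the same class: drop traffic when the
! module is unavailable, so a module fault cannot bypass filtering.
! (Use one or the other; both are shown only for comparison.)
! policy-map global_policy
!  class SFR
!   sfr fail-close
!
! The policy map must be applied globally or nothing is redirected.
service-policy global_policy global
!
! Verification: confirm the module is up and that packet counters on
! the SFR class increase for flows from BOTH the inside and WiFi
! segments, which rules out a redirect gap before looking elsewhere.
! show module sfr details
! show service-policy sfr
```

If the class counters in show service-policy sfr stay at zero for one interface while the other climbs, the intermittent missing block page is a redirection problem on the ASA side rather than a FirePower policy problem.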
05-15-2015 04:28 AM
Thanks Pavel,
already done, also applied some downloaded updates, but the behaviour is the same. No HTTP response page most of the time, or even allowing traffic to sites like playboy.com. I read that creating a rule just to monitor before blocking solved some problems, but in my case even applying monitor rules it does not work.
Also having problems with User Agent 2.2, with unstable behavior, not being able to recognise users.
05-20-2015 12:36 PM
I would enable logging on all Access rules to make sure we see the traffic in Connection -> Events.
UA 2.2, do you see any users that get reported to FSMC? Make sure your AD logs user logins..
05-22-2015 07:06 AM
Yesterday I upgraded to release 5.4.0.2 in the sensors and 5.4.1.1 in the DC and it seems to work much better. The HTTP response page is showing on all clients and browsers. I have to check application blocking in detail.
But I am still having problems with the user agent; it does not report to the DC. It is always in "unknown" state.
05-22-2015 12:59 PM
Re the User Agent problem, have you also created an LDAP connection (under Policies > Users)? That's a necessary additional step.
05-25-2015 12:22 AM
Yes Marvin, already done.
The problem is that from the User Agent the DC connection is always in "unknown" state. But from the test tool the connections with DC and AD are successful.
I have a TAC case opened waiting for response.
06-08-2015 07:50 AM
Finally the TAC engineer resolved my case just by deleting the user agent from the DC a couple of times, adding it again, and stopping the services on the User Agent server and restarting them again a couple of times. Checking logs and rebooting the server.....
It seems User Agent is not as stable as it should be.
06-08-2015 07:56 AM
Thanks for updating us with the resolution. I'll pass that input on to the BU while I'm at Cisco Live! this week - I've had issues of my own kicking it into working order.
06-08-2015 08:00 AM
Thanks Marvin. Appreciated