Firesight drops all traffic and stops the business

fleo74380
Level 1

Hi all,

I am seeking some help with an issue I am facing with an ASA and FireSIGHT.

To briefly explain, our company provides IT infrastructure to small companies. Basically, the clients connect via RDP from the internet to our systems, and our ASA firewall NATs the traffic inside to the appropriate server (even though it is not super secure :( ), and they get their working environment in our datacenter.

I am using FireSIGHT with a TAMC licence (URL filtering, malware, IPS) and it is working well, BUT:

- Regularly, FireSIGHT blocks ALL traffic, which completely stops the business

- Some servers inside are considered compromised (CnC Connected - The host may be under remote control)

When this happens, I need to connect to the ASA (which is the only device I can connect to) and deactivate the Firepower inspection in the service policy rules. It looks like every time there is a threat or anything that looks compromised, all the traffic is stopped and we totally lose access to our datacenter (which we work on remotely).

Some help would be very much appreciated.

Thanks

Emmanuel

10 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

There could be multiple reasons for such behavior. What version of SFR are you currently on?

The most common one could be if you have a file inspection policy in place and have the inspect archive option enabled; disable it, apply the policy, then observe whether you see the same behavior.

I would also advise you to open a TAC case for the same, because this would require looking at the logs at the time of the issue.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi, and thank you for your answer.

I have updated the Defense Center to the latest 5.4.1.5 version yesterday evening.

I am running   asasfr-5500x-boot-5.4.1-211.img in my ASA flash.

What I also did is move the IPS base policy to "no rules active".

Also important to say is that I deactivated CnC from the blacklist (after having done that, FireSIGHT unflagged all the RDP servers as "compromised").

Today I did not have any connection outage, but I am not sure whether it was the FireSIGHT upgrade, the "no rules active" or the removal of CnC from the blacklist that helped.

Any ideas ?

Hi,

It could probably be the intrusion policy. Are you using the default policy? Did you check if there is any file policy in there?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi

I am not using the default policy but one that I've created (I moved the base policy to "no rules active" for now). Also, the "intrusion policy used before access control rule is determined" is set to "no rules active" now.

I also moved the "default network analysis policy" to "Connectivity over Security".

Basically, I tried to reduce the level of control from the IPS as much as possible.

Yes, in my access control list I applied some file policy checks (it analyses all types of files in transit and checks for malware), and I applied it to all traffic from outside to inside.

We have not had any outages since I modified these parameters, but I am closely monitoring the network.

Question about FireSIGHT: is it normal that if the IPS detects an intrusion or threat, it would stop all traffic from passing through the ASA?

Thanks

Emmanuel

Hi,

Did you resolve the "block all traffic" issue?

I have two sensors, and one of them began to block all traffic this morning.

Hi,

What kind of sensors are they? If it is an ASA SFR module, do you see that they are up and running?

Check the connection events in Defense Center and see if you get any blocks during that time.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

The sensor that failed is an ASA 5516-X, running v5.4.1.4. The module seemed to be running, as the DC was receiving logging data from it. According to the logging it was allowing and blocking traffic as expected from the access control policy. Yet nothing was actually passing. When I changed the ASA service policy to "monitor only", traffic was passing again. I am able to apply an access policy to the sensor, so it seems to be functional.

I would very much like to figure out what happened, maybe an internal log showing an error in the sensor (?), but where to look?

Now I am upgrading the sensor to 5.4.1.6.
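The two workarounds described in this thread (deactivating the Firepower inspection in the ASA service policy, and switching the ASA service policy to "monitor only") are both changes to the ASA-side redirect into the SFR module. The stanzas below are an added example, not configuration posted by anyone in the thread; the class-map and policy-map names (sfr_class, global_policy) are assumptions and should be replaced by the names in your own running config. They show the three states of the redirect side by side, plus the two show commands worth capturing while an outage is still in progress.

```cisco
! Added example, not from the thread. Names sfr_class / global_policy are assumed.

! 1. Inline inspection, fail-open: the module's verdicts are enforced, but if
!    the SFR module itself becomes unavailable (rebooting, upgrading, crashed)
!    the ASA keeps forwarding the matched traffic uninspected.
class-map sfr_class
 match any
policy-map global_policy
 class sfr_class
  sfr fail-open
service-policy global_policy global

! 2. Inline inspection, fail-close: same enforcement, but if the module is
!    unavailable the matched traffic is dropped. With "match any" that is a
!    complete outage for everything through the box.
policy-map global_policy
 class sfr_class
  sfr fail-close

! 3. Monitor-only: the module receives a copy of the traffic and still produces
!    connection and intrusion events, but none of its block verdicts are
!    enforced by the ASA. This is the state the post above switched to in
!    order to get traffic flowing again.
policy-map global_policy
 class sfr_class
  sfr fail-open monitor-only

! Capture these from the ASA before changing the policy, so the state at the
! time of the outage is preserved for a TAC case.
show module sfr details
show service-policy sfr
```

Caveat: fail-open and fail-close only decide what the ASA does when the module is unavailable. They have no effect when the module is up and returning drop verdicts, which matches the situation described above (module status up, Defense Center still receiving events, nothing passing). In that case only monitor-only, or removing the sfr action from the class, takes the verdicts out of the forwarding path; the events the module logs in monitor-only mode still read as "Block" even though the traffic was allowed through.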

Hi,

I didn't really find the solution, but did kind of a workaround.

Basically, I have deactivated CnC, so FireSIGHT is not flagging up these alerts and is not blocking all traffic anymore. The problem is that we are vulnerable to CnC now.

If you are using the IPS feature, you should maybe try to deactivate the one that is blocking your traffic and see if it is still blocking your traffic. Then maybe do further analysis to pinpoint the exact issue.

Let us know if upgrading your sensor solves the issue :)

Hi,

Was the issue observed for a specific IP, or did you test it from other IPs as well?

Ideally it should only block the traffic for which the signature was triggered.

Did you get any other alert as well which might have caused the entire traffic outage?

Thanks,

Ankita

pr3d4t0r_gr
Level 1

I faced the same issue also.

As Aastha said: "The most common one could be if you have a file inspection policy in place and have the inspect archive option enabled; disable it, apply the policy, then observe whether you see the same behavior."

When I disabled the inspect archive option I didn't have any issues.
