FireSight Health Critical: XX seconds since discovery event. How to troubleshoot?

Thomas Winther
Level 1

Hi there

I have a new ASA Firepower setup with six test-clients running on it. Basic setup and policies in Firesight seem ok. Policies are blocking as expected.

But Firesight health monitor is in critical state on the Module Discovery Event Status with the message: "It has been xxxyyy seconds since discovery reported an event."
And I don't really know how to troubleshoot it.

 

Can you help, please?

 

//Thomas Winther

 

4 Replies

adhogan
Level 1

What is your network discovery policy? 

My Network discovery policy looks like this: 

Networks: 0.0.0.0/0,
Zone: "Inside" (which is my ASA inside interfaces from both ASAs in the HA setup),
No exclusions,
Action: Discover: Hosts, Applications.
 

...And I have a discovery line for my DMZs as well, looking like the one above, but specifying the subnets in DMZ and the DMZ Zones.

 

Advanced settings for the network discovery policy are default (update interval 3600, Event logging: all events enabled).

...

As default action for my only Access Control Policy, I have a custom IPS policy based on 'balanced security and connectivity'.

 

I would appreciate any good ideas...

Hello,

 

I have the very same issue with my FirePOWER/FireSIGHT deployment.

 

I can collect data regarding Application Data (Traffic by Application, Denied Connections, etc.), but nothing related to "Network Discovery", nor "Intrusion Events".

As default action for Access Control Policy and Intrusion Prevention I also have a custom IPS policy based on "Connectivity over security".

 

Any thoughts on this?

 

Regards,

 

Libera-TAC team.

My issue with the missing discovery events is solved, thanks to a clever consultant on the area...

As described above, I have a network discovery policy using security zones.

I just hadn't mapped the Firesight security zones to ASA interfaces correctly on both my ASAs in the HA setup. And while I had the definition correct on one box, apparently my HA-setup had fallen over to the other one.

So please, if you're using zone objects, double-check the mapping to ASA interfaces under Devices/Device Management/Interfaces.

 

//Thomas
