cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1690
Views
0
Helpful
4
Replies

FireSight Health Critical: XX seconds since discovery event. How to troubleshoot?

Thomas Winther
Level 1
Level 1

Hi there

I have a new ASA Firepower setup with six test-clients running on it. Basic setup and policies in Firesight seems ok. Policies are blocking as expected.

But Firesight health monitor is in critical state on the Module Discovery Event Status with the message: "It has been xxxyyy seconds since discovery reported an event."
And I don't really know how to troubleshoot it.

 

Can you help, please?

 

//Thomas Winther

 

4 Replies 4

adhogan
Level 1
Level 1

What is your network discovery policy? 

My Network discovery policy looks like this: 

Networks:0.0.0.0/0,
Zone:"Inside"(which is my ASA inside interfaces from both ASAs in the HA setup),
No exclusions,
Action:Discover: Hosts, Applications.
 

..And a have a discovery line for my DMZs as well, looking like the one above, but specifying the subnets in DMZ and the DMZ Zones.

 

Advanced settings for the network discovery policy are default(update interval 3600, Event logging: all events enabled).

...

As default action for my only Access Control Policy, I have a custom IPS policy based on 'balanced security and connectivity'.

 

I would appreciate any good ideas...

Hello,

 

I have the very same issue with mi FirePOWER/FireSIGHT deployment.

 

I can collect data regarding Application Data (Traffic by Application, Dennied Connections, etc.), but nothing related "Network Discovery", nor "Intrusion Events".

As default action for Access Control Policy and Intrusion Prevention I have also custom IPS policy based on "Connectivity over security".

 

Any thoughts on this?

 

Regards,

 

Libera-TAC team.

My issue with the missing discovery events is solved, thanks to a clever consultant on the area...

As described above, I have a network discovery policy using security zones.

I just hadn't mapped the Firesight security zones to ASA interfaces correctly on both my ASAs in the HA setup. And while a had the definition correct on one box, apparently my HA-setup had fallen over to the other one.

So please, if you're using zone object, doublecheck the mapping to ASA interfaces under Devices/Device Management/Interfaces.

 

//Thomas

Review Cisco Networking for a $25 gift card