Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1967
Views
9
Helpful
4
Replies

Firesight not showing Real Time Eventing

pzivotic1
Level 1
Level 1

‎12-23-2015 05:38 AM - edited ‎03-12-2019 05:51 AM

Hello all,

On ASA 5508 with firepower, ASDM ASA firepower monitoring/real time eventing not showing any logs.  Access control policy have logging enable

( Log at Beginning and End of Connection ) and send to Event viewer is checked. On dashboard i have reporting working well.

Can someone help me with this issue? I have provide screenshot below.

Regards

Petar

2 people had this problem
Labels:
Preview file
66 KB
0 Helpful
4 Replies 4

Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎12-23-2015 10:38 AM

Hi,

On ASA , i hope the traffic is being redirected to the SFR , you can verify that by : show service-policy sfr and see the packets increasing.

Go on Access control policy and check if Logging is enabled on it and then also on right hand corner you have the window to increase the time frame , increase that for a week and see if you get any events out there.

If all of that is fine check on the sensor:

/var/sf/detection-engine , press tab and then go to instance
/var/sf/detection-engine/*/instance-1 ,Check for conn-unified bookmark file , see what date it was updated.

Also check the below on SFR :

pmtool status |grep SFData

SFdatacorrelator service should be running , otherwise you can try restarting it and see if that helps.

Regards,

Aastha Bhardwaj

Rate it that helps!!!

pzivotic1
Level 1
Level 1
In response to Aastha Bhardwaj

‎12-24-2015 01:34 AM

Hello Aastha,

Traffic is being redirected but when i checked with "show service-policy sfr", i noticed  "SFR: card status Down, mode fail-open". I rebooted SFR but still, issue occured again "Card status down".

Also in ASA Firepower status "Data plane status" is down

Do You have idea how to bring it up?

Thank You kindly

Petar

0 Helpful

Aastha Bhardwaj
Cisco Employee
Cisco Employee
In response to pzivotic1

‎12-24-2015 10:02 AM

Hi,

If you have reloaded the module and still the data plane status is down then we need to get that up first.

Try : sw-module module sfr reset and see if that helps.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

pzivotic1
Level 1
Level 1
In response to Aastha Bhardwaj

‎12-24-2015 11:23 PM

Hello Aastha, I did that and data plane status came up.That is great.Now packet increase and i got firepower reporting but still no real time.When i check /var/sf/detection_engines/*/instance-1 there were non conn-unified bookmark file only conn-unified.log with todays date.Also when i click on access policy i dont have policy editor no more,default policy window is opened instead in which i dont have window to increase time. SFdatacorrelator service is running.What next? Kind regards Petar
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card