Solved: FMC IPS Critical Alert

Adnan Khan · ‎05-12-2020

Hi, I am getting an alert on Cisco FMC for IPS. The Snap is attached. Is that normal or we have any fix for that?

Marvin Rhoads · ‎05-12-2020

It will stop all interface alerts. Unfortunately you cannot choose among the interfaces to which this Health Monitor applies.

But then FMC isn't really the right tool to monitor your interfaces - an NMS like PRTG, SolarWinds, Prime Infrastructure etc. is better suited for that task.

Later releases of Firepower fix the issue - I'm not sure exactly which one addressed it but it's fixed in the current 6.6 release.

View solution in original post

Marvin Rhoads · ‎05-12-2020

It's not an IPS alert, it's a Health monitor alert. We normally see those when you are managing the Firepower service modules in an ASA HA pair. The standby unit will not be seeing any data traffic and thus generate the alert. If that's your case, the alert can be safely ignored.

The only work around for it is to blacklist interface monitoring in the Health Policy.

If you're not seeing it as coming from the standby unit in an HA pair then we have further troubleshooting to do.

Adnan Khan · ‎05-12-2020

Many thanks for your quick valuable response. Could you please share how I can blacklist the interface so the alert should not show up. Your reply is awaited, please.

Marvin Rhoads · ‎05-12-2020

You're welcome.

In FMC, go to System > Health > Policy and click on the "Interface Status" setting. There you should see an option to disable the checks.

Adnan Khan · ‎05-12-2020

Many thanks again. I will apply and update here the result.

Adnan Khan · ‎05-12-2020

If we do this. Will it stop any other legitimate alerts associated with this interface?

Marvin Rhoads · ‎05-12-2020

It will stop all interface alerts. Unfortunately you cannot choose among the interfaces to which this Health Monitor applies.

But then FMC isn't really the right tool to monitor your interfaces - an NMS like PRTG, SolarWinds, Prime Infrastructure etc. is better suited for that task.

Later releases of Firepower fix the issue - I'm not sure exactly which one addressed it but it's fixed in the current 6.6 release.

Adnan Khan · ‎05-12-2020

Yes I agreed. Many thanks for your prompt response.

Adnan Khan · ‎05-12-2020

I have configured the email alerts on FMC and getting notifications which are good but I am getting alerts every 5 minutes for this (interface 'dataplaneinterface0' is not receiving any packets). Is there any option if I can change the interval of this interface for regeneration? I plan not to disable this otherwise all legitimate alerts will be disabled as well.

Marvin Rhoads · ‎05-12-2020

The Health Policy (for all monitored subsytems) runs every 5 minutes by default. You cannot change it per subsystem.

So if you choose not to blacklist the interface events and have your FMC configured to email alerts you will get that email every five minutes. In that case, it may be easier to make an email rule to delete or file the ones with the predictable string in the body.

Adnan Khan · ‎05-12-2020

Thanks, FMC alert features are so limited. Not much control over it.