FPR4120 running FTD 6.2.3.7 - packet loss during policy reapply

TonyGlass1469
Level 1

Hi everyone,

 

I'm experiencing an issue with an FPR4120 chassis where I've installed FTD software (release 6.2.3.7).

FTD is deployed inline, working as an IPS with bypass interfaces.

 

This FTD has 2 inline sets, the first one connected to a nominal chain and the second one to a backup chain.

On these chains I have Internet access, firewalls, switches, a reverse proxy server and an inline bypass TAP where FTD is connected, and Internet traffic passes through all this equipment.

 

The objective is to protect web servers deployed "behind" this architecture.

 

But when doing some tests, for example when reapplying ACP or intrusion policies, I encounter an issue due to LACP packet loss. Network traffic that was passing on the nominal chain switches to the backup chain, probably due to this LACP packet loss!

Do you know if, when reapplying ACP, intrusion, ... policies from Firepower Management Center, FTD can lose a few packets?

I've read on different links that Cisco was aware of this bug before the 5.3.1.1 release (link below), but is it still the same behaviour with 6.2.3.7?

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117897-cinfig-sourcefire-00.html

 

Many thanks for your help!

4 Replies

Marvin Rhoads
Hall of Fame

Yes there is risk of packet loss during policy deployments and rule updates, especially for versions prior to 6.2.3. This is mostly due to Snort restarts.

The behavior has improved in 6.3 and 6.4 (and the deploy warns you if your objects being deployed may cause traffic interruption).

See slide 142 onward here for more details:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3300.pdf

Also, you may be able to set up a prefilter policy to Fastpath the LACP traffic (with an ethertype ACL) so that it is not inspected by Snort and therefore not affected by Snort restarts.

 

Thank you for your feedback.

Regarding fastpath rules, I've already checked and I didn't find any possibility of creating an ACL based on ethertype (0x8809 for LACP).

As shown in the screenshot below, I can filter on Network (IP), VLAN tag and TCP/UDP port number but nothing regarding ethertype.

 

Do you have any other idea, or maybe I'm wrong?

 

Thanks a lot.

 

[screenshot: prefilter-rule.png]

Prefilter ACLs for EtherTypes can be created using a FlexConfig configuration.

Something like this:

! 0x8809 is the Slow Protocols EtherType that carries LACP
access-list 101 ethertype permit 0x8809
! apply the EtherType ACL inbound on the interface (replace <your nameif>)
access-group 101 in interface <your nameif>

Generally they use the same syntax as ASA ACLs since it is the LINA subsystem that processes them. Thus you can refer to the ASA command reference for the correct syntax:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1598101
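
An added illustration (it is not code from this thread, from Cisco, or from any Firepower component) of the distinction the two replies above turn on: LACP frames carry no IP header, so the network/VLAN/port fields the prefilter rule editor offers cannot select them, while a LINA EtherType ACL keys on the 16-bit EtherType that every frame does carry. The script parses constructed Ethernet frames (an untagged LACPDU and an 802.1Q-tagged IPv4 packet), reports which matching mechanism applies to each, and renders the two FlexConfig lines for a given nameif. All function names are hypothetical, the sample frames are built inline rather than captured from a device, and nothing here talks to an FTD.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_SLOW_PROTOCOLS = 0x8809   # carries LACP (IEEE 802.3ad / 802.1AX)
LACP_SUBTYPE = 0x01                 # first byte of a Slow Protocols payload
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")  # LACP destination group MAC


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst MAC, optional 802.1Q VLAN id,
    the EtherType of the payload, and the payload bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:          # one 802.1Q tag: TCI + inner EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst_mac": dst.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def is_lacp(frame: bytes) -> bool:
    """LACPDU: EtherType 0x8809 and Slow Protocols subtype 0x01."""
    info = parse_frame(frame)
    return (info["ethertype"] == ETHERTYPE_SLOW_PROTOCOLS
            and len(info["payload"]) >= 1
            and info["payload"][0] == LACP_SUBTYPE)


def has_ip_match_fields(frame: bytes) -> bool:
    """The prefilter rule editor matches on network (IP), VLAN tag and
    TCP/UDP ports; only frames carrying IP expose network/port fields."""
    return parse_frame(frame)["ethertype"] in (ETHERTYPE_IPV4, ETHERTYPE_IPV6)


def ethertype_acl_matches(acl_ethertype: int, frame: bytes) -> bool:
    """What an 'access-list N ethertype permit 0xNNNN' entry keys on:
    the payload EtherType (the inner one for 802.1Q-tagged frames)."""
    return parse_frame(frame)["ethertype"] == acl_ethertype


def flexconfig_lines(nameif: str, acl_id: str = "101",
                     ethertype: int = ETHERTYPE_SLOW_PROTOCOLS) -> list:
    """Render the two ASA/LINA lines from the reply above for a FlexConfig object."""
    return [f"access-list {acl_id} ethertype permit 0x{ethertype:04x}",
            f"access-group {acl_id} in interface {nameif}"]


# --- constructed sample frames (not captured from a real device) ---------
def build_lacp_frame(src_mac: bytes) -> bytes:
    # 110-byte LACPDU: subtype 0x01, version 0x01, actor/partner TLVs zeroed
    lacpdu = bytes([LACP_SUBTYPE, 0x01]) + b"\x00" * 108
    return (SLOW_PROTOCOLS_MAC + src_mac
            + struct.pack("!H", ETHERTYPE_SLOW_PROTOCOLS) + lacpdu)


def build_tagged_ipv4_frame(vlan: int, src_mac: bytes, dst_mac: bytes) -> bytes:
    # minimal IPv4 header (IHL=5, TTL=64, protocol=TCP) with placeholder addresses
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([203, 0, 113, 10]))
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return (dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4)
            + ip_hdr + b"\x00" * 20)


LACP_FRAME = build_lacp_frame(bytes.fromhex("001122334455"))
TAGGED_IPV4_FRAME = build_tagged_ipv4_frame(100, bytes.fromhex("001122334455"),
                                            bytes.fromhex("66778899aabb"))

if __name__ == "__main__":
    for name, frame in (("LACP", LACP_FRAME), ("VLAN100/IPv4", TAGGED_IPV4_FRAME)):
        info = parse_frame(frame)
        print(f"{name}: ethertype=0x{info['ethertype']:04x} vlan={info['vlan']} "
              f"lacp={is_lacp(frame)} prefilter_ip_fields={has_ip_match_fields(frame)} "
              f"ethertype_acl_0x8809={ethertype_acl_matches(0x8809, frame)}")
    print("\n".join(flexconfig_lines("<your nameif>")))
```

Running it shows the LACP frame matching only the EtherType ACL and the tagged IPv4 frame matching only the IP-based prefilter fields, which is the gap the screenshot in the previous post describes. The VLAN handling is there because an 802.1Q-tagged frame presents 0x8100 as its outer EtherType; an EtherType ACL written for 0x8809 is meant to key on the inner value, so a classifier that stops at the outer field would miss tagged traffic.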

Many thanks Marvin for your help.

 

Have a nice day
