06-21-2019 07:58 AM - edited 02-21-2020 09:14 AM
Hi everyone,
I'm experiencing an issue with an FPR4120 chassis where I've installed FTD software (release 6.2.3.7).
FTD is deployed inline to work as an IPS with bypass interfaces.
This FTD has 2 inline sets, the 1st one connected to a nominal chain and the second one to a backup chain.
On these chains there are Internet access, firewalls, switches, a ReverseProxy server and an Inline Bypass TAP where the FTD is connected, and Internet traffic passes through all this equipment.
The objective is to protect web servers deployed "behind" this architecture.
But when doing some tests, for example when reapplying ACP or Intrusion Policies, I encounter an issue due to LACP packet loss. Network traffic that was passing on the nominal chain switches to the backup chain, probably due to this LACP packet loss!!
Do you know if reapplying ACP, Intrusion, ... policies from Firepower Management Center, FTD can lose a few packets ?
I've read on different links that Cisco was aware of this bug before the 5.3.1.1 release (link below), but is it still the same behaviour with 6.2.3.7??
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117897-cinfig-sourcefire-00.html
Many thanks for your help !!!
06-21-2019 07:28 PM
Yes there is risk of packet loss during policy deployments and rule updates, especially for versions prior to 6.2.3. This is mostly due to Snort restarts.
The behavior has improved in 6.3 and 6.4 (and the deploy warns you if your objects being deployed may cause traffic interruption).
See slide 142 onward here for more details:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-3300.pdf
Also, you may be able to set up a prefilter policy to Fastpath the LACP traffic (with an ethertype ACL) so that it is not inspected by Snort and therefore not affected by Snort restarts.
06-24-2019 04:01 AM
Thank you for your feedback.
Regarding fastpath rules, I've already checked and I didn't find any possibility for creating an ACL based on ethertype (0x8809 for LACP).
As shown on the screenshot below, I can filter on Network (IP), VLAN TAG and TCP/UDP port number but nothing regarding ethertype.
Do you have any other idea or may be I'm wrong ?
Thanks a lot.
06-24-2019 06:18 AM
Prefilter ACLs for ethertypes can be created using a Flexconfig configuration.
Something like this:
access-list 101 ethertype permit 0x8809
access-group 101 in interface <your nameif>
Generally they use the same syntax as ASA ACLs since it is the LINA subsystem that processes them. Thus you can refer to the ASA command reference for the correct syntax:
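Added example (not part of this thread, and not Cisco code): a small Python script that shows why the GUI's Network/VLAN/port prefilter fields from the earlier reply cannot match LACP, and what the ethertype ACL above would match. It parses constructed Ethernet frames (a plain LACP frame and an 802.1Q-tagged IPv4 frame), identifies LACP by its Slow Protocols EtherType 0x8809 and subtype 0x01, and evaluates `access-list <name> ethertype {permit|deny} <value>` lines with a simplified first-match model. The ACL evaluation is an assumption-level model for illustration only; it does not reproduce LINA's implicit-deny or IP/ARP handling, so verify actual behaviour against the ASA command reference and on a lab box.

```python
import struct

# Standard EtherType and LACP constants (0x8809 is the value named in the thread)
ETHERTYPE_VLAN = 0x8100          # IEEE 802.1Q tag
ETHERTYPE_LACP = 0x8809          # IEEE 802.3 Slow Protocols, carries LACP
ETHERTYPE_IPV4 = 0x0800
LACP_SUBTYPE = 0x01              # Slow Protocols subtype for LACP
SLOW_PROTOCOLS_MAC = "01:80:c2:00:00:02"


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, 802.1Q VLAN id (if tagged), payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if etype == ETHERTYPE_VLAN:
        # Tagged frame: TCI (PCP/DEI/VID) followed by the real EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": etype, "payload": frame[offset:]}


def is_lacp(info: dict) -> bool:
    """LACP = Slow Protocols EtherType with subtype 0x01 in the first payload byte."""
    return (info["ethertype"] == ETHERTYPE_LACP
            and len(info["payload"]) >= 1
            and info["payload"][0] == LACP_SUBTYPE)


def ip_rule_could_match(info: dict) -> bool:
    """IP/port based prefilter fields can only see IPv4/IPv6 payloads."""
    return info["ethertype"] in (ETHERTYPE_IPV4, 0x86DD)


def parse_ethertype_acl(lines):
    """Parse 'access-list <name> ethertype {permit|deny} <hex|any>' into (name, action, value)."""
    entries = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] != "ethertype":
            raise ValueError(f"not an ethertype ACL line: {raw!r}")
        name, action, value = parts[1], parts[3], parts[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw!r}")
        match = None if value == "any" else int(value, 16)   # accepts 0x8809 or 8809
        entries.append((name, action, match))
    return entries


def evaluate(entries, acl_name: str, ethertype: int):
    """Simplified first-match model (assumption): action of the first entry that matches, else None."""
    for name, action, match in entries:
        if name == acl_name and (match is None or match == ethertype):
            return action
    return None


# --- Constructed sample input (not captured from any real device) ---
LACP_FRAME = (bytes.fromhex("0180c2000002") + bytes.fromhex("001122334455")
              + struct.pack("!H", ETHERTYPE_LACP)
              + bytes([LACP_SUBTYPE, 0x01]) + b"\x00" * 108)   # subtype, version, padding
TAGGED_IP_FRAME = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                   + struct.pack("!HH", ETHERTYPE_VLAN, 100)    # VLAN 100
                   + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)
ACL_LINES = ["access-list 101 ethertype permit 0x8809"]         # the line from the reply above


def classify(frame: bytes, entries, acl_name: str = "101") -> dict:
    info = parse_frame(frame)
    return {"vlan": info["vlan"], "ethertype": hex(info["ethertype"]),
            "lacp": is_lacp(info), "ip_rule_could_match": ip_rule_could_match(info),
            "ethertype_acl": evaluate(entries, acl_name, info["ethertype"])}


if __name__ == "__main__":
    acl = parse_ethertype_acl(ACL_LINES)
    for label, frame in (("LACP", LACP_FRAME), ("tagged IPv4", TAGGED_IP_FRAME)):
        print(label, classify(frame, acl))
```

Running it shows the LACP frame has no VLAN tag and no IP header, so the Network/VLAN/port fields in the GUI have nothing to match on, while the ethertype entry returns "permit" for 0x8809 and nothing for the IPv4 frame.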
06-24-2019 11:33 PM
Many thanks Marvin for your help.
Have a nice day