08-22-2022 12:59 PM
We switched (pure routing changes) from a pair of ASA5585 to FP4115 v7.0.2 w/ Snort 3. Everything was running fine and then all of a sudden nothing could pass through the FTD. FTD syslog is normal, ASP drop is normal.
We did find that Snort had been restarted over 100 times when this issue surfaced, and we had to switch back to the ASA5585.
Has anyone experienced a similar issue on FTD? We have no clue at this moment. Thanks.
Leo
08-22-2022 01:17 PM - edited 08-22-2022 01:19 PM
If all traffic passes through Snort then this can happen.
Try configuring a Prefilter ACL which makes elephant traffic bypass Snort:
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html
08-22-2022 01:45 PM
We have had similar issues with all our clients' FTDs after upgrading to 7.0.x. TAC says this is a bug, and that upgrading to 7.1 or greater resolves the issue. Stability-wise I think 7.2 is better. Though we do not have any FTDs running this code yet, I have not heard of many big issues with it yet.
08-22-2022 02:33 PM
Thanks, can you send me the bug id?
Leo
08-22-2022 02:37 PM
Unfortunately I do not have the bug ID, as I was not the engineer working with TAC.
08-22-2022 11:12 PM
Suspecting the bug below, which is fixed in 7.1:
SSL traffic dropped by FTD while CH packet has a destination port no greater than source port