cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
277
Views
0
Helpful
3
Replies

Issues with WSA whan FTD IPS is enabled

tahscolony
Level 1
Level 1

I have a new instance on a 3120 with an inline pair, configured on a transparent FTD. It is a direct replacement for our Firepower 7125 appliance.  We have a failover pair of ASA5555-X, one currently runs through a 7125 with an inline pair in front (Outside) and an inline pair behind (Inside). Has been working great this way for years, saved us from all sorts of attacks over the years.

I swapped the inline pairs from the other 7125 to the 3120, using the same policies on the FTD as on the 7125 per the FMC, running the latest 7.4.2 code.  The only difference is the hardware and software, otherwise the rules are the same.  When I do a failover active to push traffic through th enew FTD, anything that uses SSO or MFA, or similar authentication via an external site, fails, cannot be reached. Ironically, IPChicken.com cannot be reached either.  If I remove myself from the WCCP and use the ASA NAT instead, everything works as it should. Another thing I noticed, which is alarming is that almost all the connections coming from the WSA are HTTP.  I see very few 443 connections, yet almost all sites should be 443.

One thing I have not done is to clear translations on the ASA. The WSA uses one IP for everything, so is translated to an external IP.   I will give that a try later during my test window.  Aside from that, I am STUMPED!

3 Replies 3

ccieexpert
Spotlight
Spotlight

have you looked at the 3120/FMC/FDM logs to see wsa connections are allowed or denied?

the inline pair should be pretty transparent provided that you are allowing traffic...

you should take a packet capture on both the ASA , and 31xx inside and outside to see the packets are going out and coming backup.. so that the flow can be traced..

I have all logging enabled on the FMC, and I am not seeing anything specific being blocked. I opened a TAC case for both the FTD and WSA and having to escalate it since I can't seem to get either side to setup the required meetings to get packet captures going.  The one time I did, the tech got confused because I am running Multi Instance Chassis and had to find a different tech and that is where it still sits.

tahscolony
Level 1
Level 1

I took the inside inline pair out of the equation, that resolved the issue. Going to create a new instance that looks at files and malware, ignore geoblocking to let the outside handle all that, and use that to look at the inside interface from the firewall.   If what I have been told is correct, I just need a rule to allow WCCP through at the top.    If I am reading this correctly, it should be inside zone > firewall zone > application WCCP allowed.

Review Cisco Networking for a $25 gift card