no real time logging on ASDM with Firepower 5.4.1.4-15

tamimkushjar
Level 1

Hello all,

I have an issue in the ASDM event-logging "Real Time Eventing".

The issue is that it lacks real time eventing!

I had to check why a certain site is not reachable with the browser test. When I tried to check the logging I didn't see anything with the specific source address "Initiator IP=192.168.41.61", so I tried a telnet session in order to test connectivity to the specific destination, which is successful; however, in the logging there are still no hits! On the default rule out I have logging enabled.

Everything seems to be up and running and I see hits on my service-policy SFR which is increasing as well.
During the browser I don't see any drop/reset-drop counter increasing.

wamajspk0002# show service-policy sfr

Global policy: 
Service-policy: global_policy
Class-map: SFR
SFR: card status Up, mode fail-open
packet input 143861065, packet output 143862856, drop 2674, reset-drop 4734

Is this a bug or normal behavior?

8 Replies

ankojha
Level 3

Hi,

Could you check if you have enabled "logging at the end of connection" in the access control rule?

Thanks,

Ankita

I have the same problem and I've logged EVERYTHING in the Access policy. This is terrible as I can not tune the policy, just see that SFR requests the drop in the ASA logs, but don't know what part of the policy is dropping it.

I'm also at the latest patch.

Hi,

That is expected. The traffic is being dropped by SFR, and it requests ASA to do that, so the drop counter may increase. To confirm, you can run the command show service-policy sfr multiple times and see if the drop bytes are increasing.

You can run the show asp drop command on ASA and see under what category it's being dropped.

The doc explains it further: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf

Check page 28 and 29.

Regards,

Aastha Bhardwaj

Rate if that helps!!!
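An added example, not from this thread or from Cisco: a small Python helper that parses two samples of the show service-policy sfr output in the layout quoted above and reports whether the drop and reset-drop counters grew between them, which is the check described in the reply. The counter values in the second sample are constructed; the regexes assume the "card status ..., mode fail-open|fail-close" and "packet input ..., drop ..., reset-drop ..." wording shown in the original post.

```python
import re

# Constructed samples of two consecutive "show service-policy sfr" runs,
# in the layout quoted in the thread (second sample's counters are made up).
SNAPSHOT_1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: SFR
      SFR: card status Up, mode fail-open
        packet input 143861065, packet output 143862856, drop 2674, reset-drop 4734
"""
SNAPSHOT_2 = SNAPSHOT_1.replace(
    "packet input 143861065, packet output 143862856, drop 2674, reset-drop 4734",
    "packet input 143901200, packet output 143903010, drop 2690, reset-drop 4760",
)

STATUS_RE = re.compile(r"SFR: card status (\w+), mode (fail-open|fail-close)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")
COUNTERS = ("input", "output", "drop", "reset_drop")

def parse_sfr(text):
    """Return card status, mode and the four packet counters from one snapshot."""
    status, counters = STATUS_RE.search(text), COUNTER_RE.search(text)
    if not status or not counters:
        raise ValueError("no SFR class-map block found in output")
    parsed = {"status": status.group(1), "mode": status.group(2)}
    parsed.update(zip(COUNTERS, map(int, counters.groups())))
    return parsed

def sfr_deltas(before, after):
    """Counter growth between two snapshots taken a few seconds apart."""
    a, b = parse_sfr(before), parse_sfr(after)
    return {k: b[k] - a[k] for k in COUNTERS}

def sfr_findings(before, after):
    """Observations a responder wants: card health, fail mode, new drops."""
    state, d = parse_sfr(after), sfr_deltas(before, after)
    notes = []
    if state["status"] != "Up":
        notes.append("SFR card status is %s" % state["status"])
    if state["mode"] == "fail-open":
        notes.append("mode fail-open: traffic bypasses inspection if the module fails")
    if d["drop"] or d["reset_drop"]:
        notes.append("SFR requested %d drops and %d reset-drops since the last sample"
                     % (d["drop"], d["reset_drop"]))
    else:
        notes.append("no new SFR drops; the module is not blocking the tested flow")
    return notes
```

Growing drop or reset-drop counts only show that the module is requesting drops; which rule did so still has to come from the Firepower event data the thread is missing.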

Perhaps I should clarify, the ASDM logs the SFR drops fine, however the FirePower Monitoring (ASDM -> Monitoring -> FirePowerMonitoring ->Real-time Eventing) is blank, where it should show firepower event information (according to the docs) with details as to if it matched a policy and what action was taken and why. (i.e. matched inbound access policy, blocked due to URL match of Global-Blacklist).

Without this, it makes the firepower module next to useless, as you can't properly tune your firepower access policy and enable/disable various signatures & URLs.  The ASA event only gives you the L4 flow info, not the FirePower event info.

Hello,

I just encountered the same issue, we have 2 ASAs with identical Software and almost identical configuration. On one of them, the Logging is working fine, on the other one I see nothing. I am going to open a TAC on this, and I will share my findings.

The TAC has asked me to reinstall the patches I applied... we'll see if this solves it. I also have the problem where one works and one doesn't. Go figure.

Hi,

So, at first I was given a surprised tone, as this bug was supposed to be fixed in v.6.0. After that, the TAC sent me a workaround, but as it involved deleting some files and restarting services through the shell, I do not feel comfortable in sharing it as a works-for-all solution, and definitely not one to "just try".

Anyway, it worked for me, after the TAC analysed the troubleshooting output from the Firepower. I can only recommend to open a TAC, and also include a screenshot right away. The more incidents are logged, the faster a corrected software version should come out.
