01-04-2016 12:20 AM
Hello all,
I have an issue with the ASDM event logging "Real Time Eventing".
The issue is that it lacks real time eventing!
I had to check why a certain site is not reachable with the browser test. When I tried to check the logging I didn't see anything with the specific source address "Initiator IP=192.168.41.61", so I tried a telnet session in order to test connectivity to the specific destination, which is successful; however, in the logging there are still no hits! On the default rule out I have logging enabled.
Everything seems to be up and running and I see hits on my service-policy SFR which is increasing as well.
During the browser test I don't see any drop/reset-drop counter increasing.
wamajspk0002# show service-policy sfr
Global policy:
  Service-policy: global_policy
    Class-map: SFR
      SFR: card status Up, mode fail-open
        packet input 143861065, packet output 143862856, drop 2674, reset-drop 4734
Is this a bug or normal behavior?
01-18-2016 06:59 AM
Hi,
Could you check if you have enabled "logging at the end of connection" in the access control rule.
Thanks,
Ankita
04-18-2016 06:13 AM
Hi,
That is expected. When traffic is being dropped by the SFR and it requests the ASA to do that, the drop counter may increase. To confirm, you can run the command show service-policy sfr multiple times and see if the drop bytes are increasing.
You can run the show asp drop command on the ASA and see under what category it is being dropped.
The doc explains it further: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/modules-sfr.pdf
Check page 28 and 29.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
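Aastha's suggestion is to run show service-policy sfr several times and watch whether the drop counters move. As an added example (not from this thread or from Cisco), the Python below parses two snapshots of that output and reports the per-counter deltas; the first snapshot copies the counters quoted above, the second is constructed.

```python
import re
from typing import Dict

# Constructed sample: two snapshots of "show service-policy sfr" taken a few
# seconds apart. Snapshot 1 copies the counters from the thread; snapshot 2 is
# invented so that the drop counter visibly moves while reset-drop stays flat.
SNAPSHOT_1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: SFR
      SFR: card status Up, mode fail-open
        packet input 143861065, packet output 143862856, drop 2674, reset-drop 4734
"""
SNAPSHOT_2 = """\
Global policy:
  Service-policy: global_policy
    Class-map: SFR
      SFR: card status Up, mode fail-open
        packet input 143862190, packet output 143863970, drop 2681, reset-drop 4734
"""

COUNTERS = ("packet input", "packet output", "drop", "reset-drop")
COUNTER_RE = re.compile(r"\b(packet input|packet output|drop|reset-drop) (\d+)")
STATUS_RE = re.compile(r"SFR: card status (\S+), mode (\S+)")


def parse_sfr_counters(output: str) -> Dict[str, object]:
    """Extract card status, mode and the four packet counters from the command output."""
    parsed: Dict[str, object] = {}
    status = STATUS_RE.search(output)
    if status:
        parsed["status"], parsed["mode"] = status.group(1), status.group(2)
    for name, value in COUNTER_RE.findall(output):
        parsed[name] = int(value)
    return parsed


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Increase of each counter between two snapshots (negative means the counters reset)."""
    b, a = parse_sfr_counters(before), parse_sfr_counters(after)
    return {k: a[k] - b[k] for k in COUNTERS if k in a and k in b}


def sfr_is_dropping(before: str, after: str) -> bool:
    """True when the SFR module had the ASA drop or reset flows between the snapshots."""
    d = counter_deltas(before, after)
    return d.get("drop", 0) > 0 or d.get("reset-drop", 0) > 0
```

A positive drop or reset-drop delta means the module, not the ASA's own ACLs, is discarding traffic, which is when show asp drop on the ASA is the next thing to look at.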
04-18-2016 10:09 AM
Perhaps I should clarify: the ASDM logs the SFR drops fine, however the FirePower Monitoring (ASDM -> Monitoring -> FirePower Monitoring -> Real-time Eventing) is blank, where it should show FirePower event information (according to the docs) with details as to whether it matched a policy and what action was taken and why (i.e. matched inbound access policy, blocked due to URL match of Global-Blacklist).
Without this, it makes the firepower module next to useless, as you can't properly tune your firepower access policy and enable/disable various signatures & URLs. The ASA event only gives you the L4 flow info, not the FirePower event info.
05-02-2016 06:45 AM
Hello,
I just encountered the same issue; we have 2 ASAs with identical software and almost identical configuration. On one of them the logging is working fine, on the other one I see nothing. I am going to open a TAC on this, and I will share my findings.
05-05-2016 08:13 PM
The TAC has asked me to reinstall the patches I applied. We'll see if this solves it. I also have the problem where one works and one doesn't. Go figure.
05-20-2016 08:33 AM
Hi,
So, at first I was given a surprised tone, as this bug was supposed to be fixed in v6.0. After that, the TAC sent me a workaround, but as it involved deleting some files and restarting services through the shell, I do not feel comfortable sharing it as a works-for-all solution, and definitely not one to "just try".
Anyway, it worked for me, after the TAC analysed the troubleshooting output from the Firepower. I can only recommend opening a TAC, and including a screenshot right away. The more incidents are logged, the faster a corrected software version should come out.