5279 Views, 5 Helpful, 8 Replies

SFR module stopped passing traffic

hoffa2000 (Level 3)

Hi

I've had a serious problem over the past few days. One of my Firepower modules in an active/standby inline fail-open set of ASA5525-Xs stopped passing traffic on two occasions. The immediate solution was to fail over to the standby 5525, but failing back to the primary 5525 stopped traffic once more.

I'm certain it's the Firepower module that's causing the problem. I've got a selective ACL sending some internal subnets to the module, skipping others, and an ANY ANY at the end. Those subnets skipped by the ACL are reachable; the ones sent to the module are not.

During the outage my Defense Center doesn't show anything out of the ordinary. I'm running 5.4.0.3-37 on the modules and 5.4.1.2 on the DC.

First question would be if anyone has heard of this before? And second, if there is some way for me to troubleshoot this further?


Regards

/Fredrik
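For readers unfamiliar with the setup described in the question, here is an added example (not the poster's configuration) of an ASA MPF policy that redirects only selected subnets to the SFR module in inline fail-open mode. The subnets, ACL and class-map names are constructed for illustration.

```text
! Constructed example of a selective SFR redirect on an ASA 5500-X.
! Permit entries are redirected to the module; deny entries are skipped.
access-list SFR_REDIRECT extended permit ip 10.10.0.0 255.255.0.0 any
access-list SFR_REDIRECT extended deny   ip 10.20.0.0 255.255.0.0 any
! Catch-all: everything else is also sent to the module.
access-list SFR_REDIRECT extended permit ip any any

class-map SFR_CLASS
 match access-list SFR_REDIRECT

policy-map global_policy
 class SFR_CLASS
  ! fail-open: traffic bypasses the module if the ASA detects it as down.
  ! It does not help when the module reports Up but stops forwarding,
  ! which is the symptom described in this thread.
  sfr fail-open

service-policy global_policy global

! Checks to run during an outage: module state as seen by the ASA,
! and per-class SFR counters/status for the redirect policy.
show module sfr details
show service-policy sfr
```

Comparing the counters from `show service-policy sfr` with the reachability of skipped versus redirected subnets is a quick way to confirm that the module, not the ASA forwarding path, is dropping the traffic.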

1 Accepted Solution

Accepted Solutions

Justin Walker (Level 4)

What version of ASA code are you currently running?

I have had this happen with the file policy configured with the "Inspect Archives" option checked. https://tools.cisco.com/bugsearch/bug/CSCut39253/?reffering_site=dumpcr

I have also had this happen with an ASA configured in monitor-only mode: https://tools.cisco.com/quickview/bug/CSCus15229

I've had pretty good luck with ASA code 9.4.1 and the most recent updates of both the FirePOWER Sensor code and FireSIGHT management code.


8 Replies


Hi Justin.

Very interesting reading. A verified bug matching a problem is always promising. Since reading this I've promptly disabled the "Inspect Archive" option. I'm running ASA version 9.3(3) by the way.


Update: Since disabling the Inspect Archive feature I haven't had any more lock-ups. There is also a 5.4.0.4 release for the SFR modules that promises to fix the bug, but I haven't updated yet.


/Fredrik

Hi Fredrik,


Have you got NFE port Down in the alarms? It happened to me and a reboot helped me over it. I had been through a troubleshooting process with a TAC engineer and found out major problems with our hardware itself.

Hope it helps,


Wilson

Hi

I can't say I recognize that message. My logs at the time the problems occurred were pretty silent.


/Fredrik

Hi all.

I've also had this problem with archive inspection (bug id CSCut39253) and I solved it by upgrading both SFR and FireSIGHT Management Center to the latest release (5.4.0.4 for SFR and 5.4.1.3 for FireSIGHT Management Center). Upgrading only SFR to the latest release didn't solve the problem for me.


After this upgrade, I enabled archive inspection and no other hang happened on our systems (6 SFR modules).


Danilo

CRadoumis (Level 1)

I have had this problem twice now on two different ASAs without an inspection policy, and in inline fail-open mode. A reboot did solve the problem, but I haven't found the reason for the failure, nor a non-disruptive solution.

What version of ASA, SFR and DC do you use?


ASA: 9.4(1)

sfr: 5.4.0.2-33

DC: 5.4.1.1
