Source Fire Connection Events not showing/recording

jseidl
Level 1

Under Connections > Events we do not get any data.

18 Replies

Pujita Patni
Cisco Employee

Hi,

Do you have logging enabled on your Access Control Policy?

Thanks,
Pujita

Yes, logging is on. The events were working. They stopped about 10 days ago.

Hi,

I have the same problem; everything seems OK but it cannot show traffic. If I use the firewall in transparent mode, FireSIGHT can show traffic, but there is still one error when I check the command:

show service-policy sfr

Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 0, drop 0, reset-drop

If I change to routed mode, everything seems OK but no traffic shows, no records show, and the error above is still there:

show service-policy sfr

Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 0, drop 0, reset-drop

Please Help me!

Hi,

Have you created an access-list to redirect the traffic from the ASA to the SFR? Check the hit counts on the access-list; if we don't see any hit counts on the access-list, then the ASA itself is not pushing any traffic to the SFR. I am assuming basic connectivity has already been checked and the management interface on the ASA is up and running?

Regards,

Aastha Bhardwaj

Rate if that helps!!!
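The check described in the reply above (is the ASA actually handing packets to the module, and is the redirect ACL being hit?) can be scripted against the two CLI outputs. The following is an added example written for this page, not code from the thread or from Cisco: it parses `show service-policy sfr` and `show access-list` output and reports the same findings a person would read off by eye. The sample texts are constructed to look like the output posted earlier (the post cut off after "reset-drop", so a value of 0 is assumed there), and the function names are this example's own.

```python
import re

# Constructed sample modelled on the "show service-policy sfr" output posted above
# (the post cut off after "reset-drop"; a value of 0 is assumed here).
SAMPLE_SFR_OUTPUT = """\
Service-policy: global_policy
  Class-map: sfr
    SFR: card status Up, mode fail-open monitor-only
      packet input 0, packet output 0, drop 0, reset-drop 0
"""

# Constructed sample of "show access-list sfr_redirect" with the usual hitcnt field.
SAMPLE_ACL_OUTPUT = """\
access-list sfr_redirect; 1 elements; name hash: 0x00000000
access-list sfr_redirect line 1 extended permit ip any any (hitcnt=0) 0x00000000
"""

STATUS_RE = re.compile(r"SFR:\s*card status\s+(?P<status>\S+),\s*mode\s+(?P<mode>[^\n]+)")
COUNTER_RE = re.compile(r"(?P<name>packet input|packet output|drop|reset-drop)\s+(?P<value>\d+)")
HITCNT_RE = re.compile(r"\(hitcnt=(?P<hits>\d+)\)")


def parse_sfr_policy(text):
    """Extract card status, mode and the packet counters from the SFR class."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no SFR class found in service-policy output")
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    return {"status": m.group("status"), "mode": m.group("mode").strip(), "counters": counters}


def acl_total_hits(text):
    """Sum the hitcnt values of every ACE in a 'show access-list' listing."""
    return sum(int(h) for h in HITCNT_RE.findall(text))


def diagnose_redirect(policy_text, acl_text):
    """Apply the checks from the reply above and return a list of findings."""
    state = parse_sfr_policy(policy_text)
    findings = []
    if state["status"].lower() != "up":
        findings.append("module is not Up: fix the module state before looking at events")
    if state["counters"].get("packet input", 0) == 0:
        findings.append("ASA has handed zero packets to the module: traffic is not being redirected")
    if acl_total_hits(acl_text) == 0:
        findings.append("redirect ACL has no hits: nothing is matching class-map sfr")
    if "monitor-only" in state["mode"]:
        findings.append("monitor-only mode: the module sees a copy of traffic and can log but not block")
    return findings


if __name__ == "__main__":
    for finding in diagnose_redirect(SAMPLE_SFR_OUTPUT, SAMPLE_ACL_OUTPUT):
        print("-", finding)
```

Run against the sample it reports three findings: zero packets redirected, zero ACL hits, and that the module is in monitor-only mode. A zero packet-input counter with a zero hit count points at the ASA side (class-map, ACL or the traffic path itself) rather than at the management center, which is the distinction the reply above draws.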

The problem was a corrupted database file. Working with TAC, the issue was resolved. Thx all.

Hi jseidl,

Can you tell me the corrupted database file name? Could it be asasfr-5500x-boot-5.3.1-152.img or asasfr-sys-5.3.1-155.pkg or the FireSIGHT Management on ESXi? I will download it again.

I cannot open a TAC case because I don't have a contract number.

Thank you!

Hi,

If you are planning to reimage the SFR on the ASA, first you would need the .img file.

Detailed procedure: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Regards,

Aastha Bhardwaj

Rate if that helps!!!

I'm having the same issue (nothing being logged to the event dashboards) with a new installation; everything is configured correctly as far as I can tell. Logging is enabled, the redirect is in place and showing packets.

I have one installation that is working perfectly, and a second one, the problem one with "no data".

What did TAC do to fix your issue, the database or another solution? I have a TAC case open, but this was just deployed to production and I need to fix it ASAP, and TAC asked some questions then disappeared on me.

Hi jwornstaff,

You must make sure traffic goes through from inside to outside (NAT, access list permitting from inside to outside). Then put a laptop on the inside and test a ping or Internet access from inside; traffic will show in the dashboards. :)

Thanks

Hi Aastha Bhardwaj,

I configured the following:

ciscoasa(config)# access-list sfr_redirect extended permit ip any any

ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
ciscoasa(config)# service-policy global_policy global

but nothing shows. Can you send me the "show running-config" output of your ASA firewall?

Thank you!

Aastha Bhardwaj
Cisco Employee

Hi, go to the Access Control Policy and check if logging is enabled on it. Then, in the right-hand corner, you have the window to increase the time frame; increase that to a week and see if you get any events there.

If all of that is fine, check on the sensor:

/var/sf/detection-engine, press Tab and then go to the instance directory:
/var/sf/detection-engine/*/instance-1. Check for the conn-unified bookmark file and see what date it was updated.

Also check the below on the Defense Center and the sensor:

pmtool status |grep SFData

The SFDataCorrelator service should be running.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Thx. I will try to complete your above idea. I am new to this product.

I do have this in the syslog:

Nov 19 2015 13:41:38 Sourcefire3D SF-IMS[31120]: [31240] SFDataCorrelator:MySQLEvent [ERROR] mysql_stmt_prepare failed: 1017: Can't find file: 'rna_flow_stats_1440774000' (errno: 2); cmd: INSERT INTO rna_flow_stats_1440774000 (sensor_id,protocol,initiator_port,responder_port,first_packet,last_packet,packets_sent,packets_recv,bytes_sent,bytes_recv,client_app_version,info,netbios_domain,flow_type,tcp_flags,security_zone_ingress_id,security_zone_egress_id,interface_ingress_id,interface_egress_id,user_id,initiator_ip,responder_ip,src_device_ip,fw_policy_id,fw_rule_id,fw_rule_action,fw_rule_reason,app_proto_id,client_app_id,web_app_id,url_category,url_reputation,fw_monitor_rule_id_1,fw_monitor_rule_id_2,fw_monitor_rule_id_3,fw_monitor_rule_id_4,fw_monitor_rule_id_5,fw_monitor_rule_id_6,fw_monitor_rule_id_7,fw_monitor_rule_id_8,ip_rep_src_dst,ip_rep_layer,ip_rep_category,instance_id,counter,file_count,ips_event_count,initiator_country,responder_country,ioc_count,nf_src_as,nf_dst_as,nf_snmp_in,nf_snmp_out,nf_src_tos,nf_dst_to

The above repeats every minute.

I believe that SFDataCorrelator is running; see attached.

Hi,

You would need to log in to the Defense Center via the CLI.

+ SSH to the Defense Center.

++ Escalate the privilege to root.

admin>sudo su

Enter the root password

root>pmtool status |grep -i Down

root>pmtool status |grep SFData

You would need to check the same thing on the sensor.

Are you initiating some live traffic? Can you create an allow rule with logging enabled at the top on the Defense Center and see if that works?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

That was helpful. Thx

Here is what I have from DC:

root@Sourcefire3D:/Volume/home/admin# pmtool status |grep SFData
SFDataCorrelator (normal) - Running 6052
Command: /usr/local/sf/bin/SFDataCorrelator --nodaemon
PID File: /var/sf/run/SFDataCorrelator.pid
Enable File: /etc/sf/SFDataCorrelator.run

root@Sourcefire3D:/Volume/home/admin# pmtool status |grep -i Down
RUAScheduledDownload - Period 3600 - Next run Thu Nov 19 20:01:15 2015
root@Sourcefire3D:/Volume/home/admin#
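The two outputs in this thread (the SFDataCorrelator syslog error posted a few replies up and the pmtool status just above) together describe the state the original poster hit: the correlator process is Running, yet every INSERT into a connection-event table fails because the table file is missing. The following is an added example, not code from the thread or from Cisco, that reads both outputs and turns them into a single verdict, so that "process up but events never reach the database" is caught rather than masked by a green process status. The sample log lines are constructed to follow the format of the posted line, with the INSERT column list shortened and a made-up non-error line added; the pmtool sample follows the format shown above. Function names are this example's own, and decoding the numeric table suffix as a Unix epoch is an assumption about how the rna_flow_stats tables are named.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines modelled on the SFDataCorrelator message posted above.
# The INSERT column list is shortened, and the third line is a made-up non-error line.
SAMPLE_SYSLOG = """\
Nov 19 2015 13:41:38 Sourcefire3D SF-IMS[31120]: [31240] SFDataCorrelator:MySQLEvent [ERROR] mysql_stmt_prepare failed: 1017: Can't find file: 'rna_flow_stats_1440774000' (errno: 2); cmd: INSERT INTO rna_flow_stats_1440774000 (sensor_id,protocol) VALUES (?,?)
Nov 19 2015 13:42:38 Sourcefire3D SF-IMS[31120]: [31240] SFDataCorrelator:MySQLEvent [ERROR] mysql_stmt_prepare failed: 1017: Can't find file: 'rna_flow_stats_1440774000' (errno: 2); cmd: INSERT INTO rna_flow_stats_1440774000 (sensor_id,protocol) VALUES (?,?)
Nov 19 2015 13:42:40 Sourcefire3D SF-IMS[31120]: [31240] SFDataCorrelator:Heartbeat [INFO] alive
"""

# Constructed sample of "pmtool status | grep SFData" in the form shown in the thread.
SAMPLE_PMTOOL = """\
SFDataCorrelator (normal) - Running 6052
Command: /usr/local/sf/bin/SFDataCorrelator --nodaemon
"""

ERR_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ SF-IMS\[\d+\]: \[\d+\] "
    r"SFDataCorrelator:MySQLEvent \[ERROR\] (?P<call>\w+) failed: (?P<code>\d+): (?P<msg>[^;]*)"
)
TABLE_RE = re.compile(r"Can't find file: '(?P<table>\w+)'")
RUNNING_RE = re.compile(r"^SFDataCorrelator \(\w+\) - Running (?P<pid>\d+)", re.M)


def parse_correlator_errors(syslog_text):
    """Return one dict per SFDataCorrelator MySQL error line; other lines are ignored."""
    errors = []
    for line in syslog_text.splitlines():
        m = ERR_RE.match(line)
        if m is None:
            continue
        rec = {"ts": m.group("ts"), "call": m.group("call"),
               "code": m.group("code"), "msg": m.group("msg").strip(), "table": None}
        t = TABLE_RE.search(rec["msg"])
        if t:
            rec["table"] = t.group("table")
        errors.append(rec)
    return errors


def correlator_running(pmtool_text):
    """True when pmtool reports SFDataCorrelator as Running with a PID."""
    return RUNNING_RE.search(pmtool_text) is not None


def table_period(table):
    """Assumption: the numeric suffix on rna_flow_stats_* is a Unix epoch marking the
    start of that table's period. Decode it so the affected period is readable."""
    suffix = table.rsplit("_", 1)[-1]
    if not suffix.isdigit():
        return None
    return datetime.fromtimestamp(int(suffix), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def diagnose_correlator(pmtool_text, syslog_text):
    """Combine both checks: a Running process whose inserts fail still loses events."""
    errors = parse_correlator_errors(syslog_text)
    failing = Counter(e["table"] for e in errors if e["table"])
    running = correlator_running(pmtool_text)
    if not running:
        verdict = "process_down"
    elif failing:
        verdict = "inserts_failing"   # events arrive but never reach the database
    else:
        verdict = "ok"
    return {"running": running,
            "failing_tables": failing,
            "periods": {t: table_period(t) for t in failing},
            "verdict": verdict}


if __name__ == "__main__":
    print(diagnose_correlator(SAMPLE_PMTOOL, SAMPLE_SYSLOG))
```

On the sample this yields the verdict inserts_failing with rna_flow_stats_1440774000 counted twice, which matches the "repeats every minute" observation above. Anything other than ok is worth an alert: process_down is the case pmtool alone catches, while inserts_failing is the corrupted-table case that only the syslog reveals and that, per the original poster, needed a database repair to fix.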
