Unmatched ASA traffic is showing up in the Firepower logs

bascheew
Level 1

We have a service policy that has a "Do not match" ACL to exempt certain traffic.  This ACL is followed by a Match ACL for all other traffic.  When I test matching traffic on the ASA by using the "show service-policy flow..." command, I can confirm that the excluded traffic does not match the service policy and other traffic does (see below).

However when I look at the logs on the Firepower, I see the unmatched traffic in the Connection Events log.  If the traffic is excluded by the Service Policy, shouldn't that traffic bypass the Firepower?  Why would I still see it in the connection logs?

Matched traffic:

ASA5516# show service-policy flow ip host 206.15.254.1 host 10.25.10.3
Global policy:
  Service-policy: global_policy
    Class-map: Firepower
      Match: access-list global_mpc
        Access rule: permit ip any any
      Action:
        Output flow:  sfr fail-open
    Class-map: class-default
      Match: any
      Action:

Unmatched traffic:

ASA5516# show service-policy flow ip host 206.15.130.13 host 10.25.70.3
Global policy:
  Service-policy: global_policy
    Class-map: class-default
      Match: any
      Action:

Thanks!

4 Replies

bascheew
Level 1

I should add that the traffic I'm seeing show up in Firepower is SIP traffic.  The "Do not match" ACLs on the service policy are for all IP traffic to and from a group of IPs, so I don't know why SIP traffic would be matching.

I am having a very similar issue. About to open a TAC case. Did you get it resolved?

No, that traffic is still showing up in the Firepower logs.  Please let me know what the TAC says.  Thanks! 

Nathan Gagne
Level 1

Not sure if you ever got this resolved, but I came across the same thing and found your post. I'm assuming you added an ACE to the ACL used by the class-map, and were surprised when the Connection Events in SFR still showed that traffic?

What I found was that you had to do a 'clear conn' to force the flows to use the new settings.  This is somewhat alluded to here:

  • When you make service policy changes to the configuration, all new connections use the new service policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. show command output will not include data about the old connections.

Once I did a 'clear conn', I stopped seeing that traffic in the CE.
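An added configuration example, not part of the original thread, pulling the whole pattern together: deny entries in the redirect ACL (what ASDM displays as "Do not match" rows) for an exempt group, followed by the permit-any match, the class-map and policy-map that send matching flows to the SFR module, and the verification and clear steps that make the change take effect for connections that were already open. The ACL name global_mpc, class-map Firepower and policy-map global_policy come from the show output above; the object-group name EXEMPT_HOSTS and its member address are assumptions for illustration.

```cisco
! Hosts whose traffic should bypass the SFR module (assumed group name and member)
object-group network EXEMPT_HOSTS
 network-object host 206.15.130.13
!
! Redirect ACL: deny entries come first ("Do not match"), then match everything else.
! A deny in a class-map match ACL means "do not send to the module", not "drop".
access-list global_mpc extended deny ip object-group EXEMPT_HOSTS any
access-list global_mpc extended deny ip any object-group EXEMPT_HOSTS
access-list global_mpc extended permit ip any any
!
class-map Firepower
 match access-list global_mpc
!
policy-map global_policy
 class Firepower
  sfr fail-open
!
service-policy global_policy global
!
! Verify how a flow would be classified under the current policy
! (a flow that only hits class-default is not redirected to SFR):
show service-policy flow ip host 206.15.130.13 host 10.25.70.3
!
! Connections that already existed keep the policy they were established under.
! List them, then tear them down so they are re-classified on the next packet:
show conn address 206.15.130.13
clear conn address 206.15.130.13
```

Clearing only the exempt host's connections (rather than a bare clear conn, which drops every flow through the firewall) limits the disruption to the sessions that actually need to be re-evaluated; after this, those hosts should stop appearing in the Firepower Connection Events.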
