
Web servers issue after migrating from ASA to FTD

S891
Level 2

I migrated the firewall configuration from ASA to FTD context. Firepower is only doing firewall services and we do not have any inspection or web filtering turned on. After the migration the web services stopped working. We are not doing any SSL decryption/encryption on FTD. The F5 load balancer which is in front of the firewall is showing an SSL communication error with the backend servers which are behind FTD. We checked all obvious possibilities including policy-map, threat-detection and timeouts, but there is nothing that could point to the issue.

Since the FTD is only providing firewall service, why would there be a difference in behaviour compared to ASA?

If anybody has faced a similar issue or can share some insight, it would be helpful.

2 Replies

Udupi Krishna
Cisco Employee

To rule out an issue caused by the FTD, for testing "only", create a bi-directional pre-filter ACL with the "fastpath" action for the necessary IP addresses and see if that makes a difference.

Personally I never ran into this, but from your description it seems that the F5 is not able to reach the web servers. I would check the NAT rules if you are using any, and the ACL on the firewall; maybe something basic is missing. If all looks good, then I would enable packet capture on the external interface connected to the F5, as well as on the internal interface connected to the web servers, and check the flows. I would also run packet-tracer to simulate the flow and see why it would fail.
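The capture and packet-tracer steps suggested in the replies, written out as an added example (this is not from either poster and not Cisco documentation). It assumes the FTD interface names are OUTSIDE (towards the F5) and INSIDE (towards the web servers), that the F5 self-IP is 198.51.100.10 and a backend web server is 10.0.0.20 on TCP 443; all of those are placeholder values. The commands are entered at the FTD command line (the > prompt; on older 6.x releases the same commands are reached through system support diagnostic-cli). The fastpath pre-filter rule from the first reply is configured in FMC under Policies > Access Control > Prefilter, not on the command line, so it is only referenced here.

```text
! 1. Simulate the F5 -> web server handshake packet entering on OUTSIDE.
!    The output walks every phase (ACL, NAT, inspection) and ends with
!    ALLOW or DROP plus a drop-reason; a DROP here points at NAT/ACL, not TLS.
packet-tracer input OUTSIDE tcp 198.51.100.10 40000 10.0.0.20 443

! 2. Capture the same flow on both interfaces, with "trace" so each packet
!    can be followed through the same phases packet-tracer shows.
capture capout interface OUTSIDE trace match tcp host 198.51.100.10 host 10.0.0.20 eq 443
capture capin  interface INSIDE  trace match tcp host 198.51.100.10 host 10.0.0.20 eq 443

! 3. Capture anything the accelerated security path is dropping, with reasons.
capture capdrop type asp-drop all

! 4. Reproduce the error from the F5, then compare the two sides.
!    A SYN seen on capout but absent on capin means the FTD (or NAT) ate it;
!    a handshake present on both sides but reset later points elsewhere.
show capture capout
show capture capin
show capture capout trace packet-number 1
show capture capdrop
show asp drop

! 5. Clean up once done so the captures do not keep consuming memory.
no capture capout
no capture capin
no capture capdrop
```

When reading the traces, compare the first SYN's trace on OUTSIDE with the packet-tracer result: if both allow the packet but capin never shows it leaving, the problem is between the FTD's egress and the server (routing, NAT translation, or the pre-filter/ACL decision for the return direction), which is exactly what the fastpath test in the first reply isolates.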
