Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
676
Views
0
Helpful
4
Replies

ASA with SFR module stops traffic during policy installiation

Kanan Huseynli
VIP
VIP

‎10-13-2017 03:45 AM - edited ‎02-21-2020 06:29 AM

Hi firewall lowers,

I have following issue: when deploying policy from FMC ASA firewall module stops data traffic.Version of devices is 6.1.0-330. ASA version is 9.5(1).

Although I have fail-open action under classmap.

policy-map global_policy
 description flow_export_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
 class firepower_class_map
  sfr fail-open
 class global-class
  flow-export event-type all destination 172.30.30.131
 class class-default
!

 

What could be reason or what action must be taken? May be SFR does not know about fail-open option of ASA (honestly,I don't know achitecture, so may be it must be somehow enabled in SFR or via FMC)

 

thanks in advance,

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Labels:
0 Helpful
4 Replies 4

GRANT3779
Spotlight
Spotlight

‎10-13-2017 04:02 AM

Hi,

 

Are you blocking traffic somehow within the ACP you have pushed out to the sensor? Or was this working and suddenly traffic just flowing through ASA?

I had an issue within the past few weeks at our DC which sounds similar to yours. Traffic just stopped flowing. I removed the policy map entry for FirePOWER and traffic flowed again.

 

TAC advised I had hit bug - something related to snort segfaults.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd55859

 

Although I see your version is on the "known fixed releases".

 

I would advise moving to 6.2.2 is possible and maybe log with TAC if your ACP looks OK.

0 Helpful

Kanan Huseynli
VIP
VIP
In response to GRANT3779

‎10-13-2017 04:17 AM - edited ‎10-13-2017 04:18 AM

I have block rules in ACP, btw, problem resolves some time later,it seems this happens due to snort restart (as I understand from cisco docs this is "engine" for forwarding inside SFR). What insterested for me is why module and/or ASA stops traffic while I configured fail-open.

 

regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Kanan Huseynli

‎10-13-2017 04:20 AM

This is why I think it might be a bug.

I also had the sfr fail-open but traffic just stopped completely.

 

Do you have contract to raise TAC case?

0 Helpful

Kanan Huseynli
VIP
VIP
In response to GRANT3779

‎10-13-2017 04:39 AM

Yes, we have.

Additional info: device is 5508 and deployment is router mode,may be this is the cause?

I also searching for answer in docs,because some hours later I saw smth about this.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card