Difficult Problem on Firepower 4150

I'm trying to troubleshoot a problem where a database server is failing to send transaction logs from one server to another. Basically, two devices were connected to a 5580 on different interfaces and permitted to speak to each other with the relevant rules. I've replaced this 5580 with a 4150 pair, and the only issue I've run into is that some transaction logs are not being sent between those two servers. To try and isolate the issue, I temporarily put a permit any [interfaces] any [src] any [dst] everywhere. However, the 4150 STILL shows that the packets are being blocked in the connection events log for tcp 1521 between the two servers. I can't get my head around this: how can anything be blocked if my first rule in the list is permit any any? Can someone try to explain to me how that is even possible?

PS: There is absolutely no asymmetric routing going on here.

level 1

See what Snort is doing with the traffic.

1. CLI into the FTD logical device.
2. Run the following command:

   system support firewall-engine-debug

3. Put in the parameters for your traffic.
4. You will be able to determine from this debug output if Snort is dropping the traffic due to a configured rule.

level 2
A+/N+/S+/CCNA · 1 point · 3 months ago

https://www.amazon.com/Cisco-Firepower-Threat-Defense-Troubleshooting/dp/1587144808/ref=mp_s_a_1_fkmr0_1?ie=UTF8&qid=1529039844&sr=8-1-fkmr0&pi=AC_SX236_SY340_QL65&keywords=nazmul+cisco+ftd

system support firewall-engine-debug - this form of troubleshooting nips everything in the bud and helps you get to the root issue very fast... I found it in the FTD book by Nazmul, then confirmed it's widely used with Cisco TAC support when I have issues.

level 1

I would try creating a fast path rule so that the connection doesn't get passed through the rest of the firepower packet processing steps. That should eliminate most other features from affecting the traffic flow.

level 2
Original Poster · 1 point · 3 months ago

> fast path rule

Do you know where I can find the 4150 documentation for the fastpath rule?

level 3
Original Poster · 1 point · 3 months ago

It's okay, I've done it. Testing now.

level 2
Original Poster · 1 point · 3 months ago

Would you happen to know if there is a way to see in the logs on the Firepower device whether it's the MPF blocking the traffic? When I run a packet-tracer input command, it actually shows the traffic passing as ACCEPT and FORWARD at the end. But in the actual logs of the firewall, it shows the packets as being denied.

level 2

Fastpath doesn't work on the 4150 platform; you have to use prefilter now.

level 1

ASA software has protocol inspection turned on for port 1521 by default. Protocol inspection is in effect even if you have a rule permitting all access. Try disabling this inspection and see if the connectivity issues are resolved. It is possible that there are commands happening over port 1521 that the protocol inspection does not know how to handle and the connections are being dropped.

More info is available here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-dbdir.html#83696

level 2

He is using FTD and not ASA, so that configuration guide won't help.

@sg4rb0sss - try disabling sqlnet inspection using the following command on your active firewall:

> configure inspection sqlnet disable

If that doesn't help, create a packet capture for ASP drops so we can see exactly why the traffic is dropped (the following command will capture packet headers for all traffic going from your src to dst port tcp/1521 with a max. buffer size of 3MB):

> capture ASP-DROP type asp-drop all headers-only buffer 33554432 match tcp host <client-ip> host <server-ip> eq 1521

You can use the "show capture ASP-DROP" command to verify if anything is captured. In case you are running an older version (< 6.2.3), do NOT clear the capture using "capture ASP-DROP /clear" when the buffer is full... there is a bug that will cause the firewall to reboot... if you need to clear the buffer, delete the capture using the "no capture ASP-DROP" command.
