949 Views | 0 Helpful | 3 Replies

Temporary loss of internet

darin.gottman1 (Level 1)

Every so often when we apply SourceFire policies to our firewalls there will be a temporary (approximately 5 minutes) loss of all internet traffic.  Does this happen to anyone else?  Any idea what could be the cause?  I'd say it happens about 10% of the time.  Thanks.

3 Replies

Veronika Klauzova (Cisco Employee) - Accepted Solution

Hello Darin,

From the provided description, this might be caused by a specific configuration change made to the Access Control Policy bundle. Some configuration settings require a Snort/detection engine restart, which will cause network disruption; with this in mind, a temporary network outage can be expected. But there is an opportunity to avoid such a network interruption by adjusting the ACP Advanced Settings tab: the option "Inspect traffic during policy apply" allows you to say whether traffic should be inspected or not during ACP apply.

Documentation reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/policy_management.html#concept_33516C5D6B574B6888B1A05F956ABDF9

Best regards,

Veronika

Veronika - please correct me if I am wrong; but I believe any policy deployment that includes Snort rule updates will require a restart of the Snort engine and thus cause a brief traffic disruption.

Marvin,

That's correct, and a very good example.

This can be confirmed by performing an IPS update along with a policy bundle re-apply action in the lab. First, the new SRU is downloaded from a Cisco-owned download server, the SRU is installed, and afterwards the policy is reapplied from the FMC down to the sensor. What we can observe during this process is that whenever the detection engine restarts, its process ID changes, and during that time a traffic disruption is observed; just note that during a reload of the detection engine the process ID remains the same and traffic is processed without interruption.

Demonstration from lab environment:

> expert
admin@fmc:~$ sudo su
root@fmc:/Volume/home/admin# head /var/sf/detection_engines/0b93c184-34ad-11e7-ab1b-7f2c11b82031/ngfw.rules
#### ngfw.rules
##############################################################################
#
# AC Name : new
# Policy Exported : Mon May 22 08:19:01 2017 (UTC)
# File Written : Mon May 22 08:19:37 2017 (UTC)
#
# DC Version : 6.2.0
# SRU : 2016-03-28-001-vrt
# VDB : 271
root@fmc:/Volume/home/admin# pmtool status | grep -i "de,snort"; date
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d01 (de,snort) - Running 9542 --> process ID of detection engine before any policy changes and before SRU update
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d02 (de,snort) - Running 9543
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d03 (de,snort) - Running 9544
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d04 (de,snort) - Running 9545
Mon May 22 08:53:31 UTC 2017

Output after the SRU update and policy reapply have been pushed down to the sensor:

root@fmc:/Volume/home/admin# pmtool status | grep -i "de,snort"; date
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d01 (de,snort) - Running 22575 --> process ID changed after detection engine restart
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d02 (de,snort) - Running 22576
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d03 (de,snort) - Running 22577
0b93c184-34ad-11e7-ab1b-7f2c11b82031-d04 (de,snort) - Running 22578
Mon May 22 09:29:46 UTC 2017
root@fmc:/Volume/home/admin# head /var/sf/detection_engines/0b93c184-34ad-11e7-ab1b-7f2c11b82031/ngfw.rules
#### ngfw.rules
##############################################################################
#
# AC Name : new
# Policy Exported : Mon May 22 09:25:27 2017 (UTC)
# File Written : Mon May 22 09:26:32 2017 (UTC)
#
# DC Version : 6.2.0
# SRU : 2017-05-18-001-vrt --> new SRU pushed to detection engine
# VDB : 271

Best regards,

Veronika
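The check Veronika performs by hand above (compare the Snort detection-engine PIDs reported by `pmtool status`, and the SRU line in the `ngfw.rules` header, before and after a deployment) can be scripted so that the "did the engine restart?" question is answered from two captured outputs rather than by eyeballing them. The script below is an added example and is not part of the thread or of Cisco's tooling; the capture file names, the placeholder engine UUID and the sample `pmtool`/`ngfw.rules` text are constructed for the example, and only the output format shown in the thread is assumed. A PID that changes between captures means the engine process was restarted (traffic disruption); an unchanged PID is consistent with a reload without restart.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from Cisco: confirm a Snort
# detection-engine restart from captured "pmtool status" output and read the
# SRU version from the ngfw.rules header.  File names, the engine UUID and the
# sample captures below are constructed for this example.
# On a real FMC/sensor (expert shell, root) you would capture with:
#   pmtool status | grep "(de,snort)" > /tmp/de_before.txt
#   head /var/sf/detection_engines/<uuid>/ngfw.rules > /tmp/rules_before.txt
#   ... deploy the policy / install the SRU ...
#   pmtool status | grep "(de,snort)" > /tmp/de_after.txt
#   head /var/sf/detection_engines/<uuid>/ngfw.rules > /tmp/rules_after.txt

# de_restarted BEFORE AFTER
# Prints one line per (de,snort) instance found in BEFORE:
#   <instance> restarted <old_pid> -> <new_pid>
#   <instance> unchanged <pid>
#   <instance> missing-after
# Exit status is 1 if any instance restarted or vanished, 0 if all PIDs match.
# The PID is taken as the field after "Running", so trailing annotations on a
# captured line (like the "--> ..." notes in the thread) do not break parsing.
de_restarted() {
  awk '
    /\(de,snort\)/ {
      pid = ""
      for (i = 1; i <= NF; i++) if ($i == "Running") pid = $(i + 1)
      if (FNR == NR) {                 # still reading the first file (BEFORE)
        if (!($1 in before)) order[++n] = $1
        before[$1] = pid
      } else {                         # reading the second file (AFTER)
        after[$1] = pid
      }
    }
    END {
      changed = 0
      for (k = 1; k <= n; k++) {
        inst = order[k]
        if (!(inst in after)) {
          print inst, "missing-after"; changed = 1
        } else if (before[inst] != after[inst]) {
          print inst, "restarted", before[inst], "->", after[inst]; changed = 1
        } else {
          print inst, "unchanged", before[inst]
        }
      }
      exit changed
    }' "$1" "$2"
}

# ngfw_sru FILE: print the SRU version recorded in an ngfw.rules header,
# ignoring anything that follows the version string on that line.
ngfw_sru() {
  awk '/^# SRU *:/ { sub(/^# SRU *: */, ""); print $1; exit }' "$1"
}

# --- constructed sample captures (placeholder UUID, not real output) ---------
TMPD=$(mktemp -d)
UUID="00000000-0000-4000-8000-000000000000"

cat > "$TMPD/de_before" <<EOF
${UUID}-d01 (de,snort) - Running 9542 --> captured before the deployment
${UUID}-d02 (de,snort) - Running 9543
${UUID}-d03 (de,snort) - Running 9544
EOF

# d01 and d02 came back with new PIDs (engine restarted); d03 kept its PID.
cat > "$TMPD/de_after" <<EOF
${UUID}-d01 (de,snort) - Running 22575
${UUID}-d02 (de,snort) - Running 22576
${UUID}-d03 (de,snort) - Running 9544
EOF

printf '#### ngfw.rules\n# DC Version : 6.2.0\n# SRU : 2016-03-28-001-vrt\n# VDB : 271\n' > "$TMPD/rules_before"
printf '#### ngfw.rules\n# DC Version : 6.2.0\n# SRU : 2017-05-18-001-vrt --> new SRU\n# VDB : 271\n' > "$TMPD/rules_after"

# Stand-alone run: report engine restarts and the SRU change.
if de_restarted "$TMPD/de_before" "$TMPD/de_after"; then
  echo "no detection engine restart detected"
else
  echo "detection engine restart detected (expect a traffic disruption window)"
fi
echo "SRU: $(ngfw_sru "$TMPD/rules_before") -> $(ngfw_sru "$TMPD/rules_after")"
```

Because the comparison keys on the instance name (`<uuid>-dNN`) rather than on line position, it still works if `pmtool status` lists the engines in a different order after the restart, and an instance that disappears from the second capture is reported rather than silently skipped.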
