Topic: SFR monitor only on ASA 5585-X

gvoden
SFR monitor only on ASA 5585-X
« on: March 27, 2016, 01:49:06 PM »
I am trying to use my ASA 5585-X as a pure sniffer where it sends all traffic to the SFR module without having to use the policy map redirect method.

I am following this doc:

When I enter the below command at interface level it's all good:
traffic-forward sfr monitor-only

However doing a "show run" doesn't list that command and even though traffic is received on the physical port it does not get processed.
Does it matter which ASA ports I am using?

MC (Global Moderator)
Re: SFR monitor only on ASA 5585-X
« Reply #1 on: March 27, 2016, 10:17:28 PM »
Does the Firepower mgmt center not see traffic from the FP module? I assume you already have FP added as a device on the mgmt center, as well as having the ASA running in transparent single-context mode. I don't believe which interface you use matters.
Below is a link to a discussion similar to what you are trying to do, if that helps.


gvoden
Re: SFR monitor only on ASA 5585-X
« Reply #2 on: March 28, 2016, 01:40:22 AM »
So it looks like this is a bug in the code for the ASA - I am on 9.3.2 and entering the command "traffic-forward sfr monitor-only" does not actually apply to the configuration.

When I do "show run" the command does not appear under the interface config. It turns out this is fixed in ASA code 9.5.2.


I upgraded one of my spare boxes to 9.5.2 and now I see the "traffic-forward" command applied in the configuration. Next step will be to send SPAN traffic to make sure it actually works.
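The problem in this thread is that the ASA accepted "traffic-forward sfr monitor-only" but the command never landed in the running config, so the only reliable check is to read "show run" back and confirm the command is actually present on every interface you intended. The script below is an added example, not code from any poster or from Cisco: it parses a constructed "show running-config" capture (the sample text is made up for this example, not a real device), lists the interfaces that carry the monitor-only command, checks that the firewall is in transparent mode as MC suggested, and, when the command is missing on an ASA older than 9.5(2), points at the version problem reported in this thread. The interface and IP names in the sample are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "show running-config" output for this example
# (not a real device capture). GigabitEthernet0/0 has the command,
# GigabitEthernet0/1 does not.
SAMPLE_SHOW_RUN = """\
: Saved
:
ASA Version 9.5(2)
!
firewall transparent
hostname asa5585-example
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 traffic-forward sfr monitor-only
!
interface GigabitEthernet0/1
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
"""

# Same config, but on 9.3(2) and with the command absent, to mimic the
# situation described in the thread (also constructed).
SAMPLE_SHOW_RUN_OLD = SAMPLE_SHOW_RUN.replace(
    "ASA Version 9.5(2)", "ASA Version 9.3(2)"
).replace(" traffic-forward sfr monitor-only\n", "")

MONITOR_ONLY_CMD = "traffic-forward sfr monitor-only"
FIXED_VERSION = (9, 5, 2)  # version the thread reports as carrying the fix


def parse_interfaces(show_run: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to the list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in show_run.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(":"):
            continue  # ": Saved" style banner lines
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None  # end of the current block
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def monitor_only_interfaces(show_run: str) -> List[str]:
    """Interfaces on which the monitor-only command really made it into the config."""
    return sorted(
        name for name, cmds in parse_interfaces(show_run).items()
        if MONITOR_ONLY_CMD in cmds
    )


def asa_version(show_run: str) -> Tuple[int, ...]:
    """Parse 'ASA Version 9.5(2)' into (9, 5, 2) for comparison."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", show_run, re.M)
    if not m:
        raise ValueError("no 'ASA Version' line found in show run output")
    return tuple(int(x) for x in m.groups())


def is_transparent(show_run: str) -> bool:
    return re.search(r"^firewall transparent$", show_run, re.M) is not None


def audit(show_run: str, expected_interfaces: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the config matches intent."""
    findings: List[str] = []
    if not is_transparent(show_run):
        findings.append("firewall mode is not transparent")
    missing = sorted(set(expected_interfaces) - set(monitor_only_interfaces(show_run)))
    if missing:
        findings.append("monitor-only missing on: " + ", ".join(missing))
        ver = asa_version(show_run)
        if ver < FIXED_VERSION:
            findings.append(
                "ASA version %d.%d(%d) is below 9.5(2); this thread reports the "
                "command being accepted but not applied on 9.3(2)" % ver
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("new", SAMPLE_SHOW_RUN), ("old", SAMPLE_SHOW_RUN_OLD)):
        print(label, audit(cfg, ["GigabitEthernet0/0", "GigabitEthernet0/1"]))
```

In practice you would feed the script the real output of "show running-config" (e.g. saved to a file after the upgrade) and list the SPAN-facing interfaces you configured; any interface named in the findings is one where the command was silently dropped.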

MC (Global Moderator)
Re: SFR monitor only on ASA 5585-X
« Reply #3 on: March 31, 2016, 08:40:36 PM »
Bug sounds about right. Thanks for sharing the resolution.

gvoden
Re: SFR monitor only on ASA 5585-X
« Reply #4 on: April 08, 2016, 05:37:38 AM »
Just sent SPAN traffic to the 5585-X and it works fine - FirePOWER can identify the app traffic without issues.

MC (Global Moderator)
Re: SFR monitor only on ASA 5585-X
« Reply #5 on: April 10, 2016, 09:15:37 PM »
Thanks for the update, gvoden. :D
