SFR-module in ASA5555 is set to inactive but some traffic still punted

tlr
Level 1

Hi.

We have an old ASA5555 (in HA) where we wanted to disable the SFR-module for a couple of reasons. We removed the config for the SFR-module:

class-map FW-VRF-Firepower-ACL
no match access-list Firepower-ACL-VRF-FW
exit
policy-map global_policy
no class FW-VRF-Firepower-ACL
exit
no class-map FW-VRF-Firepower-ACL
clear config access-list Firepower-ACL-VRF-FW

fw-vrf/act/pri# sh service-policy sfr
fw-vrf/act/pri#

But we can still see that a lot of UDP-traffic is getting passed over to the SFR-module. The TCP-sessions are not sent to SFR anymore. And if I check the connection-table in the ASA, it also states that traffic is passed to a service-module (the flags field is set to X):

fw-vrf/act/pri# sh conn | i flags X
UDP VOIP 10.19.100.48:5000 DC 10.19.1.73:5100, idle 0:00:43, bytes 93084, flags X
UDP VOIP 10.49.106.138:5000 DC 10.19.1.75:5100, idle 0:00:01, bytes 2374662, flags X

Has anyone encountered this? We would like to remove all traffic from the SFR so that we can commission them completely.
The ASA5555 is running 9.14.4.23

6 Replies

You are right, X means the traffic is punted to SFR.

But it can be an old conn.

Try

clear conn

Then check show conn again.

MHM

tlr
Level 1

Hi.

Yep, that seems to have helped a lot. I cleared all the UDP-sessions that were flagged with an X and no new UDP-sessions have been seen in the SFR-logs since then.

But I do see some occasional TCP-sessions in the SFR-log still, both in our syslog-server and in the FMC.
I haven't dared to clear the TCP-connections that still have an X yet, since I assume that those won't restart instantly. There are some critical systems behind this firewall.
I'm a bit surprised that SFR is still used even after the service-policy is removed.

What would happen if we shut down the SFR now?

BR
Tobias

I think there is no real data passing, but the ASA keeps the conn in its database.

This conn will be there until the idle timeout ends or you clear the conn manually.

Then the ASA starts building new conns and does not pass them to SFR.

MHM

tlr
Level 1

That would have been logical, but I still see this in the FMC, so it looks like traffic is still getting to the SFR. It's not a lot of traffic, but I would expect zero traffic.

(attached FMC screenshot: tlr_0-1706190706344.png)

The connection in the ASA looks like this.

fw-vrf/act/pri# sh conn addr 10.5.60.31 addr 10.137.0.70 det

TCP DC: 10.5.60.31/62068 SOV: 10.137.0.70/48898,
flags UIOXB , idle 17m46s, uptime 23h37m, timeout 2h5m, bytes 3193
Initiator: 10.5.60.31, Responder: 10.137.0.70

This is what I don't understand. Why is this traffic still passed to the SFR? I can get that the session in the ASA is still active, since it hasn't been idle for that long, but why do I still see traffic in the SFR? I thought it was only when a new session was set up that traffic was sent to SFR.
So do you have any idea what would happen if I shut down the SFR-module when in this state?

/tobias
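Checking for X-flagged flows by eye works for two lines, but not for a full connection table. The following is an added example, not code from the thread or from Cisco: it parses both 'show conn' layouts quoted above (the one-line form and the multi-line 'det' form) and lists the flows the ASA is still handing to the SFR module. The sample output is constructed from the lines in this thread.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto src dst flags idle nbytes")

# Constructed sample in the two 'show conn' layouts quoted in the thread
# (the one-line form and the multi-line 'det' form); not real device output.
SAMPLE = """\
UDP VOIP 10.19.100.48:5000 DC 10.19.1.73:5100, idle 0:00:43, bytes 93084, flags X
UDP VOIP 10.49.106.138:5000 DC 10.19.1.75:5100, idle 0:00:01, bytes 2374662, flags X
TCP VOIP 10.19.100.50:443 DC 10.19.1.80:51000, idle 0:00:05, bytes 1200, flags UIO
TCP DC: 10.5.60.31/62068 SOV: 10.137.0.70/48898,
flags UIOXB , idle 17m46s, uptime 23h37m, timeout 2h5m, bytes 3193
Initiator: 10.5.60.31, Responder: 10.137.0.70
"""

# proto, interface[:], addr:port or addr/port, interface[:], addr:port or addr/port
_START = re.compile(r"^(TCP|UDP)\s+(\w+):?\s+([\d.]+[:/]\d+)\s+(\w+):?\s+([\d.]+[:/]\d+)")

def _records(text):
    """Yield one joined string per connection; the 'det' form spans several lines."""
    rec = []
    for line in text.splitlines():
        if re.match(r"^(TCP|UDP)\s", line):
            if rec:
                yield " ".join(rec)
            rec = [line.strip()]
        elif rec:
            rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def parse_show_conn(text):
    """Parse both layouts into Conn tuples; fields missing from a record stay empty."""
    conns = []
    for rec in _records(text):
        m = _START.match(rec)
        if not m:
            continue
        flags = re.search(r"\bflags\s+([A-Za-z]+)", rec)
        idle = re.search(r"\bidle\s+([^,\s]+)", rec)
        nbytes = re.search(r"\bbytes\s+(\d+)", rec)
        conns.append(Conn(m.group(1), m.group(3), m.group(5),
                          flags.group(1) if flags else "",
                          idle.group(1) if idle else "",
                          int(nbytes.group(1)) if nbytes else 0))
    return conns

def punted_to_sfr(conns):
    """Flows whose flag string contains X, i.e. the ASA still hands them to the SFR module."""
    return [c for c in conns if "X" in c.flags]
```

Feed it the saved output of `show conn` (or `show conn det`) and the remaining X-flagged flows, with their idle times, are the ones that will either age out or need to be cleared before the module is removed.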


Check it after two hours.
MHM

tlr
Level 1

It's been 10 hours since the change on the service-policy. :-)
But I'll check it tomorrow again. Thanks a lot for your advice so far.
/t
