Cisco Bug: CSCvu99637 - FTD not sending SGT value in syslog message

Last Modified

Jul 27, 2020

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

  • 6.4.0.4
  • 6.5.0

Description (partial)

Symptom:
FTD running 6.4.0.4 is enforcing traffic based on SGT (an IP any/any rule in which only the SGT is used as the matching criterion).

Enforcement is working correctly, and FMC correctly shows the connection event with the Source SGT (see screenshot); however, direct syslog (connection event logging sent directly from the FTD, available since 6.3) does not show the SGT in the log message.

FW engine-debug for a connection:

xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 new firewall session
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 Starting with minimum 2, 'Allow Access', and SrcZone first with zones 6 -> 15, geo 0 -> 0, vlan 0, inline sgt tag: 50100, ISE sgt id: 18, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, icmpType 8, icmpCode 0
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 match rule order 2, 'Allow Access', action Allow
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 MidRecovery data sent for rule id: 268444838,rule_action:2, rev id:210947934, rule_match flag:0x2
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 HitCount data sent for rule id: 268444838,
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 allow action


Syslog message on remote syslog server:

 AccessControlRuleAction: Allow, SrcIP: xx.xx.xx.xx, DstIP: xx.xx.xx.xx, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, Security Group: Unknown, ACPolicy: EMS Datacenter ACP, AccessControlRuleName: Allow Access, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 86, ResponderBytes: 86, NAPPolicy: Balanced Security and Connectivity

Conditions:
FTD with an ACP rule allowing traffic based on the SGT tag.
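As an added illustration that is not part of the Cisco bug record, the following Python check parses the two outputs quoted above and flags a connection event whose syslog body carries no Security Group even though the engine debug matched an SGT for the same flow. The sample lines are constructed after the page's quoted output, with placeholder IP addresses.

```python
import re
from typing import Dict, Optional

# Constructed sample input modelled on the bug report's quoted engine-debug and
# syslog output (IP addresses are placeholders, not values from the page).
ENGINE_DEBUG = (
    "10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 31 Starting with minimum 2, 'Allow Access', "
    "and SrcZone first with zones 6 -> 15, geo 0 -> 0, vlan 0, inline sgt tag: 50100, "
    "ISE sgt id: 18, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, "
    "icmpType 8, icmpCode 0"
)
SYSLOG_EVENT = (
    "AccessControlRuleAction: Allow, SrcIP: 10.0.0.1, DstIP: 10.0.0.2, "
    "ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressZone: inside, "
    "EgressZone: outside, Security Group: Unknown, ACPolicy: EMS Datacenter ACP, "
    "AccessControlRuleName: Allow Access, InitiatorPackets: 1, ResponderPackets: 1"
)

# The engine debug names both the inline tag and the ISE-resolved SGT id.
SGT_RE = re.compile(r"inline sgt tag: (\d+), ISE sgt id: (\d+)")


def parse_syslog_event(line: str) -> Dict[str, str]:
    """Split an FTD connection-event syslog body ("Key: value, Key: value") into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(", "):
        key, sep, value = part.partition(": ")
        if sep:  # skip fragments that are not key/value pairs
            fields[key.strip()] = value.strip()
    return fields


def parse_engine_sgt(line: str) -> Optional[Dict[str, int]]:
    """Extract the SGT the firewall engine matched, or None if the line has no SGT."""
    match = SGT_RE.search(line)
    if not match:
        return None
    return {"inline_sgt_tag": int(match.group(1)), "ise_sgt_id": int(match.group(2))}


def sgt_missing_from_syslog(engine_line: str, syslog_line: str) -> Optional[Dict]:
    """Return a finding when the engine saw an SGT but the syslog event reports none."""
    sgt = parse_engine_sgt(engine_line)
    event = parse_syslog_event(syslog_line)
    group = event.get("Security Group", "")
    if sgt and (not group or group == "Unknown"):
        return {"rule": event.get("AccessControlRuleName"),
                "engine_sgt": sgt, "syslog_group": group or None}
    return None
```

Running the check over a sample of direct-syslog events beside the matching engine debug is a quick way to confirm whether an FTD build is dropping the SGT from its connection events before relying on that field in a SIEM.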