I wanted to document a recent issue that I encountered with a Cisco Firepower implementation. The configuration is a pair of Cisco ASA 5545-X firewalls running the Firepower Services Modules and managed by the virtual edition of the Firepower Management Center. All elements were running 6.2.0 images. The network was a very straightforward inside/outside configuration.
Initially, I had the Network Discovery policy set up using the “trust” zone and the “IPv6-any”, “IPv4-Private-10.0.0.0-8”, “IPv4-Private-172.16.0.0-12”, and “IPv4-Private-192.168.0.0-16” networks. This was picking up random IPv6 traffic from hosts that were running an IPv6 stack at about one event every 20 minutes or so, but it was not collecting the IPv4 hosts.
After trying some different settings, including just the “trust” zone by itself, and speaking with TAC, I was able to get it working by removing the zone, and instead specifying the networks as “any”. This is not the expected behavior, and there is now a bug ID assigned. Once the bug is published, I’ll update this post with a link, but for now, the resolution is to specify the RFC 1918 networks that are applicable to the environment as the networks field, but to leave the zone field blank.
Update: CSCve31929 was published on May 18, 2017.