IPv4 hosts not being discovered in Cisco Firepower Management Center 6.2


I wanted to document a recent issue that I encountered with a Cisco Firepower implementation.  The configuration is a pair of Cisco ASA 5545-X firewalls running the Firepower Services Modules and managed by the virtual edition of the Firepower Management Center.  All elements were running 6.2.0 images.  The network was very straight forward inside/outside configuration.

Initially, I had the Network Discovery policy set up using the “trust” zone and the “IPv6-any”, “IPv4-Private-10.0.0.0-8”,  “IPv4-Private-172.16.0.0-12”, and “IPv4-Private-192.168.0.0-16” networks.  This was picking up random IPv6 traffic from hosts that were running an IPv6 stack at about 1 every 20 minutes or so, but it was not collecting the IPv4 hosts.

Firepower Network Discovery Policy
This policy was not working with Firepower 6.2.0 due to the inclusion of the zone in the policy.

After trying some different settings, including just the “trust” zone by itself, and speaking with TAC, I was able to get it working by removing the zone, and instead specifying the networks as “any”.  This is not the expected behavior, and there is now a bug ID assigned. Once the bug is published, I’ll update this post with a link, but for now, the resolution is to specify the RFC 1918 networks that are applicable to the environment as the networks field, but to leave the zone field blank.

Update: CSCve31929 was published on May 18, 2017.