Symptom
The mac filter table is incomplete on the Firepower 2100 series platforms.
firepower-2130# connect local-mgmt
firepower-2130(local-mgmt)# show portmanager switch mac-filters
For each port, there should be a corresponding interface MAC entry. In case of transparent mode ASA/FTD, there should be a promiscuous entry to allow traffic for all MAC.
Conditions
This specific issue was observed after configuration sync. The following logs are seen in asa-appagent.log:
Jan 12 05:49:54.739 WARN : [appAgent_hb_sender_thread] : [application_agent_msgHandler.c:6593] : AppAgent Not Registered with MIO.Cannot send heartbeat update
Jan 12 05:49:55.759 WARN : [appAgent_hb_sender_thread] : [application_agent_msgHandler.c:6593] : AppAgent Not Registered with MIO.Cannot send heartbeat update
Jan 12 05:50:02.339 WARN : [appAgent_hb_sender_thread] : [application_agent_msgHandler.c:6593] : AppAgent Not Registered with MIO.Cannot send heartbeat update
Following errors are observed during nic_mode message updates:
Jan 12 05:49:49.629 ERROR : [fover_parse] : [application_agent_interface_commands.c:4870] : AppAgent is not online. Cannot send nic mac filtering message
Jan 12 05:49:49.629 ERROR : [fover_parse] : [application_agent_interface_commands.c:4551] : AppAgent is not online. Cannot send nic mode Message
Jan 12 05:49:49.649 ERROR : [fover_parse] : [application_agent_interface_commands.c:4870] : AppAgent is not online. Cannot send nic mac filtering message
Jan 12 05:49:49.649 ERROR : [fover_parse] : [application_agent_interface_commands.c:4870] : AppAgent is not online. Cannot send nic mac filtering message
Workaround
Increase the heartbeat interval to 6000 and retry-interval to 10:
app-agent heartbeat interval 6000 retry-count 10
This will not cause any adverse impact on the ASA or FTD.
Further Problem Description
