DCERPC traffic is dropped after upgrade to snort3 due to pinhole timeout. No blocked event is seen in the system support trace or firewall engine debug:

192.0.2.44 64627 -> 203.0.113.17 135 6 AS=0 ID=3 GR=1-1 Packet 782: TCP ***A****, 06/14-00:18:47.159934, seq 1918060422, ack 1076697247, dsize 0
192.0.2.44 64627 -> 203.0.113.17 135 6 AS=0 ID=3 GR=1-1 AppID: service: DCE/RPC(603), client: (0), payload: (0), misc: (0)
192.0.2.44 64627 -> 203.0.113.17 135 6 AS=0 ID=3 GR=1-1 Firewall: allow rule, 'FPIL_to_FPIL_Tin_App_SQL_Biztalk', allow
192.0.2.44 64627 -> 203.0.113.17 135 6 AS=0 ID=3 GR=1-1 Policies: Network 0, Inspection 0, Detection 2
192.0.2.44 64627 -> 203.0.113.17 135 6 AS=0 ID=3 GR=1-1 Verdict: pass
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Packet 783: TCP ***AP***, 06/14-00:18:47.159934, seq 3336459983, ack 1663209489, dsize 204
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 AppID: service: DCE/RPC(603), client: (0), payload: (0), misc: (0)
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Firewall: allow rule, 'FPIL_to_FPIL_Tin_App_SQL_Biztalk', allow
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Policies: Network 0, Inspection 0, Detection 2
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Verdict: pass
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Got end of flow event from hardware with flags 00002801
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Received EOF, deleting the snort session
192.0.2.44 64628 -> 203.0.113.17 52222 6 AS=0 ID=3 GR=1-1 Deleting Firewall session

FTD with snort3 enabled. NAP policy enabled. Connection is closed due to pinhole timeout.
Jun 14 2022 00:57:42 firepower : %FTD-6-302013: Built inbound TCP connection 33412 for FPIL_DC1QA_TinApp:192.0.2.44/64627 (192.0.2.44/64627) to FPIL_DC1QA_TinSQL:203.0.113.17/135 (203.0.113.17/135)
Jun 14 2022 00:57:43 firepower : %FTD-6-302013: Built inbound TCP connection 19415 for FPIL_DC1QA_TinApp:192.0.2.44/64628 (192.0.2.44/64628) to FPIL_DC1QA_TinSQL:203.0.113.17/52222 (203.0.113.17/52222)
Jun 16 2022 00:57:47 firepower : %FTD-6-302014: Teardown TCP connection 33412 for FPIL_DC1QA_TinApp:192.0.2.44/64627 to FPIL_DC1QA_TinSQL:203.0.113.17/135 duration 0:00:05 bytes 3101 TCP FINs from FPIL_DC1QA_TinApp
Jun 14 2022 00:57:47 firepower : %FTD-6-302014: Teardown TCP connection 19415 for FPIL_DC1QA_TinApp:192.0.2.44/64628 to FPIL_DC1QA_TinSQL:203.0.113.17/52222 duration 0:00:04 bytes 8447 Parent flow is closed

After this, the rest of the packets on the pinhole connection are dropped with the reason (tcp-not-syn) First TCP packet not SYN:

Jun 14 2022 00:57:47 firepower : %FTD-6-106015: Deny TCP (no connection) from 192.0.2.44/64628 to 203.0.113.17/52222 flags PSH ACK on interface FPIL_DC1QA_TinApp
Workarounds: create a prefilter rule to bypass the NAP policy, or downgrade to snort2.
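Because the system support trace records no block verdict, the only place this failure is visible is the FTD syslog: a pinhole connection torn down with "Parent flow is closed" that the client then keeps using, producing 106015 "Deny TCP (no connection)" for the same src/dst pair. The script below correlates those messages to list affected pinholes. It is an added example written for this record, not Cisco tooling or part of the bug report; it assumes only the three message formats shown above (%FTD-6-302013, 302014, 106015), and the 60-second window, the output field names and the parent heuristic (last 135/tcp connection between the same hosts) are the author's choices. The sample input is the record's own lines, with the one "Jun 16" timestamp written as Jun 14 so the sample is in time order.

```python
"""Find DCE/RPC pinhole flows that FTD tore down ("Parent flow is closed")
while the client was still sending on them (later 106015 denies).

Added example for this bug record; not Cisco tooling. Assumes only the
%FTD-6-302013 / 302014 / 106015 message formats visible in the record.
"""
import re
from datetime import datetime

# Constructed input: the record's own syslog lines, in time order.
SAMPLE_LOG = """\
Jun 14 2022 00:57:42 firepower : %FTD-6-302013: Built inbound TCP connection 33412 for FPIL_DC1QA_TinApp:192.0.2.44/64627 (192.0.2.44/64627) to FPIL_DC1QA_TinSQL:203.0.113.17/135 (203.0.113.17/135)
Jun 14 2022 00:57:43 firepower : %FTD-6-302013: Built inbound TCP connection 19415 for FPIL_DC1QA_TinApp:192.0.2.44/64628 (192.0.2.44/64628) to FPIL_DC1QA_TinSQL:203.0.113.17/52222 (203.0.113.17/52222)
Jun 14 2022 00:57:47 firepower : %FTD-6-302014: Teardown TCP connection 33412 for FPIL_DC1QA_TinApp:192.0.2.44/64627 to FPIL_DC1QA_TinSQL:203.0.113.17/135 duration 0:00:05 bytes 3101 TCP FINs from FPIL_DC1QA_TinApp
Jun 14 2022 00:57:47 firepower : %FTD-6-302014: Teardown TCP connection 19415 for FPIL_DC1QA_TinApp:192.0.2.44/64628 to FPIL_DC1QA_TinSQL:203.0.113.17/52222 duration 0:00:04 bytes 8447 Parent flow is closed
Jun 14 2022 00:57:47 firepower : %FTD-6-106015: Deny TCP (no connection) from 192.0.2.44/64628 to 203.0.113.17/52222 flags PSH ACK on interface FPIL_DC1QA_TinApp
"""

# "Jun 14 2022 00:57:42 firepower : %FTD-6-302013: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%FTD-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"[^\s:]+:(?P<src>[\d.]+)/(?P<sport>\d+) \S+ to "
    r"[^\s:]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for "
    r"[^\s:]+:(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"[^\s:]+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def find_broken_pinholes(log_text, window_seconds=60):
    """Return one finding per pinhole that was torn down with 'Parent flow is
    closed' and then denied as a no-connection flow within window_seconds."""
    built = []     # (ts, cid, src_ip, dst_ip, dport) from every 302013
    torn = {}      # (src, sport, dst, dport) -> (teardown ts, cid, parent cid)
    findings = {}  # same key -> finding dict
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if not h:
            continue
        ts, body = parse_ts(h["ts"]), h["body"]
        if h["msgid"] == "302013":
            m = BUILT_RE.search(body)
            if m:
                built.append((ts, m["cid"], m["src"], m["dst"], m["dport"]))
        elif h["msgid"] == "302014":
            m = TEARDOWN_RE.search(body)
            if not m or m["reason"] != "Parent flow is closed":
                continue
            # Heuristic (assumption): the parent is the most recent 135/tcp
            # (endpoint mapper) connection between the same two hosts.
            parent = None
            for b_ts, b_cid, b_src, b_dst, b_dport in reversed(built):
                if b_dport == "135" and (b_src, b_dst) == (m["src"], m["dst"]) and b_ts <= ts:
                    parent = b_cid
                    break
            torn[(m["src"], m["sport"], m["dst"], m["dport"])] = (ts, m["cid"], parent)
        elif h["msgid"] == "106015":
            m = DENY_RE.search(body)
            if not m:
                continue
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            hit = torn.get(key)
            if hit is None:
                continue
            torn_at, cid, parent = hit
            if not 0 <= (ts - torn_at).total_seconds() <= window_seconds:
                continue
            f = findings.setdefault(key, {
                "connection_id": cid,
                "parent_candidate": parent,
                "client": f"{key[0]}/{key[1]}",
                "server": f"{key[2]}/{key[3]}",
                "torn_down_at": torn_at,
                "first_deny_at": ts,
                "deny_flags": m["flags"],
                "denied_packets": 0,
            })
            f["denied_packets"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_broken_pinholes(SAMPLE_LOG):
        print(finding)
```

Run it over a syslog export from the affected device; each finding is a pinhole that died while the client was mid-conversation, which is what the bug looks like from the outside. A finding on its own does not prove this bug (a server that really closed the parent flow produces the same messages), so confirm against the system support trace, where the pinhole session ends with "Received EOF, deleting the snort session" and no block verdict.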