topic ASA 5515 IPS management access in Network Security

ASA 5515 IPS management access

VladimirTetyorkin — Sun, 10 Mar 2019 13:03:01 GMT

Hello!

I can not access to the ASA IPS module.

I try from ASDM. Configuration->IPS. I type username and password and see following message: "Error connecting to sensor. Error loading sensor"

Could you please help me to correct my config?

I have network topology like this

http://www.cisco.com/image/gif/paws/113690/ips-config-mod-01.gif

My config

KR-ASA# sh run int gig 0/5

interface GigabitEthernet0/5

nameif Inside

security-level 100

ip address 172.33.1.253 255.255.255.0 standby 172.33.1.254

interface Management0/0

management-only

no nameif

security-level 0

no ip address

KR-ASA# sh module ips details

App. name: IPS

App. Status: Up

App. Status Desc: Normal Operation

App. version: 7.1(4)E4

Data Plane Status: Up

Status: Up

License: IPS Module Enabled perpetual

Mgmt IP addr: 172.33.1.251

Mgmt Network mask: 255.255.255.0

Mgmt Gateway: 172.33.1.253

Mgmt Access List: 172.33.1.0/24

Mgmt Access List: 172.34.1.0/24

Mgmt web ports: 443

Mgmt TLS enabled: true

KR-ASA# ping 172.33.1.251

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.33.1.251, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Thank you!

ASA 5515 IPS management access

sokakkar — Wed, 11 Sep 2013 18:11:58 GMT

Hi Vladimir,

Here is how packets are going to flow:

- From management machine to IPS

- IPS will reply directly to mgmt machine if it is in same subnet as that of IPS.

- IPS will reply through its DG which is ASA in this case if mgmt machine is not in same subnet as that of IPS and in that case appropriate config would be needed on ASA.

Are you able to ping IPS from mgmt machine?

Check this link and see which scenario suits you (possibly 1):

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

Once necessary config is done and in case you get problems while accessing the IPS from ASDM, try following from same machine:

open browser and go to: https://172.33.1.251

HTH.

Regards,

Sourav Kakkar

ASA 5515 IPS management access

VladimirTetyorkin — Wed, 11 Sep 2013 18:24:47 GMT

Hello, sokakkar!

Thank you for the reply!

Yes, scenario 1 is mine.

I can ping IPS from my PC and from ASA. ASA gig 0/5 and IPS are in same subnet - 172.33.1.0/24.

I can access https://172.33.1.251. I see invitation to download asdm|idm software. But I cannot access IPS from this software too.

https://supportforums.cisco.com/thread/2172962

Here is same problem.

I will downgrade java version on my PC and try to access to IPS from ASDM

From this link

-This is one of the issues we are lately seen on the TAC and yes, it is 100% related to the java version on the PC because of the JAVA SSL Client Hello Format.

-Hi Guys, today I solved this issue. The problem is concern to JAVA version. ASDM work ok with java ver 7, but IDM not work with this java version. I downgrade mi java version from 7 to 6 and IDM now lauch from ASDM.

ASA 5515 IPS management access

sokakkar — Wed, 11 Sep 2013 18:41:13 GMT

Hi Vladimir,

Yups, that is one issue which is seen. Java downgrade should fix this. If not, enable java debug logs and paste those here:

Go to control panel->right click java->Open->Advanced->Check all boxes under debugging and click radio button for show console

Run IDM from browser again and collect the data in java console window and paste it here.

Regards,

Sourav Kakkar

ASA 5515 IPS management access

VladimirTetyorkin — Thu, 12 Sep 2013 06:52:08 GMT

Hi, sokakkar!

I will try tomorrow and will let you know about result.

Thank you for the help!

ASA 5515 IPS management access

VladimirTetyorkin — Fri, 13 Sep 2013 12:35:23 GMT

Hi sokakkar!

I've installed java version 6. Everything is fine, I have access to IPS from ASDM. Thank you for the help!

ASA 5515 IPS management access

sokakkar — Fri, 13 Sep 2013 14:24:54 GMT

Hi Vladimir,

Sounds great! You really figured it out yourself!

Please rate the post which provided the solution.

Regards,

Sourav Kakkar