https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065487#M54445 <P>Hi,</P><P></P><P>Have a 5545X with 5545-IPS module. It is up, updateing signatures but there are no packets checked on it. On the sensor side I'm confused that hardware/software version is shown as N/A. ASA config:</P><P></P><P><STRONG><EM>access-list test extended permit ip interface outside any</EM></STRONG></P><P></P><P><STRONG><EM> class-map test-class</EM></STRONG></P><P><STRONG><EM> match access-list test</EM></STRONG></P><P></P><P><STRONG><EM>policy-map global_policy</EM></STRONG></P><P><STRONG><EM> class test-class</EM></STRONG></P><P><STRONG><EM>&nbsp; ips promiscuous fail-open sensor vs0</EM></STRONG></P><P></P><P><STRONG><EM>service-policy global_policy global</EM></STRONG></P><P></P><P></P><P>all <STRONG>show statistics</STRONG> commands (engine, host, etc) on IPS show 0 in packets so it seems like traffic is not passed to IPS from ASA. Global policy output </P><P>on ASA shows the same:</P><P></P><P></P><P><STRONG><EM>Global policy:</EM></STRONG></P><P><STRONG><EM>Service-policy: global_policy</EM></STRONG></P><P><STRONG><EM>Class-map: test-class</EM></STRONG></P><P><STRONG><EM>IPS: card status UP, license status Enabled, mode promiscuous fail-open, sensor vs0</EM></STRONG></P><P><STRONG><EM>&nbsp; packet input 0, packet output 0, drop 0, reset-drop 0</EM></STRONG></P><P></P><P>What can prevent global-policy to do it job?</P><P></P><P>Thank s</P> Sun, 10 Mar 2019 12:48:50 GMT Volodymyr Morskyy 2019-03-10T12:48:50Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065487#M54445 <P>Hi,</P><P></P><P>Have a 5545X with 5545-IPS module. It is up, updateing signatures but there are no packets checked on it. On the sensor side I'm confused that hardware/software version is shown as N/A. ASA config:</P><P></P><P><STRONG><EM>access-list test extended permit ip interface outside any</EM></STRONG></P><P></P><P><STRONG><EM> class-map test-class</EM></STRONG></P><P><STRONG><EM> match access-list test</EM></STRONG></P><P></P><P><STRONG><EM>policy-map global_policy</EM></STRONG></P><P><STRONG><EM> class test-class</EM></STRONG></P><P><STRONG><EM>&nbsp; ips promiscuous fail-open sensor vs0</EM></STRONG></P><P></P><P><STRONG><EM>service-policy global_policy global</EM></STRONG></P><P></P><P></P><P>all <STRONG>show statistics</STRONG> commands (engine, host, etc) on IPS show 0 in packets so it seems like traffic is not passed to IPS from ASA. Global policy output </P><P>on ASA shows the same:</P><P></P><P></P><P><STRONG><EM>Global policy:</EM></STRONG></P><P><STRONG><EM>Service-policy: global_policy</EM></STRONG></P><P><STRONG><EM>Class-map: test-class</EM></STRONG></P><P><STRONG><EM>IPS: card status UP, license status Enabled, mode promiscuous fail-open, sensor vs0</EM></STRONG></P><P><STRONG><EM>&nbsp; packet input 0, packet output 0, drop 0, reset-drop 0</EM></STRONG></P><P></P><P>What can prevent global-policy to do it job?</P><P></P><P>Thank s</P> Sun, 10 Mar 2019 12:48:50 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065487#M54445 Volodymyr Morskyy 2019-03-10T12:48:50Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065488#M54447 <HTML><HEAD></HEAD><BODY><P>On the IPS side, is the PortChannel assigned to vs0 ?</P><P></P><P>service analysis-engine</P><P>virtual-sensor vs0</P><P>physical-interface PortChannel0/0</P><P>exit</P><P>exit</P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Tue, 06 Nov 2012 05:12:35 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065488#M54447 sawgupta 2012-11-06T05:12:35Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065489#M54448 <HTML><HEAD></HEAD><BODY><P>Hi Sawan,</P><P></P><P>It is assigned. I have no idea why nothing is matched with my policy, and even access-list shows 0 packet counts.</P><P></P><P>regards,</P><P></P><P>Volodymyr</P></BODY></HTML> Tue, 06 Nov 2012 09:22:43 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065489#M54448 Volodymyr Morskyy 2012-11-06T09:22:43Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065490#M54450 <HTML><HEAD></HEAD><BODY><P>You could use following sample config on ASA:</P><P></P><P>class-map all-traffic-class</P><P> match access-list all-traffic</P><P></P><P> policy-map pro-fail-open</P><P> class all-traffic-class</P><P>&nbsp; ips promiscuous fail-open</P><P>&nbsp; set connection advanced-options tmap</P><P></P><P>service-policy pro-fail-open global</P><P></P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Tue, 06 Nov 2012 12:43:36 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065490#M54450 sawgupta 2012-11-06T12:43:36Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065491#M54452 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you show access-list all-traffic?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 06 Nov 2012 13:27:20 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065491#M54452 Volodymyr Morskyy 2012-11-06T13:27:20Z https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065492#M54454 <HTML><HEAD></HEAD><BODY><P>Seem like you cannot use interface names in the config and networks should be specified.</P></BODY></HTML> Wed, 02 Jan 2013 14:52:39 GMT https://community.cisco.com/t5/network-security/no-traffic-on-ips-promiscuous/m-p/2065492#M54454 Volodymyr Morskyy 2013-01-02T14:52:39Z