topic IPS don't see any traffic in Network Security

IPS don't see any traffic

Adam David — Sun, 10 Mar 2019 12:22:53 GMT

Hi all,

I’ve configured IPS module in Cisco ASA firewall, unfortunately for unknown reason, I can’t see any network traffic hit the IPS.

I can see the number of packet is increase by issuing “show interface” command, but there is no traffic hit the IPS when I issue “show statistics analysis-engine” command.

IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received

Total Packets Received = 107449498

IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received

Total Packets Received = 107449511

IPS-A# sh stat analysis-engine 
Analysis Engine Statistics
   Number of seconds since service started = 13836300
   The rate of TCP connections tracked per second = 0
   The rate of packets per second = 0
   The rate of bytes per second = 0
   Receiver Statistics
      Total number of packets processed since reset = 0
      Total number of IP packets processed since reset = 0
   Transmitter Statistics
      Total number of packets transmitted = 0
      Total number of packets denied = 0
      Total number of packets reset = 0
   Fragment Reassembly Unit Statistics
      Number of fragments currently in FRU = 0
      Number of datagrams currently in FRU = 0
   TCP Stream Reassembly Unit Statistics
      TCP streams currently in the embryonic state = 0
      TCP streams currently in the established state = 0
      TCP streams currently in the closing state = 0
      TCP streams currently in the system = 0
      TCP Packets currently queued for reassembly = 0
   The Signature Database Statistics.
      Total nodes active = 0
      TCP nodes keyed on both IP addresses and both ports = 0
      UDP nodes keyed on both IP addresses and both ports = 0
      IP nodes keyed on both IP addresses = 0
   Statistics for Signature Events
      Number of SigEvents since reset = 0
   Statistics for Actions executed on a SigEvent
      Number of Alerts written to the IdsEventStore = 0
   Inspection Stats

Please let me know if you need to know more info.

Any advise would be appreciated, thanks.

IPS don't see any traffic

Jennifer Halim — Mon, 20 Jun 2011 07:19:06 GMT

Please check on the IPS itself that you have enabled the Virtual Sensor. It is not enabled by default, and you have to enable it.

IPS don't see any traffic

Adam David — Mon, 20 Jun 2011 09:11:42 GMT

Thanks Jennifer for your prompt reply. I've checked on CSM > Virtual Sensors and found that it already has been assigned to GigabitEthernet0/1 interface.

IPS don't see any traffic

Jennifer Halim — Mon, 20 Jun 2011 12:04:16 GMT

can you also check if under Interface Configuration --> Interfaces --> GigabitEthernet0/1 has also been enabled as well.

IPS don't see any traffic

Adam David — Tue, 21 Jun 2011 03:56:36 GMT

I've checked both and confirmed that GigabitEthernet0/1 has been assigned to the IPS. Attached is the screenshot for your reference. Is there anything else I can do to fix this? Thanks

Interfaces

Virtual Sensors

IPS don't see any traffic

Jennifer Halim — Tue, 21 Jun 2011 05:37:14 GMT

Hmm, that looks like it has been correctly configured.

Can you please share a copy of "show run" from the ASA, and also "show tech" from the AIP module. Thanks.

Re: IPS don't see any traffic

Dustin Ralich — Tue, 21 Jun 2011 13:32:46 GMT

I've checked both and confirmed that GigabitEthernet0/1 has been assigned to the IPS. Attached is the screenshot for your reference. Is there anything else I can do to fix this?

After making this change in CSM, have you submitted and deployed it to the sensor? If not, go ahead and Submit and Deploy, then confirm whether the issue remains.

As Jennifer noted, a 'show tech' command output from the sensor can help confirm this (it will include a 'show stat virtual' command output which will indicate if the sensing interface is in-fact assigned on the live sensor).

Finally, is this AIP-SSM sensor module installed in a standalone ASA or an Active/Standby failover pair? If the latter, then you'll want to ensure that you are working on the module installed in the Active ASA (the AIP-SSM sensor modules do not currently replicate/synchronize their configuration like the ASAs do, and must each be configured).

IPS don't see any traffic

agent2007 — Wed, 29 Jun 2011 13:41:14 GMT

Hi Jenifer,

I have an ssc-5 in an asa 5505 and looks like its not assigned the default sensor. can you please tell me where I change this please

IPS don't see any traffic

agent2007 — Wed, 29 Jun 2011 13:51:09 GMT

its OK I got it 🙂