https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050985#M78236 <HTML><HEAD></HEAD><BODY><P>Thanks for the answer!</P><P></P><P>I have enabled alert sending for every signature that did something to the traffic. but nothing was triggered that denied any attackers.</P><P></P><P>I will use the commands you gave to further troubleshoot.</P><P></P><P>Do you know what could cause a 3737/0 signature with a calculated risk of 95% to droppedPacket, deniedFlow, tcpOneWayResetSent when in the signature actions is just alert and the VS0 should just drop packets when the risk is above 90 % ?</P><P></P><P>Thak you</P></BODY></HTML> Fri, 28 Nov 2008 15:55:09 GMT dragnia_s 2008-11-28T15:55:09Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050983#M78231 <P>Hello,</P><P></P><P>I recently installed a 4260 IPS sensor. It is used to inspect traffic between a ISA server and the LAN. The ISA is formed from 3 real servers in NLB. </P><P>Each server is connected to 2 switches through 4 cables 2 in each switch, one in the internet VLAN and one in the IPS VLAN.</P><P>For some reason when i inspect the traffic it blocks the ISA traffic. No signature seems to be triggered but the traffic from the ISA server stops.</P><P> When i capture packets on the vs0 sensor i don't see any traffic from the ISA server for 5 to 10 min and after that it starts again to function. </P><P> The IPS inspects on two redundant pairs traffic that travels from the LAN to the ISA.</P><P></P><P>The IPS versionn is 6.1 E2</P><P></P><P>Any ideeas on what is causing this?</P><P>Thank you!</P> Sun, 10 Mar 2019 11:23:40 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050983#M78231 dragnia_s 2019-03-10T11:23:40Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050984#M78233 <HTML><HEAD></HEAD><BODY><P>There are a number of signatures in the 13xx series which have actions of deny or modify packet inline without a produce alert action. It is possible these are firing (silently).</P><P></P><P>Have you tried looking at 'sh stat denied-attackers' to see if those IPs are being blocked? Also, you can look at 'sh stat virtual-sensor' in the "SigEvent Preliminary Stage Statistics" &amp; "SigEvent Action Override Stage Statistics" areas. Those will tell you which sigs are firing and which actions are being taken. Watch for "deny-packet-inline" &amp; "deny-attacker-inline" to increment.</P></BODY></HTML> Fri, 28 Nov 2008 15:06:21 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050984#M78233 attmidsteam 2008-11-28T15:06:21Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050985#M78236 <HTML><HEAD></HEAD><BODY><P>Thanks for the answer!</P><P></P><P>I have enabled alert sending for every signature that did something to the traffic. but nothing was triggered that denied any attackers.</P><P></P><P>I will use the commands you gave to further troubleshoot.</P><P></P><P>Do you know what could cause a 3737/0 signature with a calculated risk of 95% to droppedPacket, deniedFlow, tcpOneWayResetSent when in the signature actions is just alert and the VS0 should just drop packets when the risk is above 90 % ?</P><P></P><P>Thak you</P></BODY></HTML> Fri, 28 Nov 2008 15:55:09 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050985#M78236 dragnia_s 2008-11-28T15:55:09Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050986#M78240 <HTML><HEAD></HEAD><BODY><P>You are being hit with the default option of the the Event Action Override feature. It adds a 'Deny Packet Inline' action to any signature with a risk of 90-100. Type 'setup' on the sensor, do you see a section like this?</P><P></P><P>service event-action-rules rules0</P><P>overrides</P><P>override-item-status Enabled</P><P>risk-rating-range 90-100</P><P>exit</P></BODY></HTML> Fri, 28 Nov 2008 16:04:12 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050986#M78240 attmidsteam 2008-11-28T16:04:12Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050987#M78243 <HTML><HEAD></HEAD><BODY><P>Yes,</P><P></P><P>the event action override feature is on. But it should just dey packet inline not do a tcpOneWayResetSent or does deny packet inline will trigger all of these actions droppedPacket, deniedFlow, tcpOneWayResetSent.</P><P></P><P>I added an exception for this rule for any attacker that tries this attack on the ISA IP but it didn't help.</P><P></P><P>Is 'setup' the right command to view this? I mostly use the IDM and it shows the event action overide for risk rating above 90% to drop.</P><P></P><P></P></BODY></HTML> Fri, 28 Nov 2008 16:28:49 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050987#M78243 dragnia_s 2008-11-28T16:28:49Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050988#M78248 <HTML><HEAD></HEAD><BODY><P>I can't help you with IDM as we usually use CSM to manage our sensors (many hundreds). You could disable the event action override and see what happens.</P><P></P><P>(via CLI)</P><P>conf t</P><P>service event-action-rules rules0</P><P>overrides deny-packet-inline</P><P>override-item-status Disabled</P><P>exit</P><P>exit</P><P>(yes)</P><P>exit</P></BODY></HTML> Fri, 28 Nov 2008 16:41:00 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050988#M78248 attmidsteam 2008-11-28T16:41:00Z https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050989#M78252 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>i figured it out, </P><P>the traffic was asymmetric, the same packets were entering on the diffrent pairs because of the Spanning Tree but the ISA was answering just once,</P><P></P><P>This happened when the evasion protection mode was set as strict:</P><P>strict-If a packet is missed for any reason, all packets after the missed packet are not</P><P>processed</P><P></P><P>I configured the sensor to expect asymmetric traffic, not strict</P><P></P><P>service analysis-engine</P><P>virtual-sensor vs0</P><P>inline-TCP-evasion-protection-mode asymmetric</P><P></P><P>and everything worked fine.</P><P>Because the ISA was configured in NLB broadcast mode we couldnt stop the packets from being doubled and sent to the second pair. So finaly I redesigned the network and only one pair is used.</P><P></P><P>thanks for the help!</P><P></P><P></P></BODY></HTML> Thu, 11 Dec 2008 09:05:13 GMT https://community.cisco.com/t5/network-security/ips-sensor-4260-blocking-isa-trafiic/m-p/1050989#M78252 dragnia_s 2008-12-11T09:05:13Z