https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692125#M87205 <HTML><HEAD></HEAD><BODY><P>try connecting with telnet instead of 3-des. Sometimes ARC gets confused with 3-des connect problems and reports an incorrect error. If telnet will work, then we can work on getting the 3-des working. Speaking of 3-des, you did log into the cli, conf t and ssh host 205.170.225.249 command right? That is necessary to get the key so ARC can connect to the router</P></BODY></HTML> Tue, 20 Mar 2007 16:08:03 GMT jlively 2007-03-20T16:08:03Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692120#M87200 <P>I have setup my IDS to manage a router. I have gone through the steps to configure this router through the IDM. I have setup the login profiles, blocking device, and both pre-block and post block ACL. But I get an error on the IDM when looking through the events when it tries to complete a block. The error msg. is " Unable to execute a host block timeout - no blocking interfaces are configured"</P><P></P><P>I am not sure why I am getting this error msg. I think I have gone through all of the cofiguration steps correctly. </P><P></P><P>Thanks for any info. </P><P></P> Sun, 10 Mar 2019 10:31:27 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692120#M87200 siscisco05 2019-03-10T10:31:27Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692121#M87201 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In your 'sh config' output from CLI, does it list the 'block-interfaces <INTERFACE> in'?</INTERFACE></P><P></P><P>Here is the sample example.</P><P></P><P></P><P>user-profiles cisco</P><P>enable-password cisco</P><P>password cisco</P><P>username cisco</P><P>exit</P><P>router-devices 192.168.1.1</P><P>communication telnet</P><P>profile-name cisco</P><P>block-interfaces fastethernet0/0 in</P><P>exit</P><P>response-capabilities block</P><P>exit</P><P></P><P></P><P>Thank you.</P><P></P><P></P><P></P><P>Edward</P></BODY></HTML> Tue, 20 Mar 2007 14:36:39 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692121#M87201 edwakim 2007-03-20T14:36:39Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692122#M87202 <HTML><HEAD></HEAD><BODY><P>After you added the pre/post acl names, and the blocking interfae name under the Router Blocking Decive Interface tab, did you apply the settings. In the cli, you can either do a show conf or a show stat net (see below) to verify.</P><P></P><P>qsensor-xxx# sh stat net</P><P>Current Configuration</P><P> LogAllBlockEventsAndSensors = true</P><P> EnableNvramWrite = false</P><P> EnableAclLogging = false</P><P> AllowSensorBlock = false</P><P> BlockMaxEntries = 250</P><P> MaxDeviceInterfaces = 250</P><P> NetDevice</P><P> Type = Cisco</P><P> IP = 1.2.3.4</P><P> NATAddr = 0.0.0.0</P><P> Communications = telnet</P><P> ResponseCapabilities = block</P><P> BlockInterface</P><P> InterfaceName = ethernet1</P><P> InterfaceDirection = in</P><P> InterfacePreBlock = pre_acl_name</P><P> InterfacePostBlock = post_acl_name</P><P></P></BODY></HTML> Tue, 20 Mar 2007 14:54:39 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692122#M87202 jlively 2007-03-20T14:54:39Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692123#M87203 <HTML><HEAD></HEAD><BODY><P>here is my sh config output:</P><P></P><P>username admin</P><P>exit</P><P>router-devices 205.170.225.249</P><P>communication ssh-3des</P><P>profile-name mainrouter</P><P>block-interfaces FastEthernet0/0 in</P><P>pre-acl-name Pre-Block</P><P>post-acl-name Post-Block</P><P>exit</P><P>response-capabilities block</P><P>exit</P><P></P></BODY></HTML> Tue, 20 Mar 2007 15:06:51 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692123#M87203 siscisco05 2007-03-20T15:06:51Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692124#M87204 <HTML><HEAD></HEAD><BODY><P>ids# show stat net</P><P>Current Configuration</P><P> LogAllBlockEventsAndSensors = true</P><P> EnableNvramWrite = false</P><P> EnableAclLogging = true</P><P> AllowSensorBlock = false</P><P> BlockMaxEntries = 250</P><P> MaxDeviceInterfaces = 250</P><P> NetDevice</P><P> Type = Cisco</P><P> IP = 205.170.225.249</P><P> NATAddr = 0.0.0.0</P><P> Communications = ssh-3des</P><P> ResponseCapabilities = block</P><P> BlockInterface</P><P> InterfaceName = FastEthernet0/0</P><P> InterfaceDirection = in</P><P> InterfacePreBlock = Pre-Block</P><P> InterfacePostBlock = Post-Block</P><P></P></BODY></HTML> Tue, 20 Mar 2007 15:09:00 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692124#M87204 siscisco05 2007-03-20T15:09:00Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692125#M87205 <HTML><HEAD></HEAD><BODY><P>try connecting with telnet instead of 3-des. Sometimes ARC gets confused with 3-des connect problems and reports an incorrect error. If telnet will work, then we can work on getting the 3-des working. Speaking of 3-des, you did log into the cli, conf t and ssh host 205.170.225.249 command right? That is necessary to get the key so ARC can connect to the router</P></BODY></HTML> Tue, 20 Mar 2007 16:08:03 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692125#M87205 jlively 2007-03-20T16:08:03Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692126#M87206 <HTML><HEAD></HEAD><BODY><P>Ok I have changed the communication from 3-des to telnet. Do you know of an internal test that I can do to make sure the error msg. has been fixed?</P><P></P><P>Also, I did create a key for the 3-des.</P><P></P><P>Thanks for the help.</P></BODY></HTML> Tue, 20 Mar 2007 17:16:30 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692126#M87206 siscisco05 2007-03-20T17:16:30Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692127#M87207 <HTML><HEAD></HEAD><BODY><P>In IDM under the monitoring tab, there is a place to add manual blocks. If you monitor with the cli as you add the block with IDM, you should see the action takes place. You can also look on the router and see if ARC built and attached an acl to the interface. Since you specified a pre/post acl, the one ARC created should look like:</P><P>sensor ip address</P><P>contents of pre-acl</P><P>active blocks</P><P>contents of post acl</P><P></P><P>Make sure your post acl has "permit ip any any" as the last line.</P></BODY></HTML> Tue, 20 Mar 2007 18:04:53 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692127#M87207 jlively 2007-03-20T18:04:53Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692128#M87208 <HTML><HEAD></HEAD><BODY><P>when I tried to add a manual block, in the event log through the IDM I still receive the error msg. "Unable to execute a net block <IP> on <ROUTER ip=""> because no blocking interfaces are configured" </ROUTER></IP></P><P>"Unable to execute a net block <IP> because blocking is not configured"</IP></P><P></P><P>Which interfaces are they talking about the IDS interface or the router interfaces?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 20 Mar 2007 19:31:38 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692128#M87208 siscisco05 2007-03-20T19:31:38Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692129#M87209 <HTML><HEAD></HEAD><BODY><P>Let's back up. Let's try this at it's most basic. First, does your router support ip access-list extended command ? 2. What version software are you running on the sensor? 3. Try removing the pre and post acls from the sensor config using idm (leave them on the router). 4. Is this the only device you are connecting to? (There are other issues that sometimes occur if you are managing a pix and a router.) </P></BODY></HTML> Tue, 20 Mar 2007 20:47:15 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692129#M87209 jlively 2007-03-20T20:47:15Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692130#M87210 <HTML><HEAD></HEAD><BODY><P>1. the router does support Ip access-list extended.</P><P></P><P>2. software version - 6.0(1)</P><P></P><P>3. I have removed the pre and post acls through the idm, kept them on the router.</P><P></P><P>4.This is the only device . </P><P></P><P>Thanks for your help</P><P></P></BODY></HTML> Tue, 20 Mar 2007 22:34:36 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692130#M87210 siscisco05 2007-03-20T22:34:36Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692131#M87211 <HTML><HEAD></HEAD><BODY><P>Any change in stats messages? Can you post your full show stat net output? If is not working, the next thing we need to try is a packet capture of the traffic between the sensor and the router so I can figure out where things are breaking down. </P></BODY></HTML> Wed, 21 Mar 2007 20:03:00 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692131#M87211 jlively 2007-03-21T20:03:00Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692132#M87212 <HTML><HEAD></HEAD><BODY><P>ids# show stat net</P><P>Current Configuration</P><P> LogAllBlockEventsAndSensors = true</P><P> EnableNvramWrite = false</P><P> EnableAclLogging = true</P><P> AllowSensorBlock = false</P><P> BlockMaxEntries = 250</P><P> MaxDeviceInterfaces = 250</P><P> NetDevice</P><P> Type = Cisco</P><P> IP = 205.170.225.249</P><P> NATAddr = 0.0.0.0</P><P> Communications = telnet</P><P> ResponseCapabilities = block</P><P> BlockInterface</P><P> InterfaceName = FastEthernet0/0</P><P> InterfaceDirection = in</P><P>State</P><P> BlockEnable = true</P><P> NetDevice</P><P> IP = 205.170.225.249</P><P> AclSupport = uses Named ACLs</P><P> Version = 0</P><P> State = Inactive</P><P></P><P>I never noticed this before, it says the state is Inactive. How do you change it to actvie.</P><P></P><P></P><P></P></BODY></HTML> Wed, 21 Mar 2007 22:12:52 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692132#M87212 siscisco05 2007-03-21T22:12:52Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692133#M87213 <HTML><HEAD></HEAD><BODY><P>It will be inactive until we get the interface issue resolved. Can you send me a packet capture of the arc traffic? </P><P>have 2 cli sessions open.</P><P>in the first session:</P><P>conf t</P><P>serv net</P><P>gen</P><P>block-enable false</P><P>exit</P><P>exit</P><P>save changes yes (this stops arc)</P><P></P><P>now start the packet capture in the other window:</P><P>packet capture <MANAGEMENT interface="" name=""> snaplen 1600 expr host 205.170.225.249</MANAGEMENT></P><P>this will start capturing traffic going to the router you are trying to manage. Now start arc back up in the other window.</P><P></P><P>conf t</P><P>serv net</P><P>gen</P><P>block-enable true</P><P>exit</P><P>exit</P><P>yes ( will start it back up ). </P><P></P><P>Wait for a couple minutes, then do a ctrl c on the packet capture.</P><P> use the copy the command to send the packet capture file to a remote machine.</P><P></P><P>email me the file (<A href="mailto:jlively@cisco.com">jlively@cisco.com</A>)</P><P></P></BODY></HTML> Thu, 22 Mar 2007 14:36:34 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692133#M87213 jlively 2007-03-22T14:36:34Z https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692134#M87214 <HTML><HEAD></HEAD><BODY><P>Thanks for your help, this issue has been solved. I found out that telnet was disabled on the router. Also had to open the ports on the firewall. I am now able to block. </P><P></P><P>Thanks for all of your help. </P></BODY></HTML> Thu, 22 Mar 2007 17:57:40 GMT https://community.cisco.com/t5/network-security/blocking-error-msg/m-p/692134#M87214 siscisco05 2007-03-22T17:57:40Z