topic Re: S246 caused sensor to stop passing traffic in Network Security

S246 caused sensor to stop passing traffic

jshelmer — Sun, 10 Mar 2019 10:11:05 GMT

I applied S246 to AIP-SSM-10's this evening. The AIP-SSM-10's are running 5.1(2). The update said it was successful, but after it completed it caused all traffic going through the sensor to drop. I've stopped sending traffic through the sensor from the ASA, but what's the next step?

sh ver tell me that MainApp and AnalysisEngine are Running. What's the next step to troubleshoot?

Re: S246 caused sensor to stop passing traffic

ssnapp — Thu, 24 Aug 2006 13:45:53 GMT

The first thing to do is log into the CLI and look at output from "show int" to see if any traffic is getting to the sensor. Specifically look for Total Packets Received from the sensing interface. Then look at "show stat virt" to see if any traffic is getting into the virtual sensor.

It is also possible you didn't wait long enough for the sig update to complete. It could take a while to rebuild certain cache files even after reporting a successful update, and during that time the sensor would not be passing any traffic.

If you can't determine what is going on from the "show int" and "show stat virt", your best bet is to collect a "show tech" from both the ASA and the SSM module and open a TAC case so that the support engineers can look at it.

Re: S246 caused sensor to stop passing traffic

jshelmer — Thu, 24 Aug 2006 18:18:05 GMT

Thanks for the pointers. It appears that traffic is getting to the sensor interface, but is getting marked as errors.

kssnchqips2# sh int gigabitEthernet0/1

MAC statistics from interface GigabitEthernet0/1

Interface function = Sensing interface

Description =

Media Type = backplane

Missed Packet Percentage = 100

Inline Mode = Unpaired

Pair Status = N/A

Link Status = Up

Link Speed = Auto_1000

Link Duplex = Auto_Full

Total Packets Received = 1054106281

Total Bytes Received = 1025753691656

Total Multicast Packets Received = 0

Total Broadcast Packets Received = 0

Total Jumbo Packets Received = 0

Total Undersize Packets Received = 0

Total Receive Errors = 3934

Total Receive FIFO Overruns = 57

Total Packets Transmitted = 1054104717

Total Bytes Transmitted = 1025753383141

Total Multicast Packets Transmitted = 0

Total Broadcast Packets Transmitted = 0

Total Jumbo Packets Transmitted = 0

Total Undersize Packets Transmitted = 0

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0

kssnchqips2#

The "Total Packets Received" counter is not incrementing.

But the "Total Bytes Received" counter is going up.

The "Total Receive Errors" also increment with each packet I send to the IPS.

Re: S246 caused sensor to stop passing traffic

ssnapp — Thu, 24 Aug 2006 20:23:11 GMT

The only time I have seen something like this after a sig update was when the service account was used to ifconfig up the sensing interface in order to use tcpdump directly on the sensing interface.

Please get a "show tech" from the sensor and open a TAC case. Have the TAC engineer escalate this to IPS development so we can look at the information.

After getting a show tech, can you reset (reboot) the sensor to reload the interface drivers and see if this resolves it?

Re: S246 caused sensor to stop passing traffic

jshelmer — Fri, 25 Aug 2006 13:33:42 GMT

Thank you.

The "sh tech" has been attached to case 604241911.