04-26-2015 05:21 AM - edited 03-11-2019 10:50 PM
I have an ASA-5512-IPS, and I configured the ASA to forward traffic to the IPS in inline mode, but I don't see anything in the IPS reports that indicates that there is traffic passing. All reports are 0 in the IME software, which is not right, I suppose. Is reporting in IPS/IME disabled by default? Do I have to enable it? How?
Can anyone help me get this right?
Here is my ASA configuration to direct traffic to the IPS:
class-map global-class
 match any
policy-map global_policy
 class global-class
  ips inline fail-open sensor vs0
Service-policy global_policy global
Is there anything else I should do?
04-26-2015 07:06 AM
What does the module status show in "show module"?
04-26-2015 11:54 PM
ASA# sho module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512
ips ASA 5512-X IPS Security Services Processor ASA5512-IPS
cxsc Unknown N/A FCH1804J3AE
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 18e7.282e.f082 to 18e7.282e.f089 1.0 2.1(9)8 9.1(1)
ips 18e7.282e.f080 to 18e7.282e.f080 N/A N/A 7.1(3)E4
cxsc 18e7.282e.f080 to 18e7.282e.f080 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips IPS Up 7.1(3)E4
cxsc Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Up Up
cxsc Unresponsive Not Applicable
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Enabled perpetual
ASA#
04-27-2015 04:17 AM
Hi,
I think this verifies that the IPS is UP.
You should be able to see the packet count increment in the "show service-policy" output for the IPS policy if the ASA device is redirecting the packets successfully to the IPS.
I would suggest checking that output.
Thanks and Regards,
Vibhor Amrodia
04-28-2015 04:08 AM
Here is the output of this command, and yes, it is incrementing periodically, but I see no drops at all!!!
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 532, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 12, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 4, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 12, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 134, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sqlnet, packet 1381454, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: skinny , packet 4, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 8, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 8, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 16582, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: icmp, packet 78636, lock fail 0, drop 12, reset-drop 0, v6-fail-close 0
Inspect: icmp error, packet 96, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
Class-map: global-class
IPS: card status Up, license status Enabled, mode inline fail-open, sensor vs0
packet input 4405732, packet output 4405732, drop 0, reset-drop 30
04-28-2015 05:53 AM
Hi,
This isolates the issue on the IME. I don't think it is the redirection policy causing any issues.
You should check the IME; it might be some database corruption, etc., on the IME end.
Try the basic troubleshooting, like restarting the IME and services, but after that I would suggest going for a TAC case.
Thanks and Regards,
Vibhor Amrodia
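Added example (not part of the thread or any poster's code): a Python sketch of the check discussed in the replies above, parsing the IPS class of "show service-policy" and comparing two snapshots to confirm the counters increment. The sample text is constructed from the output posted above; the second snapshot's counter value and the function names are assumptions.

```python
import re

# Constructed sample: the IPS class from the thread's "show service-policy" output.
SNAPSHOT_1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: icmp, packet 78636, lock fail 0, drop 12, reset-drop 0, v6-fail-close 0
    Class-map: global-class
      IPS: card status Up, license status Enabled, mode inline fail-open, sensor vs0
        packet input 4405732, packet output 4405732, drop 0, reset-drop 30
"""
# Constructed second snapshot (counter value invented for the example).
SNAPSHOT_2 = SNAPSHOT_1.replace("4405732", "4409001")

IPS_RE = re.compile(
    r"Class-map:\s*(?P<cls>\S+)\s*\n\s*IPS: card status (?P<card>[^,]+), "
    r"license status (?P<lic>[^,]+), mode (?P<mode>[^,]+), sensor (?P<sensor>\S+)\s*\n"
    r"\s*packet input (?P<pin>\d+), packet output (?P<pout>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<rdrop>\d+)")

def parse_ips(text):
    """Return {class-map name: IPS status and counters} for classes with an IPS action."""
    out = {}
    for m in IPS_RE.finditer(text):
        d = m.groupdict()
        cls = d.pop("cls")
        out[cls] = {k: int(v) if v.isdigit() else v.strip() for k, v in d.items()}
    return out

def check_redirection(before, after):
    """Compare two snapshots taken some time apart; return a list of findings."""
    findings = []
    old, new = parse_ips(before), parse_ips(after)
    for cls, cur in new.items():
        if cur["card"] != "Up" or cur["lic"] != "Enabled":
            findings.append(f"{cls}: module {cur['card']}/{cur['lic']}; "
                            f"'{cur['mode']}' decides whether traffic still passes")
        delta = cur["pin"] - old.get(cls, {}).get("pin", 0)
        if delta <= 0:
            findings.append(f"{cls}: packet input not incrementing, nothing reaches the IPS")
        if cur["pin"] != cur["pout"]:
            findings.append(f"{cls}: input and output counters differ by {cur['pin'] - cur['pout']}")
    return findings or ["redirection OK: counters incrementing, input == output"]

if __name__ == "__main__":
    print(parse_ips(SNAPSHOT_2))
    print(check_redirection(SNAPSHOT_1, SNAPSHOT_2))
```

A clean result here only shows that the ASA is handing packets to the module; it says nothing about whether the reporting tool can retrieve events from the sensor.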
04-28-2015 11:56 AM
I tried two IME versions on two PCs and it is all the same, so I don't know what it is.
Do you know any other software for IPS reporting? And btw, I can't use ASDM for some reason. It always says unable to load sensor.
05-08-2015 02:51 AM
I found the solution by coincidence: I changed the security level of the management interface on the ASA from 100 to 0, and suddenly all reports started to appear in IME. I don't know why; this is what happened.