How to correctly direct traffic from ASA To IPS and display reporting

AboudMokh
Level 1

I have an ASA-5512-IPS, and I configured the ASA to forward traffic to the IPS in inline mode, but I don't see anything in the IPS reports that indicates that traffic is passing. All reports are 0 in the IME software, which I suppose is not right. Is reporting in IPS/IME disabled by default? Do I have to enable it? How?

Can anyone help me get this right?

 

Here is my ASA configuration to direct traffic to the IPS:

class-map global-class
 match any
policy-map global_policy
 class global-class
  ips inline fail-open sensor vs0
service-policy global_policy global

 

Is there anything else I should do?

8 Replies

Marvin Rhoads
Hall of Fame

What does the module status show in "show module"?

ASA# sho module 

Mod  Card Type                                    Model              Serial No. 
---- -------------------------------------------- ------------------ -----------
   0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512            
 ips ASA 5512-X IPS Security Services Processor   ASA5512-IPS        
cxsc Unknown                                      N/A                FCH1804J3AE

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version     
---- --------------------------------- ------------ ------------ ---------------
   0 18e7.282e.f082 to 18e7.282e.f089  1.0          2.1(9)8      9.1(1)
 ips 18e7.282e.f080 to 18e7.282e.f080  N/A          N/A          7.1(3)E4
cxsc 18e7.282e.f080 to 18e7.282e.f080  N/A          N/A          

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips IPS                            Up               7.1(3)E4
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable        
 ips Up                 Up                    
cxsc Unresponsive       Not Applicable        

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Enabled         perpetual     

ASA# 

 

Hi,

I think this verifies that the IPS is up.

You should be able to see the packet count increment in the "show service-policy" output for the IPS policy if the ASA is redirecting packets to the IPS successfully.

I would suggest checking that output.

Thanks and Regards,

Vibhor Amrodia

Here is the output of this command. Yes, it is incrementing periodically, but I see no drops at all!

 

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 532, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 12, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 4, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 12, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 134, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sqlnet, packet 1381454, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: skinny , packet 4, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 8, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 8, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 16582, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: icmp, packet 78636, lock fail 0, drop 12, reset-drop 0, v6-fail-close 0
      Inspect: icmp error, packet 96, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
    Class-map: global-class
      IPS: card status Up, license status Enabled, mode inline fail-open, sensor vs0
        packet input 4405732, packet output 4405732, drop 0, reset-drop 30
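The check Vibhor describes is "take two captures of show service-policy and see whether the IPS counters move". As an added example (not code from the thread or from Cisco), here is a small Python script that parses the IPS class of two such captures, confirms the card and license status, and reports whether the ASA is actually handing packets to the sensor. The two captures are constructed to resemble the output posted above; the second one is a later snapshot in which the input/output counters and reset-drop have grown.

```python
import re

# Constructed sample captures of "show service-policy", modelled on the output
# posted in the thread (not the poster's own captures). T1 is a later capture
# in which only the IPS counters have changed.
SNAPSHOT_T0 = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: icmp, packet 78636, lock fail 0, drop 12, reset-drop 0, v6-fail-close 0
    Class-map: global-class
      IPS: card status Up, license status Enabled, mode inline fail-open, sensor vs0
        packet input 4405732, packet output 4405732, drop 0, reset-drop 30
"""

SNAPSHOT_T1 = SNAPSHOT_T0.replace(
    "packet input 4405732, packet output 4405732, drop 0, reset-drop 30",
    "packet input 4420732, packet output 4420732, drop 0, reset-drop 34",
)

# The status line and the counter line that follow "Class-map:" for an IPS action.
IPS_STATUS_RE = re.compile(
    r"IPS: card status (?P<card>\S+), license status (?P<license>\S+), "
    r"mode (?P<mode>inline|promiscuous) fail-(?P<fail>open|close), sensor (?P<sensor>\S+)"
)
IPS_COUNTERS_RE = re.compile(
    r"packet input (?P<input>\d+), packet output (?P<output>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<reset_drop>\d+)"
)


def parse_ips_policy(text):
    """Return the IPS status fields and counters from one show service-policy capture."""
    status = None
    for line in text.splitlines():
        m = IPS_STATUS_RE.search(line)
        if m:
            status = m.groupdict()
            continue
        if status is not None and "packet input" in line:
            c = IPS_COUNTERS_RE.search(line)
            if c:
                status.update({k: int(v) for k, v in c.groupdict().items()})
                return status
    raise ValueError("no IPS class with counters found in capture")


def check_redirection(before, after):
    """Compare two parsed captures and explain whether the ASA is feeding the sensor."""
    findings = []
    result = {"redirecting": False, "input_delta": 0, "drop_delta": 0,
              "reset_delta": 0, "findings": findings}

    # Health of the module itself: with fail-open a down card silently bypasses inspection.
    if after["card"] != "Up":
        effect = "bypasses" if after["fail"] == "open" else "is dropped by"
        findings.append(f"card status is {after['card']}: with fail-{after['fail']} "
                        f"traffic {effect} the IPS")
    if after["license"] != "Enabled":
        findings.append(f"IPS license status is {after['license']}")

    # Counters only move forward; a decrease means a reload or a cleared policy.
    if after["input"] < before["input"]:
        findings.append("counters went backwards (reload or clear service-policy?); "
                        "take a fresh pair of captures")
        return result

    result["input_delta"] = after["input"] - before["input"]
    result["drop_delta"] = after["drop"] - before["drop"]
    result["reset_delta"] = after["reset_drop"] - before["reset_drop"]

    if result["input_delta"] == 0:
        findings.append("no packets redirected between captures: check that the class-map "
                        "matches the traffic and that the service-policy is applied")
        return result

    result["redirecting"] = True
    findings.append(f"ASA redirected {result['input_delta']} packets to sensor "
                    f"{after['sensor']} ({after['mode']} fail-{after['fail']})")
    if result["drop_delta"] or result["reset_delta"]:
        findings.append(f"sensor acted on traffic ({result['drop_delta']} dropped, "
                        f"{result['reset_delta']} reset): events exist, so empty IME "
                        "reports point at event retrieval, not redirection")
    else:
        findings.append("sensor inspected traffic but denied nothing; empty reports may "
                        "simply mean no signature fired")
    return result


def diagnose(before_text, after_text):
    """Convenience wrapper: raw captures in, verdict out."""
    return check_redirection(parse_ips_policy(before_text), parse_ips_policy(after_text))


if __name__ == "__main__":
    for finding in diagnose(SNAPSHOT_T0, SNAPSHOT_T1)["findings"]:
        print("-", finding)
```

In practice you would paste two captures taken a minute or so apart; the script is deliberately strict about the counter direction so that a capture taken across a reload is not misread as "no traffic".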

Hi,

This isolates the issue to the IME. I don't think it is the redirection policy causing any issues.

You should check the IME; it might be some database corruption, etc., on the IME end.

Try basic troubleshooting like restarting the IME and its services, but after that I would suggest opening a TAC case.

Thanks and Regards,

Vibhor Amrodia

I tried two IME versions on two PCs, and it is all the same, so I don't know what it is.

Do you know of any other software for IPS reporting? By the way, I can't use ASDM for some reason; it always says "unable to load sensor".

AboudMokh
Level 1

I found the solution by coincidence: I changed the security level of the management interface on the ASA from 100 to 0, and suddenly all reports started to appear in IME. I don't know why; that's what happened.
