AIP-SSM card not processing events from ASA

snowmizer
Level 1

I'm trying to set up the AIP-SSM-10 card in my ASA 5510 at my DR site. I have set up the inspection policy and ACLs to redirect traffic to the AIP-SSM from my ASA. When I do a "show access-list", my hit count is growing. This tells me that my ASA is sending events. After this I also ran "setup" on my AIP-SSM and set it up for monitoring. Everything matches the setup of my IPS module in my ASA at our home office (which is working fine).

Everything appeared to be good... I can log in and manage the module. However, when I look at the sensor health it shows critical because the "event retrieval" shows that no events have been retrieved from my ASA. When I look in "monitoring" on my IPS module there aren't any events listed that would pertain to actual alerts from the IPS. The only things listed are errors from before I got stuff set up on the module.

When I run "show statistics event-server" it says "event-server disabled". I have a feeling this has something to do with my issue. What am I missing to get my IPS module to start processing events?

Thanks.
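The redirection the poster describes (an ACL, a class-map, and an "ips" action in the global policy) looks like the following on an ASA. This is an added illustration, not the poster's actual configuration or anything taken from the thread; the names IPS_TRAFFIC and IPS_CLASS are assumptions, global_policy is the ASA's default policy-map name, and the module is assumed to be in slot 1 with its virtual sensor vs0 bound to the backplane interface during "setup". The verification commands at the end are the checks a practitioner would run on each side to confirm packets, not just ACL hits, are reaching the sensor.

```cisco
! ASA side: select the traffic to hand to the AIP-SSM.
! Names IPS_TRAFFIC and IPS_CLASS are hypothetical; adjust the ACL to the
! traffic you actually want inspected.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! "inline" puts the module in the forwarding path so it can drop packets;
  ! "promiscuous" only sends it a copy.
  ! "fail-close" drops matching traffic if the module is down or not yet up;
  ! "fail-open" lets that traffic through uninspected, which is the setting
  ! most worked examples show and the one to think twice about at a DR site.
  ips inline fail-close
!
service-policy global_policy global
!
! Verification on the ASA:
!   hit counts on the ACL should keep rising
show access-list IPS_TRAFFIC
!   the IPS class shows the module state plus packet input/output/drop counters
show service-policy
!   the SSM itself should report status Up with its management IP and version
show module 1 details
!
! Verification on the sensor ("session 1" from the ASA, or SSH to the
! sensor's management IP):
!   packets processed by vs0 should be non-zero if the ASA is really sending
show statistics virtual-sensor
show statistics analysis-engine
!   alerts fired in the last ten minutes, if any signatures matched
show events alert past 00:10:00
```

If "show service-policy" shows packets being handed to the module but "show statistics virtual-sensor" stays at zero, the backplane interface was not assigned to the virtual sensor during "setup"; if both counters climb but no alerts appear, the sensor is inspecting and simply has nothing to report for that traffic.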

3 Replies

Aastha Chaudhary
Cisco Employee

Hi,

The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as IME. As far as the event retrieval status showing RED is concerned, this simply means that no outside software has been configured to pull events off of the sensor for archiving purposes. To correct this, either you can disable the event retrieval policy if you are not doing external event monitoring, or you'll need to configure such software. While there are 3rd-party offerings to retrieve events using the SDEE protocol, Cisco offers a free product for small deployments called IPS Manager Express, or just "IME":

http://www.cisco.com/cisco/software/release.html?mdfid=282052550&catid=268438162&softwareid=282829584

(grab the 7.1.1 version)

You'll want to install this software on a dedicated machine that's never shut off and has network connectivity to the sensor management IP. When you launch the application you'll need to add the sensor (which just involves defining some basic parameters like IP/user/pass) and then the IME software will begin retrieving events from the sensor. Once the IME software successfully connects, the alert you're seeing on the sensor should go away. The IME software has a help option in the menu containing the documentation on how to use it. You can also reference the following documentation:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/imeguide.html

Hope this helps.

Thanks,
Aastha

We were able to get this resolved. We modified the ACLs allowing traffic out of our firewall and then we weren't seeing any events. Turns out that everything was working properly. The problem was that we aren't seeing as many attacks come into our DR firewall as we are on our production firewall because our ISP filters traffic.

Thanks for the help.

Thanks for your response. Glad to know that the issue is resolved.

Cheers,
Aastha
