Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1014
Views
11
Helpful
8
Replies

IPS don't see any traffic

Adam David
Level 1
Level 1

‎06-20-2011 12:14 AM - edited ‎03-10-2019 05:22 AM

Hi all,

I’ve configured IPS module in Cisco ASA firewall, unfortunately for unknown reason, I can’t see any network traffic hit the IPS.

I can see the number of packet is increase by issuing “show interface” command, but there is no traffic hit the IPS when I issue “show statistics analysis-engine” command. 

IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received
   Total Packets Received = 107449498
IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received
   Total Packets Received = 107449511
IPS-A# sh stat analysis-engine 
Analysis Engine Statistics
   Number of seconds since service started = 13836300
   The rate of TCP connections tracked per second = 0
   The rate of packets per second = 0
   The rate of bytes per second = 0
   Receiver Statistics
      Total number of packets processed since reset = 0
      Total number of IP packets processed since reset = 0
   Transmitter Statistics
      Total number of packets transmitted = 0
      Total number of packets denied = 0
      Total number of packets reset = 0
   Fragment Reassembly Unit Statistics
      Number of fragments currently in FRU = 0
      Number of datagrams currently in FRU = 0
   TCP Stream Reassembly Unit Statistics
      TCP streams currently in the embryonic state = 0
      TCP streams currently in the established state = 0
      TCP streams currently in the closing state = 0
      TCP streams currently in the system = 0
      TCP Packets currently queued for reassembly = 0
   The Signature Database Statistics.
      Total nodes active = 0
      TCP nodes keyed on both IP addresses and both ports = 0
      UDP nodes keyed on both IP addresses and both ports = 0
      IP nodes keyed on both IP addresses = 0
   Statistics for Signature Events
      Number of SigEvents since reset = 0
   Statistics for Actions executed on a SigEvent
      Number of Alerts written to the IdsEventStore = 0
   Inspection Stats

Please let me know if you need to know more info.

Any advise would be appreciated, thanks.

Labels:
0 Helpful
8 Replies 8

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-20-2011 12:19 AM

Please check on the IPS itself that you have enabled the Virtual Sensor. It is not enabled by default, and you have to enable it.

Adam David
Level 1
Level 1
In response to Jennifer Halim

‎06-20-2011 02:11 AM

Thanks Jennifer for your prompt reply. I've checked on CSM > Virtual Sensors and found that it already has been assigned to GigabitEthernet0/1 interface.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Adam David

‎06-20-2011 05:04 AM

can you also check if under Interface Configuration --> Interfaces --> GigabitEthernet0/1 has also been enabled as well.

Adam David
Level 1
Level 1
In response to Jennifer Halim

‎06-20-2011 08:56 PM

I've checked both and confirmed that GigabitEthernet0/1 has been assigned to the IPS. Attached is the screenshot for your reference. Is there anything else I can do to fix this? Thanks

Interfaces

Virtual Sensors

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Adam David

‎06-20-2011 10:37 PM

Hmm, that looks like it has been correctly configured.

Can you please share a copy of "show run" from the ASA, and also "show tech" from the AIP module. Thanks.

0 Helpful

Dustin Ralich
Cisco Employee
Cisco Employee
In response to Adam David

‎06-21-2011 06:32 AM 

I've checked both and confirmed that GigabitEthernet0/1 has been assigned to the IPS. Attached is the screenshot for your reference. Is there anything else I can do to fix this?

After making this change in CSM, have you submitted and deployed it to the sensor? If not, go ahead and Submit and Deploy, then confirm whether the issue remains.

As Jennifer noted, a 'show tech' command output from the sensor can help confirm this (it will include a 'show stat virtual' command output which will indicate if the sensing interface is in-fact assigned on the live sensor).

Finally, is this AIP-SSM sensor module installed in a standalone ASA or an Active/Standby failover pair? If the latter, then you'll want to ensure that you are working on the module installed in the Active ASA (the AIP-SSM sensor modules do not currently replicate/synchronize their configuration like the ASAs do, and must each be configured).

0 Helpful

agent2007
Level 1
Level 1
In response to Dustin Ralich

‎06-29-2011 06:41 AM

Hi Jenifer,

I have an ssc-5 in an asa 5505 and looks like its not assigned the default sensor.  can you please tell me where I change this please

0 Helpful

agent2007
Level 1
Level 1

‎06-29-2011 06:51 AM

its OK I got it :-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card