11-05-2012 05:23 AM - edited 03-10-2019 05:48 AM
Hi,
I have a 5545X with a 5545-IPS module. It is up and updating signatures, but there are no packets checked on it. On the sensor side I'm confused that the hardware/software version is shown as N/A. ASA config:
access-list test extended permit ip interface outside any
class-map test-class
 match access-list test
policy-map global_policy
 class test-class
  ips promiscuous fail-open sensor vs0
service-policy global_policy global
All show statistics commands (engine, host, etc.) on the IPS show 0 input packets, so it seems traffic is not passed to the IPS from the ASA. The global policy output on the ASA shows the same:
Global policy:
  Service-policy: global_policy
    Class-map: test-class
      IPS: card status UP, license status Enabled, mode promiscuous fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0
What can prevent the global policy from doing its job?
Thanks
11-05-2012 09:12 PM
On the IPS side, is the PortChannel assigned to vs0?
service analysis-engine
 virtual-sensor vs0
  physical-interface PortChannel0/0
  exit
 exit
Regards,
Sawan Gupta
11-06-2012 01:22 AM
Hi Sawan,
It is assigned. I have no idea why nothing is matched with my policy, and even access-list shows 0 packet counts.
regards,
Volodymyr
11-06-2012 04:43 AM
You could use the following sample config on the ASA:
class-map all-traffic-class
 match access-list all-traffic
policy-map pro-fail-open
 class all-traffic-class
  ips promiscuous fail-open
  set connection advanced-options tmap
service-policy pro-fail-open global
Regards,
Sawan Gupta
11-06-2012 05:27 AM
Hi,
Can you show access-list all-traffic?
Thanks
01-02-2013 06:52 AM
Seems like you cannot use interface names in the config, and networks should be specified.
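As an added example (not code from the thread), a small Python linter for the mistake identified above: it parses an ASA-style policy snippet and flags any class with an ips action whose ACL uses the interface keyword, which in an ASA ACE denotes the interface's own address rather than transit traffic. The BROKEN snippet is reconstructed from the original post; the FIXED variant and its 192.0.2.0/24 network are placeholders.

```python
import re
ACE_RE = re.compile(r"^access-list (\S+) extended (.+)$")

def parse_asa(config):
    """Return (acls, classmaps, policies) from a flat ASA config text."""
    acls, classmaps, policies = {}, {}, {}
    ctx = None  # ("cm", name) or ("pm", name, class) while inside a block
    for line in filter(None, map(str.strip, config.splitlines())):
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith("class-map "):
            ctx = ("cm", line.split()[1])
        elif line.startswith("policy-map "):
            ctx = ("pm", line.split()[1], None)
            policies.setdefault(ctx[1], {})
        elif line.startswith("service-policy "):
            ctx = None  # back at global config level
        elif line.startswith("match access-list ") and ctx and ctx[0] == "cm":
            classmaps[ctx[1]] = line.split()[2]
        elif line.startswith("class ") and ctx and ctx[0] == "pm":
            ctx = ("pm", ctx[1], line.split()[1])
            policies[ctx[1]].setdefault(ctx[2], [])
        elif ctx and ctx[0] == "pm" and ctx[2]:
            policies[ctx[1]][ctx[2]].append(line)  # action under a class
    return acls, classmaps, policies

def ips_acl_issues(config):
    """Messages for IPS-redirect classes whose ACL relies on the interface keyword."""
    acls, classmaps, policies = parse_asa(config)
    issues = []
    for pm, classes in policies.items():
        for cls, actions in classes.items():
            if any(a.startswith("ips ") for a in actions):
                acl = classmaps.get(cls)
                for ace in acls.get(acl, []):
                    # "interface <name>" in an ACE is the interface's own address, not transit traffic
                    if re.search(r"\binterface \S+", ace):
                        issues.append(f"{pm}/{cls}: access-list {acl} ACE '{ace}' uses 'interface'; specify a network instead")
    return issues

# Constructed from the original poster's snippet (not the full running config).
BROKEN = """access-list test extended permit ip interface outside any
class-map test-class
 match access-list test
policy-map global_policy
 class test-class
  ips promiscuous fail-open sensor vs0
service-policy global_policy global"""
# Constructed: same policy with a network ACE (192.0.2.0/24 is a placeholder).
FIXED = BROKEN.replace("interface outside", "192.0.2.0 255.255.255.0")
```

Running ips_acl_issues(BROKEN) reports the test-class ACE, while the FIXED variant passes cleanly.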