Hi,
I have a 5545X with a 5545-IPS module. It is up and updating signatures, but there are no packets checked on it. On the sensor side I'm confused that the hardware/software version is shown as N/A. ASA config:
access-list test extended permit ip interface outside any
class-map test-class
 match access-list test
policy-map global_policy
 class test-class
  ips promiscuous fail-open sensor vs0
service-policy global_policy global
All show statistics commands (engine, host, etc.) on the IPS show 0 in packets, so it seems like traffic is not passed to the IPS from the ASA. The global policy output on the ASA shows the same:
Global policy:
  Service-policy: global_policy
    Class-map: test-class
      IPS: card status UP, license status Enabled, mode promiscuous fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0
What can prevent the global policy from doing its job?
Thanks
On the IPS side, is the PortChannel assigned to vs0?
service analysis-engine
 virtual-sensor vs0
  physical-interface PortChannel0/0
  exit
 exit
Regards,
Sawan Gupta
Hi Sawan,
It is assigned. I have no idea why nothing is matched with my policy, and even the access-list shows 0 packet counts.
regards,
Volodymyr
You could use the following sample config on the ASA:
class-map all-traffic-class
 match access-list all-traffic
policy-map pro-fail-open
 class all-traffic-class
  ips promiscuous fail-open
  set connection advanced-options tmap
service-policy pro-fail-open global
Regards,
Sawan Gupta
Hi,
Can you show access-list all-traffic?
Thanks
Seems like you cannot use interface names in the config and networks should be specified.