
Cisco ASA IPS Connection Events always shows reason column blank

Kirk
Beginner

When I look at connection events, the Reason field is always blank. Is there any way to correlate this with a line in the Access Control policy? If not, what is the field for and how may I use it?

 

Thanks,

Kirk 


Accepted Solutions

Marvin Rhoads
VIP Community Legend

Sorry - Denison hijacked your thread and asked about IME (IPS Manager Express). I didn't notice the changed username when I replied to his question.

 

Regarding events in FMC, you are correct about the column labeled "Reason". It is a bit misleading since it will only ever show "IP Block, IP Monitor, or User Bypass" - i.e. the Security Intelligence reasons.

 

However, when you are blocked (or allowed), the relevant Access Control Policy and Rule still shows up in the table view of connection events. It is in a column that is by default off to the right and you normally need to scroll horizontally to see it (awful user interface design, I know).

 

You can customize the view or make a report to move those columns over. See the Table View section in my example report snippet below - I created a rule in my Lab ACP policy to block Facebook and then tried to access it and was duly blocked. The report shows which policy and rule I encountered.

 

FMC Connection report.PNG

 

 


6 Replies

Marvin Rhoads
VIP Community Legend

Typically we only see a reason for a block. Allow events don't show one.

 

You can always use packet tracer (in 6.2+) to see exactly what ACP rule is hit.

Even blocks are showing as blank.

Hi Kirk,

 

Can you please let me know where I can find the reason column for comparison purposes? I am using IME 7.2.7.

Sorry - I incorrectly assumed you were using the current product, not the old IPS. That one is almost end of life.

 

I don't recall off the top of my head how or if you can see block reason on that in near real time. I know it should be a reportable item.