08-24-2015 01:06 PM - edited 03-10-2019 06:26 AM
We are currently using an IPS (SSP-10) on an ASA 5585-X in promiscuous mode. Whenever we change the IPS to inline mode using "ips inline fail-open", it completely blocks all traffic going through the ASA. The IPS is currently working because we are getting alerts on multiple different types of traffic. According to Cisco TAC, once the units are turned to inline mode it may take up to 20 minutes for the traffic to correctly flow through the ASA, but to me this doesn't make any sense. Here is the config:
policy-map INSIDE-policy
 class INSIDE-class
  inspect ftp
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect waas
  inspect pptp
 class ddos
  set connection per-client-embryonic-max 10
 class IPS_CLASS
  ips promiscuous fail-open
 class class-default
  user-statistics accounting
policy-map OUTSIDE-policy
 class OUTSIDE-class
  inspect ftp
policy-map DMZ-policy
 class DMZ-class
  inspect ftp
----------------------------
class-map IPS_CLASS
 match access-list IPS_INSPECTION
----------------------------
access-list IPS_INSPECTION extended permit ip any any
11-21-2015 12:21 PM
Dear Chris,
Were you able to resolve the problem of traffic blocking while changing the IPS mode from promiscuous to inline?
We have an ASA-5585-X-SSP40; currently the IPS is running in promiscuous mode and now we want to change the mode from promiscuous to inline. I want to know whether there is any impact on the traffic when changing the IPS mode to inline mode. Are there any precautions that need to be taken while changing the IPS mode to inline mode?
11-23-2015 01:23 PM
We resolved the problem. To make a long story short, the IPS was blocking traffic after we changed from promiscuous to inline mode. A Cisco TAC engineer told us that it could take up to 20 minutes for the traffic to "properly pass through", but he was incorrect. After troubleshooting with another engineer, we discovered we were actually hitting an ASA bug in 9.1(6). After upgrading the ASA code, it worked. Changing from promiscuous to inline did not cause an issue, and it took only seconds for the traffic to converge through the IPS.
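For anyone making the same cut-over, this is the relevant part of the policy-map after the switch, added here as an example rather than either poster's configuration; it assumes IPS_CLASS lives under global_policy as in the thread, and the fail-close alternative and the show commands are standard ASA syntax that the thread itself did not use.

```text
! Added example (not from the thread): move IPS_CLASS from promiscuous to inline.
! "fail-open" lets matched traffic bypass the IPS when the module is down or not
! yet ready; "fail-close" drops that traffic instead. Fail-open keeps connectivity
! during the change, fail-close keeps inspection coverage at the cost of availability.
policy-map global_policy
 class IPS_CLASS
  no ips promiscuous fail-open
  ips inline fail-open
!
! Stricter alternative for the same class, once inline operation is confirmed:
!  ips inline fail-close
!
! Check the module before the change and the policy counters afterwards:
show module
show service-policy
```

If show service-policy shows the class with mode inline but the packet counters stay at zero while traffic is blocked, the policy is applied and the fault lies in the module or the ASA release, which is what the thread's bug turned out to be.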