Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
5
Helpful
2
Replies

Cisco IPS Blocking Traffic in Inline Mode

Chris Russo
Level 1
Level 1

‎08-24-2015 01:06 PM - edited ‎03-10-2019 06:26 AM

We are currently using an IPS (SSP-10) on an ASA 5585-X in promiscuous mode. Whenever we change the IPS ton inline mode using "ips inline fail-open", it completely blocks all traffic going through the ASA. The IPS is currently working because we are getting alerts on multiple different types of traffic. According to Cisco TAC, once the units are turned to inline mode it may take up to 20 minutes for the traffic to correctly flow through the ASA, but to me this doesn't make any sense. Here is the config:

 


policy-map INSIDE-policy
 class INSIDE-class
  inspect ftp
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect waas
  inspect pptp
 class ddos
  set connection per-client-embryonic-max 10
 class IPS_CLASS
  ips promiscuous fail-open
 class class-default
  user-statistics accounting
policy-map OUTSIDE-policy
 class OUTSIDE-class
  inspect ftp
policy-map DMZ-policy
 class DMZ-class
  inspect ftp

----------------------------

class-map IPS_CLASS
 match access-list IPS_INSPECTION

----------------------------

access-list IPS_INSPECTION extended permit ip any any

 

 

 

 

Labels:
0 Helpful
2 Replies 2

Farooq Razzaque
Level 1
Level 1

‎11-21-2015 12:21 PM

Dear Chris

Are you able to resolve the problem of traffic blocking while changing the IPS mode from promiscous to inline.

We have ASA-5585-X-SSP40, currently the IPS is running in promiscous mode and now we want to change the mode from promiscous mode to inline mode. I want to know is there any impact on the traffic of changing the IPS mode to inline mode. Is there any precautions needs to be taken care while changing the IPS mode to inline mode.

0 Helpful

Chris Russo
Level 1
Level 1
In response to Farooq Razzaque

‎11-23-2015 01:23 PM

We resolved the problem. To make a long story short, the IPS was blocking traffic after we changed from promiscuous to inline mode. A cisco TAC engineer told us that it could take up to 20 minutes for the traffic to "properly pass through" but he was incorrect. After troubleshooting with another engineer, we discovered we were actually hitting an ASA bug in 9.1(6). After upgrading asa code, it worked. Changing from promiscuous to inline did not cause an issue and it took only seconds for the traffic to converge through the IPS.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card