
IDS router blocking problem

stevechen (Level 1)

I am working on IDS-4210 version 4.1(1)S47. When I tried to configure router blocking, I encountered some problems. This is what I found: after I configured the blocking device, the IDS sensor command "show statistics networkaccess" displayed "state = active". However, after I configured the blocking interface, the same command displayed "state = inactive". I assume the inactive state means the sensor cannot control the router. Any ideas on how to solve the problem?

Any help appreciated.

4 Replies

markb (Level 1)

It isn't easy to confirm connectivity (it was in ver 3). I assume you can ping the router from the sensor. If you create a manual block on the sensor it should create the access-list on the router; if it is not created, I'd look at the syslog output on the router to see if there is any attempt at connecting. Also, I'd use basic telnet to connect to the router at first.

I had similar issues connecting to PIXs. I eventually raised a TAC case and the engineer created a super user account on the device and was able to telnet to the blocking device.

I hope this helps.

Regards

Mark

Hi Mark,

Thanks for your help. The sensor can connect to the router, confirmed by the "show user" command.

The crazy thing was that the "show statistic netaccess" command displayed "state = active", but it turned to inactive as soon as I configured the blocking interface. And I verified that the interface names matched between the router and the IDS sensor.

So are you happy that it's working?

I'm just playing with ver 5 and having issues; there seems to be scant documentation. Ver 3 was based on Solaris and was very usable; it had a window showing the connection status between the sensor and the blocking devices.

Best of luck

Mark

Version 5.0 has improved logging capabilities for tracking Blocking issues: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/cliblock.htm#wp1041645

Here is a quick method to try and track what errors might be happening:

1) Check to ensure that log-all-block-events-and-errors is configured for true.

2) Connect to the sensor through the CLI and execute "show events"

3) Connect to the sensor through IDM.

4) Within IDM go to the Monitoring window for Host Blocks, and add a new IP Address to have Blocked.

5) Now look through the events in the CLI "show events" output to see if the block was successful on each device being managed. If a block was unsuccessful on a device it should provide some error information that should help in identifying the possible error being encountered.

Side Notes:

If the reason for an unsuccessful block was connectivity problems, then you can create a service account on the sensor ("user service privilege service").

Then log in as the service account and try to connect to the device being managed using the same method (telnet or ssh) as well as the same usernames and passwords, and verify that the service account is able to log in to the end device. If you can't connect from the service account, then the problem may be in the configuration of the end device being managed.
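The reply above describes a manual triage loop: enable block event logging, trigger a host block, then read "show events" to see which managed device failed and why. The following is an added example, not code from the thread or from Cisco, that performs the step 5 triage over captured sensor output offline. The event line format in SAMPLE_EVENTS is constructed for the example and does not reproduce the real IDS 5.0 "show events" layout; the regex, the CONNECTIVITY_HINTS strings and the function names are all assumptions for illustration. What it demonstrates is the per-device grouping and the decision the side note makes: failures whose error text points at reachability or login go to the service-account connectivity test, anything else to the managed device's own configuration.

```python
import re
from collections import defaultdict

# Constructed sample output (NOT the real 'show events' format of a Cisco IDS
# 5.0 sensor). It only models the facts the reply says to look for: which
# managed device, which host was to be blocked, and the error text on failure.
SAMPLE_EVENTS = """\
evStatus  2004/06/01 10:00:01  block host=192.0.2.10 device=10.1.1.1 result=success
evError   2004/06/01 10:00:02  block host=192.0.2.10 device=10.1.1.2 result=failure reason="connection refused"
evStatus  2004/06/01 10:00:03  block host=192.0.2.11 device=10.1.1.1 result=success
evError   2004/06/01 10:00:04  block host=192.0.2.11 device=10.1.1.2 result=failure reason="login failed"
evStatus  2004/06/01 10:00:05  sensor heartbeat
"""

# Assumed field layout for the constructed lines; the optional reason only
# appears on failures.
BLOCK_RE = re.compile(
    r'block host=(?P<host>\S+) device=(?P<device>\S+) result=(?P<result>\w+)'
    r'(?: reason="(?P<reason>[^"]*)")?'
)

# Error fragments (assumed) that indicate the sensor could not reach or log in
# to the managed device, i.e. the "connectivity problems" case in the side note.
CONNECTIVITY_HINTS = ("connection refused", "timed out", "unreachable",
                      "login failed", "authentication")


def parse_block_events(text):
    """Return one dict per block-attempt line; unrelated events are skipped."""
    records = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def classify_reason(reason):
    """Bucket a failure reason as 'connectivity' or 'other'."""
    text = (reason or "").lower()
    return "connectivity" if any(h in text for h in CONNECTIVITY_HINTS) else "other"


def summarize_by_device(records):
    """Per managed device: success/failure counts and failure reasons by class."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "reasons": {}})
    for rec in records:
        entry = summary[rec["device"]]
        if rec["result"] == "success":
            entry["success"] += 1
        else:
            entry["failure"] += 1
            bucket = entry["reasons"].setdefault(classify_reason(rec["reason"]), [])
            if rec["reason"] not in bucket:
                bucket.append(rec["reason"])
    return dict(summary)


def next_step(entry):
    """Mirror the side note: connectivity failures get the service-account test."""
    if entry["failure"] == 0:
        return "ok"
    if "connectivity" in entry["reasons"]:
        return "check-connectivity-from-service-account"
    return "check-device-config"


if __name__ == "__main__":
    summary = summarize_by_device(parse_block_events(SAMPLE_EVENTS))
    for device, entry in sorted(summary.items()):
        print(f"{device}: {entry['success']} ok, {entry['failure']} failed "
              f"-> {next_step(entry)} {entry['reasons'] or ''}")
```

Paste a captured "show events" session into SAMPLE_EVENTS (after adapting BLOCK_RE to the real line layout) and the per-device summary tells you immediately which blocking device to test from the service account and which one needs its own configuration reviewed.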
