IDSM-2 Join windows domain problem

ola · ‎02-22-2009

We are running a IDSM-2 module in a 6509 with vlan inline interface pairs.

Everything looks fine until we try to join a server to the 2003 domain.

I can't see the IPS dropping anything, but we get "network path not found" after entering the credentials for joining. If I set the IPS to bypass it works as it should. The software on the IPS is 6.2(1)E3 and all the servers are windows 2003. Greatful for any ideas of how to solve this.

rhermes · ‎02-23-2009

This post from antonyabraham in another thread might help:

Replied by: antonyabraham - STATE FARM - Feb 12, 2009, 5:59pm PST

There could be some normalizer engine events which can drop/modify traffic without firing an alert. Some of them seem to be on by default. Could you try enabling "produce alerts" on the normalizer signatures with deny or modify actions?

Another way would be to put an event action filter for the source or target (or both) and filter out all deny actions. In that way, you are telling the sensor do not block any traffic from or to certain IP address (based on how the filter is formed). I would use this filter to cover all signatures and sub signatures for the source/target in question.

ola · ‎02-23-2009

Thanks, I have enabled produce alerts and will see if that give me any clue to what is wrong.

ola · ‎03-09-2009

Actually, some traffic passed the sensor twice. So changing from virtual sensor mode to interface and vlan mode fixed the problem.