Solved: Interfaces reset when disable signature.

jmp780718 · ‎08-13-2013

Hi Guys.

When i ingress the next script in order to disable signature, the interfaces of the Ips cisco 4240 are restart, someone have any clue is so extrange just for disabling an signature?

config term

service signature-definition sig0

signatures 9202 0

status

enabled false

exit

Aug 13 23:59:35.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/25, changed state to up

Aug 13 23:59:35.280: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/26, changed state to up

GigabitEthernet1/0/25 is up, line protocol is up (connected)

Hardware is Gigabit Ethernet, address is e8b7.4843.b099 (bia e8b7.4843.b099)

Description: **** IPS-A ****

GigabitEthernet1/0/26 is up, line protocol is up (connected)

Hardware is Gigabit Ethernet, address is e8b7.4843.b09a (bia e8b7.4843.b09a)

Description: **** IPS-B ****

Tahnk you.

gaurash2 · ‎08-16-2013

Check the image attached.Hope it helps:

View solution in original post

jmp780718 · ‎08-13-2013

Both interfaces belongs to IPS A:

Aug 13 23:59:35.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/25, changed state to up

Aug 13 23:59:35.280: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/26, changed state to up

interface GigabitEthernet1/0/25

description **** IPS-A ****

interface GigabitEthernet2/0/26

description **** IPS-A ****

Julio Carvajal · ‎08-13-2013

Hello,

What version are you running?

Does it only happen with that signature?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jmp780718 · ‎08-13-2013

Hi.

At this moment i just try to do that to disable the signature.

! ------------------------------

! Current configuration last modified Tue Aug 13 18:02:59 2013

! ------------------------------

! Version 7.0(5a)

! Host:

! Realm Keys key1.0

! Signature Definition:

! Signature Update S609.0 2011-11-11

! ------------------------------

service interface

physical-interfaces GigabitEthernet0/0

admin-state enabled

duplex full

speed 1000

subinterface-type inline-vlan-pair

subinterface 1

vlan1 10

vlan2 11

exit

physical-interfaces GigabitEthernet0/1

admin-state enabled

duplex full

speed 1000

subinterface-type inline-vlan-pair

subinterface 1

vlan1 10

vlan2 11

exit

bypass-mode off

exit

gaurash2 · ‎08-14-2013

The interfaces flap because of the bypass mode off setting. When you tune a signature ( enable/disable) , sensor goes into bypass. With bypass-mode off , the interface will go down when the sensor goes intp bypass and remain down unitl sensor is out of bypass.

You will not see this when the bypass-mode is Auto.

jmp780718 · ‎08-15-2013

Hi.

Is safe to disable de singnature 9202?

Thank you.

jmp780718 · ‎08-15-2013

Hi.

If i add an exclusion the IPS has the same symptom of shutdown the Interfaces?.

Thank you.

gaurash2 · ‎08-16-2013

Hi There,

I am not sure what do you mean by exclusion.But the behavior you are observing is generic in the way , that whenever you enable/disable any signature ( or perform signature package upgrade) in bypass off mode ; it will lead to interface flap.

You may choose bypass mode auto. In this case the interfaces will not flap.

Thanks and Regards,

Gaurav.

jmp780718 · ‎08-16-2013

I'm trying to permit just one flow of traffic that is blocking the Ips thru a rule that subtract the acctions of the firm, that will be cause an interfaces falp?

Sent from Cisco Technical Support iPad App

gaurash2 · ‎08-16-2013

It should not.

jmp780718 · ‎08-16-2013

how to create an rule with action to subtract from the event log of Ips manager express console?, do you know?

Thank you.

Sent from Cisco Technical Support iPad App

gaurash2 · ‎08-16-2013

Check the image attached.Hope it helps: