Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
959
Views
0
Helpful
7
Replies

IPS Errors

Bethuelle
Level 1
Level 1

‎07-18-2011 07:23 AM - edited ‎03-10-2019 05:24 AM

Hi to ye all,

I an ASA 5520 with an AIP-SSM-10 module. Blocking Host Connection has been activated on some signatures and I get the following errors in the diagrams below. I'll like to know their cause and what I can do to solve them

Error3.jpg

Error4.jpg

Error5.jpg

Error6.jpg

thanks for your help

Labels:
0 Helpful
7 Replies 7

rhermes
Level 7
Level 7

‎07-18-2011 09:55 AM

It looks like you are trying to shun to a PIX firewall.

Have you added the PX to the allowed hosts and the PIX's TLS and SSH keys in the sensor?

Allowed Hosts:

conf t

service host

access-list 192.168.0.1/24 (ip address of your PIX)

exit

exit [yes]

config

Adding TLS and SSH keys:

conf t

ssh host-key 192.168.0.1

tls trusted-host ip-addess 192.168.0.1

- Bob

0 Helpful

Bethuelle
Level 1
Level 1
In response to rhermes

‎07-20-2011 12:14 AM

Hye rhermes,

no i haven't done all that. it's an ASA 5520 firewall

0 Helpful

rhermes
Level 7
Level 7
In response to Bethuelle

‎07-20-2011 08:23 AM

Even if you are shunning to an ASA you will need to perform those tasks.

- Bob

0 Helpful

Bethuelle
Level 1
Level 1
In response to rhermes

‎07-21-2011 03:51 AM

Hye Bob,

When i try generating the trusted key I get this error

0 Helpful

Bethuelle
Level 1
Level 1
In response to Bethuelle

‎07-21-2011 04:10 AM

Also I have been encountering the following phenomena. See screen captures

In the 1st Screen Capture, it says the source address couldn't be blocked but it was finally blocked so i do not understand what caused that message.

As for the 2nd Screen Capture, when Connection Block Enabled is at True, the Host is not blocked but when it'a at false, the host is blocked. I do not quite understand.

Thanks for all your tips in advance.

bye

0 Helpful

rhermes
Level 7
Level 7
In response to Bethuelle

‎07-21-2011 06:50 AM

Don't worry about the TLS connections, those are used between sensors when you make one sensor a Master Blocking Sensor (they need a trust relationship). Is you sensor ssh'ed into your firewall?

you can check with this command (or there should be soem GUI version of this as well). Look for the bold active:

IDSM-slot6# sh stat network-access

Current Configuration

   LogAllBlockEventsAndSensors = true

   EnableNvramWrite = false

   EnableAclLogging = false

   AllowSensorBlock = false

   BlockMaxEntries = 250

   MaxDeviceInterfaces = 250

   NetDevice

   Type = Cisco

     IP = 10.0.0.113

     NATAddr = 0.0.0.0

     Communications = ssh-3des

     ResponseCapabilities = block

     BlockInterface

         InterfaceName = vlan101

         InterfaceDirection = out

     BlockInterface

         InterfaceName = vlan102

         InterfaceDirection = out

State

   BlockEnable = true

   NetDevice

     IP = 10.0.0.113

     AclSupport = uses Named ACLs

     Version = 12.2

     State = Active

- Bob

0 Helpful

Bethuelle
Level 1
Level 1
In response to rhermes

‎07-21-2011 08:06 AM

           ASA

            interface GigabitEthernet0/1.1

            nameif inside

            security-level 100

ip address 192.168.0.1 255.255.255.128

ASA (Config): ssh 192.168.0.20 255.255.255.255 inside

            AIP-SSM

            Sensor (Config) # ssh host-key 192.168.0.1

            Find above the existing configuration in my ASA5520 and AIP-SSM-10

            I have also added the ASA 5520 (192.168.0.1) to the list of Allowed Hosts

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card