Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
898
Views
5
Helpful
6
Replies

IPS fail

Go to solution
engahmedsaied
Level 1
Level 1

‎01-19-2016 02:07 AM - edited ‎03-10-2019 06:32 AM

hello all,

I face a  problem when IPS fail all network behind it be not accessible,

so how can I check capability of box to support both 

1-hardware bypass.

2-software bypass.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
Karsten Iwen
VIP
VIP

‎01-19-2016 04:21 AM

1) Which platform are you using? Not all support HW-bypass. You should find the needed information in the Data-Sheet of your platform.

2) In the configuration of you system. And that is (again) dependent of the platform you use.

0 Helpful

Go to solution
engahmedsaied
Level 1
Level 1
In response to Karsten Iwen

‎01-19-2016 04:32 AM

cisco IPS 4510 - 7.3(4)E4

is show tech-support command is useful ?

I have found that below every interface "hardware bypass capable = NO"

Is this tells that interface not supported in hardware bypass or hardware not set to that interface

0 Helpful

Go to solution
engahmedsaied
Level 1
Level 1
In response to Karsten Iwen

‎01-19-2016 04:46 AM

thank you Karsten

last question in case of software bypass it can work on interface vlan pair ?

or require interface pair or this doesn't matter in case of software bypass

I know that software bypass will work in case of service engine stopped but if device rebooted due to time changing or anything will it work ?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to engahmedsaied

‎01-19-2016 05:00 AM

Yes, it works with vlan pairs. But be aware that the usecase for software bypass is a situation where the software still has full control of the system. If the signatures are updated, bypass can be used to make sure that no traffic is dropped.

But in every situation where the software doesn't have any control, software bypass can't work. That includes software-updates where the sensor reboots of failed/crashed IPS-software.

0 Helpful

Go to solution
abdallah malas
Level 1
Level 1

‎01-21-2016 09:03 AM

Hello,

I had a similar situation where I had a CX Module + Cisco Prime Security Manager with Next Generation IPS.

At the beginning when the CX Module Fails (IPS) no traffic is allowed.

I was able to overcome this problem by doing the following changes to the Policy-map:

I added "cxsc fail-open" this means if the model goes down the firewall will not pass the traffic through the model for inspection any more.

Initially it was "cxsc fail-close". After I did this change everything went well.

Hope this helps,

Best Regards,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card