NAC shuns ignoring event filters with sp5 sig191

randy.manning
Level 1

When I upgraded from sp 4 to sp 5 sig 189, I noticed NAC wouldn't shun connections, but hosts? Well, anyway... On Friday 9/23, upgrading from sig189 to sig191, my event filters for 3030 (which is configured to initiate a shun for that alert) stopped working and IDS started shunning servers that were once "protected" by the associated event filter. I downgraded back to 190 and the event filter started working again.

This ring a bell for anyone?

2 Replies

ibanezm
Level 1

The event actions on 4.1(4) and 4.1(5) are the same:

log

reset

shunHost

shunConnection

ZERO

I just tested that event action configurations (including shunHost and shunConnection) are merged from 4.1(4) to 4.1(5)S189 to 4.1(5)S191. I configured additional signatures in each version and they were all preserved.

By preserved, I guess you mean that all is working for you.

I checked the configuration, all the commands (NAC, event filters) and they do appear in the configuration, but it appears as if the list is being ignored and sending a shun request to our firewall anyway. I opened a TAC case on this matter.
